Third respin of this series. Reordered for better safety for bisecting.
The environment scraping is now on by default, but can be disabled with
"-E" in environments where it's not needed.
Also, I've added a patch to make cifs.upcall drop capabilities before
doing most of its work. This may help reduce the attack surface of the
program.
Jeff Layton (4):
cifs.upcall: convert two flags from int to bool
cifs.upcall: switch group IDs when handling an upcall
cifs.upcall: drop capabilities early in program
cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's
/proc/<pid>/environ file
Makefile.am | 2 +-
cifs.upcall.8.in | 9 ++
cifs.upcall.c | 255 +++++++++++++++++++++++++++++++++++++++++++++++++++++--
3 files changed, 256 insertions(+), 10 deletions(-)
--
2.9.3
--
To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
