The main change in this release is to address some regressions that crept in when we switched to a scheme that does not rely on walking /tmp to look for credcaches. We now will use the information from the kernel about the initiating pid, reach into that task's environment and scrape out the $KRB5CCNAME variable. This can be problematic in setuid situations, so we avoid doing that for the root user. It's not a perfect scheme but it's certainly better than what was there before.

There are also some mount.cifs cleanups and fixes from Germano Percossi.

webpage: https://wiki.samba.org/index.php/LinuxCIFS_utils
tarball: ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/
git:     git://git.samba.org/cifs-utils.git
gitweb:  http://git.samba.org/?p=cifs-utils.git;a=summary

Detailed list of changes since 6.6 was released:

commit c4e51e4dcbd3169638fa3fb13df61fa1fee525a8
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Sun Nov 27 06:28:29 2016 -0500

    cifs-utils: bump version to 6.6.1 for pre-release builds

    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit 76da9405575d484b33eb4e56466366c8dbe87046
Author: Germano Percossi <germano.percossi@xxxxxxxxxx>
Date:   Fri Nov 18 18:54:49 2016 +0000

    mount.cifs: Removed extra comma in front of domain

    Signed-off-by: Germano Percossi <germano.percossi@xxxxxxxxxx>

commit 57e4e22de7ea79f56471e7eb8cec9db926087f8d
Author: Germano Percossi <germano.percossi@xxxxxxxxxx>
Date:   Fri Nov 18 18:54:50 2016 +0000

    mount.cifs: Accept empty domains on the command line

    If we do not allow empty domains on the command line we are preventing
    the kernel module from taking different actions if the domain has not
    been specified at all or just passed empty.

    In fact, with this fix the cifs module behaves differently once an
    empty domain is passed: the find_domain_name function is not invoked
    when an empty domain is passed.

    It is possible to pass both 'domain=' or 'domain=""' even though the
    kernel module will accept the former only when associated with the
    sloppy option.

    Signed-off-by: Germano Percossi <germano.percossi@xxxxxxxxxx>

commit a1f3acd40b265f134a97a739a6898b3958d206b9
Author: Germano Percossi <germano.percossi@xxxxxxxxxx>
Date:   Fri Nov 18 18:54:51 2016 +0000

    mount.cifs: Fixed command line parsing and aligned with kernel

    The way token matching was done was consuming the parameters namespace
    quickly. For example, anything starting with "dom" was interpreted as
    domain, while it could have been a completely different word. The same
    is true even for "ro". Moreover, many perfectly valid options like
    "addr" were not accepted.

    The cifs kernel module is very strict when it comes to names: 'dom'
    and 'domain' are valid while 'domai' is not, so the userspace tool
    needs to comply, otherwise it becomes very difficult to come up with
    new names for options.

    Now, checking is strict and as close as possible to the kernel. When it
    is not, it is just to avoid breaking compatibility with some users.
    However, workg has been removed because it is too lazy and
    undocumented.

    The only variable left without strict checking is 'x-' because the
    intent is to ignore anything starting in that way.

    Signed-off-by: Germano Percossi <germano.percossi@xxxxxxxxxx>

commit 743301da5bf502197beb1f91f98e11eea9070e4e
Author: Germano Percossi <germano.percossi@xxxxxxxxxx>
Date:   Fri Nov 18 18:54:52 2016 +0000

    mount.cifs: Remove unneeded stdbool header include

    Signed-off-by: Germano Percossi <germano.percossi@xxxxxxxxxx>

commit d73a52e50d43f07638f34cb860e9824a932508b8
Author: Sachin Prabhu <sprabhu@xxxxxxxxxx>
Date:   Wed Jan 4 07:45:17 2017 -0500

    manpage: document mfsymlinks in the mount.cifs man page

    Information from the cifs README in the kernel sources is used.

    Signed-off-by: Sachin Prabhu <sprabhu@xxxxxxxxxx>

commit fb7693c50e99f2153500bb3590602993016051b4
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Sun Feb 12 09:36:12 2017 -0500

    cifs.upcall: convert two flags from int to bool

    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit a6662edb12b267e12bd67424e485ca081a97beb3
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Mon Feb 13 08:33:02 2017 -0500

    cifs.upcall: switch group IDs when handling an upcall

    Currently, we leave the group ID alone, but in a later patch we'll be
    changing cifs.upcall to scrape $KRB5CCNAME out of the originating
    process. At that point, we want to be a little more careful with the
    process credentials we'll be using.

    After we get the uid, do a getpwuid and grab the default gid for the
    user. Then use setgid to set it before calling setuid.

    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit 109c189bf4720b0d7ed43113e1e26c89c8b15ada
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Wed Feb 15 10:00:45 2017 -0500

    cifs.upcall: drop capabilities early in program

    Much of cifs.upcall can and should be run without elevated privileges.
    On entry into the program, drop as many capabilities as we can get
    away with, and then always drop any remaining caps after calling
    setuid().

    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit ed97e4ecab4e9a103c46232785fb76b3f07d0637
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Sat Feb 11 08:38:46 2017 -0500

    cifs.upcall: allow scraping of KRB5CCNAME out of initiating task's
    /proc/<pid>/environ file

    Chad reported that he was seeing a regression in cifs-utils-6.6. Prior
    to that, cifs.upcall was able to find credcaches in non-default FILE:
    locations, but with the rework of that code, that ability was lost.

    Unfortunately, the krb5 library design doesn't really take into
    account the fact that we might need to find a credcache in a process
    that isn't descended from the session.

    When the kernel does an upcall, it passes several bits of info about
    the task that initiated the upcall. One of those things is the PID
    (the tgid, in particular). We can use that info to reach into the
    /proc/<pid>/environ file for the process, and grab whatever value of
    $KRB5CCNAME is there.

    Then, after switching credentials, set $KRB5CCNAME in the environment
    to the same value before opening the credcache, to hint to the krb5
    libs where they ought to look.

    This new behavior is on by default, but can be disabled by having
    request-key pass a '-E' flag to cifs.upcall.

    Reported-by: Chad William Seys <cwseys@xxxxxxxxxxxxxxxx>
    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit ec3874fdc669901f4a9e8a90a856f999cd627a3f
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Thu Feb 16 09:55:45 2017 -0500

    cifs.upcall: trim even more capabilities

    We really only need CAP_DAC_READ_SEARCH, not CAP_DAC_OVERRIDE, and
    only when we are going to probe the environ file.

    Also, fix the non-libcap-ng trim_capabilities prototype.

    Reviewed-by: Simo Sorce <simo@xxxxxxxxxx>
    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit 912cbe49114392bd7c375c4c37698d406eb0660e
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Thu Feb 23 18:49:59 2017 -0500

    data_blob: remove need for replace.h

    We only need ZERO_STRUCT there.

    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit ebdd0a9d9745f19a13415a65914dcc9993f28e96
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Thu Feb 23 20:56:27 2017 -0500

    spnego.c/asn1.c: remove need for replace.h

    Just need stdbool.h instead.

    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit 4849f9fc118bf074ce5efea94fa0c4727a430863
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Thu Feb 23 18:58:17 2017 -0500

    cifs.upcall: remove need for replace.h

    Take just what we need from replace.h and move it to cifs.upcall.c.

    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit 2333c502f81c66e186123e1b739a056fb049d5e4
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Thu Feb 23 19:21:56 2017 -0500

    replace.h: remove it

    Nothing uses it now.

    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit 4850d321c3ec8f1b31b162fe8a316a7638c12b94
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Thu Feb 23 19:09:12 2017 -0500

    treewide: Eliminate SAFE_FREE

    It just frees and then zeroes out the pointer. That's of dubious value
    in the places where it's currently being used. Just use free()
    instead.

    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit 891d7806ac153e7d99b324ed9a33ff92699a92c6
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Thu Feb 23 19:14:07 2017 -0500

    data_blob: Eliminate _PUBLIC_

    It's defined to nothing anyway.

    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit 2dcecd21262513a0866c321643fc33d3d0135915
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Thu Feb 23 18:28:24 2017 -0500

    cifs.upcall: unset $KRB5CCNAME when creating new credcache from keytab

    We don't want to trust $KRB5CCNAME when creating or updating a new
    credcache since we could be operating under the wrong credentials.
    Always create new credcaches in the default location instead.

    Reported-by: Chad William Seys <cwseys@xxxxxxxxxxxxxxxx>
    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit 9eaa21ed37126d1bfcb998b4c8f6115ac77e9b5f
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Thu Feb 23 16:50:43 2017 -0500

    cifs.upcall: don't do env scraping when uid is 0

    Setuid programs triggering upcalls could trick the program here. Also,
    the d_automount method is done with credentials overridden, so you can
    end up with mismatched creds and env vars due to that as well.

    It's a hack, but the only recourse I can see is to avoid doing this
    when the uid is 0. That means we can't rely on finding root credcaches
    in alternate locations using $KRB5CCNAME, but I think that's the best
    we can do.

    Reported-and-Tested-by: Chad William Seys <cwseys@xxxxxxxxxxxxxxxx>
    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit 69949ba0086ac7a4f07ade7558fbe5c537220ebb
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Fri Feb 24 10:48:57 2017 -0500

    cifs.upcall: use a MEMORY: ccache when instantiating from a keytab

    Using a more permanent ccache is potentially problematic when we're
    instantiating a new one. We might be operating under different creds
    than expected. Just use a MEMORY: ccache since we don't need it to
    last longer than the life of the upcall anyway.

    Reported-and-Tested-by: Chad William Seys <cwseys@xxxxxxxxxxxxxxxx>
    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

commit 8101a07871f185c7044fa2ca221b282ab4607c8b
Author: Jeff Layton <jlayton@xxxxxxxxx>
Date:   Thu Mar 2 11:51:05 2017 -0500

    cifs-utils: bump version to 6.7

    Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx>

-- 
Jeff Layton <jlayton@xxxxxxxxx>
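The credential-handling sequence that the cifs.upcall commits above describe (look up the target user's primary gid, setgid() before setuid(), refuse to trust the environment of a uid-0 task, read $KRB5CCNAME out of /proc/<pid>/environ, then either hint the krb5 library with that value or clear the hint when instantiating from a keytab) is easy to get subtly wrong, so here is a small stand-alone C program that walks through it. This is an added example written for this page; it is not cifs-utils code, and the function names (env_block_lookup, read_proc_environ, should_scrape_environ, switch_credentials, hint_ccache), the SAMPLE_ENVIRON block and the KRB5CCNAMEX decoy record are all constructed for illustration. It assumes Linux (for /proc) and does not perform the libcap/libcap-ng capability trimming the notes mention.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed sample of a /proc/<pid>/environ block: NUL-separated
 * KEY=VALUE records. KRB5CCNAMEX is a decoy showing that the lookup
 * must match the whole variable name, not just a prefix. */
static const char SAMPLE_ENVIRON[] =
    "PATH=/usr/bin\0"
    "KRB5CCNAMEX=decoy\0"
    "KRB5CCNAME=FILE:/tmp/krb5cc_1000_abc\0"
    "HOME=/home/u\0";
#define SAMPLE_ENVIRON_LEN (sizeof(SAMPLE_ENVIRON) - 1)

/* Return a malloc'd copy of the value of `name` in an environ-style
 * block of `len` bytes, or NULL if the variable is absent. */
char *env_block_lookup(const char *block, size_t len, const char *name)
{
    size_t nlen = strlen(name);
    size_t off = 0;

    while (off < len) {
        const char *rec = block + off;
        const char *end = memchr(rec, '\0', len - off);
        size_t rlen = end ? (size_t)(end - rec) : len - off;

        if (rlen > nlen && memcmp(rec, name, nlen) == 0 && rec[nlen] == '=') {
            size_t vlen = rlen - nlen - 1;
            char *val = malloc(vlen + 1);
            if (!val)
                return NULL;
            memcpy(val, rec + nlen + 1, vlen);
            val[vlen] = '\0';
            return val;
        }
        off += rlen + 1;    /* skip the record and its NUL terminator */
    }
    return NULL;
}

/* Read /proc/<pid>/environ into a malloc'd buffer; *len receives its size.
 * Reading another task's file needs matching credentials or
 * CAP_DAC_READ_SEARCH, which is why the notes keep only that capability. */
char *read_proc_environ(pid_t pid, size_t *len)
{
    char path[64];
    char *buf = NULL, *tmp;
    size_t cap = 0, used = 0, n;
    FILE *fp;

    snprintf(path, sizeof(path), "/proc/%ld/environ", (long)pid);
    fp = fopen(path, "r");
    if (!fp)
        return NULL;
    do {
        if (used == cap) {
            cap = cap ? cap * 2 : 4096;
            tmp = realloc(buf, cap);
            if (!tmp) { free(buf); fclose(fp); return NULL; }
            buf = tmp;
        }
        n = fread(buf + used, 1, cap - used, fp);
        used += n;
    } while (n > 0);
    fclose(fp);
    *len = used;
    return buf;
}

/* The refusal from the notes: a uid-0 initiator (setuid helper, or
 * d_automount running with overridden creds) may carry an environment
 * that does not belong to it, so never scrape it. env_probe_enabled models
 * the request-key '-E' opt-out. */
int should_scrape_environ(uid_t uid, int env_probe_enabled)
{
    return env_probe_enabled && uid != 0;
}

/* Switch to the target user in the order the notes describe: primary gid
 * from getpwuid(), setgid() first, then setuid(). Returns 0 or -errno. */
int switch_credentials(uid_t uid)
{
    struct passwd *pw = getpwuid(uid);

    if (!pw)
        return -ENOENT;
    if (setgid(pw->pw_gid) < 0)
        return -errno;
    if (setuid(uid) < 0)
        return -errno;
    return 0;
}

/* Point the krb5 library at the scraped ccache, or, when instantiating a
 * ccache from a keytab, clear the hint so an untrusted value is ignored. */
int hint_ccache(const char *ccname)
{
    if (ccname)
        return setenv("KRB5CCNAME", ccname, 1);
    return unsetenv("KRB5CCNAME");
}

int main(void)
{
    size_t len = 0;
    char *env = read_proc_environ(getpid(), &len);  /* our own task */
    char *cc = env ? env_block_lookup(env, len, "KRB5CCNAME") : NULL;

    printf("KRB5CCNAME in own environ: %s\n", cc ? cc : "(none)");
    printf("scraping allowed for uid %ld: %d\n", (long)getuid(),
           should_scrape_environ(getuid(), 1));
    free(cc);
    free(env);
    return 0;
}
```

Running it as an unprivileged user prints whatever KRB5CCNAME the shell exported (or "(none)") and reports that scraping is allowed; run as root it reports 0, mirroring the uid-0 check in the notes. switch_credentials() is only meaningful when started with the privileges to change uid/gid, so main() does not call it.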