lp:cifs-utils

Created by Jelmer Vernooij and last modified
Get this branch:
bzr branch lp:cifs-utils

Branch information

Owner:
Samba Team
Project:
cifs-utils
Status:
Development

Import details

Import Status: Reviewed

This branch is an import of the HEAD branch of the Git repository at git://git.samba.org/cifs-utils.git.


Recent revisions

551. By Pavel Shilovsky <email address hidden>

cifs-utils: bump version to 6.14

Signed-off-by: Pavel Shilovsky <email address hidden>

550. By Pavel Shilovsky <email address hidden>

setcifsacl: fix formatting

Signed-off-by: Pavel Shilovsky <email address hidden>

549. By Aurelien Aptel <email address hidden>

smbinfo: add support for new key dump ioctl

* try new one first, fall back on old one otherwise => retrocompatible
* use better cipher descriptions

Signed-off-by: Aurelien Aptel <email address hidden>

548. By Paulo Alcantara <email address hidden>

mount.cifs: fix crash when mount point does not exist

@mountpointp is initially set to a statically allocated string in
main(), and if we fail to update it in acquire_mountpoint(), make sure
to set it to NULL and avoid freeing it at mount_exit.

This fixes the following crash:

 $ mount.cifs //srv/share /mnt/foo/bar -o ...
 Couldn't chdir to /mnt/foo/bar: No such file or directory
 munmap_chunk(): invalid pointer
 Aborted

Signed-off-by: Paulo Alcantara (SUSE) <email address hidden>
Reviewed-by: Aurelien Aptel <email address hidden>

547. By Aurelien Aptel <email address hidden>

cifs.upcall: fix regression in kerberos mount

The fix for CVE-2021-20208 in commit e461afd ("cifs.upcall: try to use
container ipc/uts/net/pid/mnt/user namespaces") introduced a
regression for kerberos mounts when cifs-utils is built with
libcap-ng. It makes mount fail with ENOKEY "Required key not
available".

Current state:

mount.cifs
 '---> mount() ---> kernel
                   negprot, session setup (need security blob for krb)
                   request_key("cifs.spnego", payload="pid=%d;username=...")
                               upcall
  /sbin/request-key <--------------'
   reads /etc/request-keys.conf
   dispatch cifs.spnego request
   calls /usr/sbin/cifs.upcall <key id>
   - drop privileges (capabilities)
   - fetch keyid
   - parse payload
   - switch to mount.cifs namespaces
   - call krb5_xxx() funcs
   - generate security blob
   - set key value to security blob
      '-----------------------------------> kernel
                                         put blob in session setup packet
             continue auth
             open tcon
             get share root
             setup superblock
mount.cifs mount() returns <-----------'

By the time cifs.upcall tries to switch to namespaces, enough
capabilities have dropped in trim_capabilities() that it makes setns()
fail with EPERM.

setns() requires CAP_SYS_ADMIN.

With libcap, trim_capabilities() is a no-op.

This fix:

- moves the namespace switch earlier so that operations like
  setgroups(), setgid(), scanning of the pid environment, ... happen in the
  contained namespaces.
- moves trim_capabilities() after the namespace switch
- moves the string processing that decodes the key request payload into a
  child process with minimum capabilities. The decoded data is shared
  with the parent process via shared memory obtained with mmap().

Fixes: e461afd ("cifs.upcall: try to use container ipc/uts/net/pid/mnt/user namespaces")
Signed-off-by: Aurelien Aptel <email address hidden>

546. By Juan Pablo González <email address hidden>

smbinfo: Add command for displaying alternate data streams

This patch adds a new command to smbinfo which retrieves and displays
the list of alternate data streams for a file.

Signed-off-by: Juan Pablo González <email address hidden>
Reviewed-by: Aurelien Aptel <email address hidden>

545. By Rohith Surabattula <email address hidden>

Reorder ACEs in preferred order during setcifsacl

Added a new option "-A" to the setcifsacl utility to reorder ACEs in the
preferred order.

544. By Pavel Shilovsky

cifs-utils: bump version to 6.13

Signed-off-by: Pavel Shilovsky <email address hidden>

543. By Alastair Houghton

cifs.upcall: try to use container ipc/uts/net/pid/mnt/user namespaces

In certain scenarios (e.g. kerberos multimount), when a process does
syscalls, the kernel sometimes has to query information or trigger
some actions in userspace. To do so it calls the cifs.upcall binary
with information on the process that triggered the syscall in the
first place.

ls(pid=10) ====> open("foo") ====> kernel

                                   that user doesn't have an SMB
                                   session, let's create one using his
                                   kerberos credential cache

                                   call cifs.upcall and ask for krb info
                                   for whoever owns pid=10
                                                         |
                  cifs.upcall --pid 10 <=================+

               ...gather info...
                  return binary blob used
                  when establishing SMB session
                        ===================> kernel
                                              open SMB session, handle
                                              open() syscall
ls <=================================== return open() result to ls

On a system using containers, the kernel is still calling the host
cifs.upcall and using the host configuration (for network, pid, etc).

This patch changes the behaviour of cifs.upcall so that it uses the
calling process's namespaces (ls in the example) when doing its
job.

Note that the kernel still calls the binary in the host, but the
binary will place itself in the context of the calling process's
namespaces.

This code makes use of (but shouldn't require) the following kernel
config options and syscall flags:

approx. year   | config / flags
introduced     |
---------------+--------------------------------
2008           | CONFIG_NAMESPACES=y
2007           | CONFIG_UTS_NS=y
2020           | CONFIG_TIME_NS=y
2006           | CONFIG_IPC_NS=y
2007           | CONFIG_USER_NS
2008           | CONFIG_PID_NS=y
2007           | CONFIG_NET_NS=y
2007           | CONFIG_CGROUPS
2016           | CLONE_NEWCGROUP setns() flag

Signed-off-by: Aurelien Aptel <email address hidden>
Signed-off-by: Alastair Houghton <email address hidden>

542. By Pavel Shilovsky

cifs-utils: bump version to 6.12

Signed-off-by: Pavel Shilovsky <email address hidden>

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
This branch contains Public information
Everyone can see this information.