From patchwork Fri Apr 2 20:04:09 2010
X-Patchwork-Submitter: Jeff Layton
X-Patchwork-Id: 49324
Date: Fri, 2 Apr 2010 16:04:09 -0400
From: Jeff Layton
To: Jeff Layton
Cc: linux-cifs-client@lists.samba.org
Message-ID: <20100402160409.705798cf@corrin.poochiereds.net>
In-Reply-To: <20100402151212.3a7957bb@tlielax.poochiereds.net>
References: <20100402151212.3a7957bb@tlielax.poochiereds.net>
Subject: Re: [linux-cifs-client] Errors opening credentials file.

On Fri, 2 Apr 2010 15:12:12 -0400
Jeff Layton wrote:

> On Fri, 2 Apr 2010 17:11:20 +0200
> Stef Bon wrote:
>
> > Hello,
> >
> > I'm using a construction to make resources (local and remote) available
> > in a user-friendly manner in a map in the user's home directory. These
> > resources are USB devices (local) and FTP and SSH hosts, and SMB shares.
> >
> > For mounting, the construction is using the autofs automounter for Linux.
> > It's running with root permissions.
> >
> > To mount SMB shares, of course, mount.cifs is used, with a personalized
> > credentials file. So the mount command looks like:
> >
> > mount.cifs "//$SMM_name/$SMB_share" $mount_directory -o
> > ip=$SMB_ip,credentialsfile=/home/sbon/.smb/mount.cred
> >
> > Now with the latest version of cifs-utils 4.2, it does not mount. The
> > error it gives is:
> >
> > error -1 (Unknown error 4294967295) opening credential file
> > /home/sbon/.smb/mount.cred
> >
> > Now after some trying, when I put the credential file in a subdir of
> > root's home, it's ok:
> >
> > mv /home/sbon/.smb/mount.cred /root/.smb
> >
> > and I adjust the config of my construction to look for this
> > credential file, everything works again.
> >
> > The permissions of the cred file are not changed!
> > Apparently the mount.cifs command also looks at the
> > directories above it (parents).
> >
> > Now checking the code, the function that reads the cred file is
> > open_cred_file, which uses the access call to check access.
> > Obviously that function checks the permissions of all the parent dirs,
> > and sees that the user root has not enough permissions, which is not
> > true.
> >
> > It's not such a big problem, I've got it working again, but it should
> > be documented.
> >
> > Stef
>
> What was the last version on which this worked? Are you running mount.cifs
> as a setuid root program? Is mount.cifs linked against libcap?
>
> Does the attached patch fix the problem?

From d652b86adc7e9c62ba71b315e91fdd24af0063d8 Mon Sep 17 00:00:00 2001
From: Jeff Layton
Date: Fri, 2 Apr 2010 16:02:37 -0400
Subject: [PATCH] mount.cifs: if real uid is 0, child must keep CAP_DAC_OVERRIDE

...otherwise, root may not be able to read credential files. The ideal
thing would be to remove it from the effective set, and only turn it on
when needed, but for now this should fix the immediate problem.

Signed-off-by: Jeff Layton
---
 mount.cifs.c | 17 ++++++++++-------
 1 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/mount.cifs.c b/mount.cifs.c
index ab155e3..7d1fa83 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -1150,7 +1150,7 @@ add_mtab_exit: static int drop_capabilities(int parent) { - int rc = 0; + int rc = 0, ncap; cap_t caps; cap_value_t cap_list[2];
@@ -1168,17 +1168,20 @@ drop_capabilities(int parent) goto free_caps; } - /* parent needs to keep some capabilities */ - if (parent) { - cap_list[0] = CAP_SYS_ADMIN; - cap_list[1] = CAP_DAC_OVERRIDE; - if (cap_set_flag(caps, CAP_PERMITTED, 2, cap_list, CAP_SET) == -1) { + if (parent || getuid() == 0) { + ncap = 1; + cap_list[0] = CAP_DAC_OVERRIDE; + if (parent) { + cap_list[1] = CAP_SYS_ADMIN; + ++ncap; + } + if (cap_set_flag(caps, CAP_PERMITTED, ncap, cap_list, CAP_SET) == -1) { fprintf(stderr, "Unable to set permitted capabilities: %s\n", strerror(errno)); rc = EX_SYSERR; goto free_caps; } - if (cap_set_flag(caps, CAP_EFFECTIVE, 2, cap_list, CAP_SET) == -1) { + if (cap_set_flag(caps, CAP_EFFECTIVE, ncap, cap_list, CAP_SET) == -1) { fprintf(stderr, "Unable to set effective capabilities: %s\n", strerror(errno)); rc = EX_SYSERR; -- 1.6.6.1
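Review bot: in the first hunk (`int rc = 0, ncap;`), `ncap` is declared without an initialiser and is only assigned inside the new `if (parent || getuid() == 0)` block, which is also the only place it is read, so the code is correct as written; initialising it as `int rc = 0, ncap = 0;` would keep it consistent with `rc` on the same line and avoid a maybe-uninitialized warning if the block is later restructured. `cap_value_t cap_list[2]` still bounds `ncap` at 2, which matches the maximum the second hunk assigns.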
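Review bot: in the second hunk the new condition `parent || getuid() == 0` keys on the real uid, so a non-root caller of a setuid-root mount.cifs still has CAP_DAC_OVERRIDE dropped in the child and the credentials-file check stays subject to that user's own DAC permissions, while a real-uid-0 caller now keeps it, which is what the reported failure (a credentials file under a user's home whose parent directories root can only traverse through CAP_DAC_OVERRIDE) needs. As the commit message already notes, the capability is raised into CAP_EFFECTIVE for the rest of the run; leaving it in CAP_PERMITTED only here and raising it into the effective set just around open_cred_file would narrow the window, and the `ncap` count makes that a small follow-up. Swapping the order so that `cap_list[0] = CAP_DAC_OVERRIDE` and `cap_list[1] = CAP_SYS_ADMIN` is harmless, since cap_set_flag takes the first `ncap` entries positionally.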
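As an added illustration, not code from cifs-utils or from this thread, of the behaviour Stef observed and the patch addresses: access() evaluates search permission on every parent directory of the path, and a process that lacks CAP_DAC_OVERRIDE in its effective set (which is what the child of a setuid mount.cifs is after drop_capabilities()) is refused even when the file itself is world-readable. The helper builds a constructed directory tree under /tmp (names and the sample credential contents are assumed) and reports whether access(R_OK) passes for a given parent-directory mode.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create <tmpdir>/parent/cred.txt with the file at mode 0644 and the parent
 * directory at parent_mode, then run the same access(R_OK) check that
 * open_cred_file() relies on.  Returns 1 if access succeeds, 0 if it is
 * refused (errno stored in *err_out), -1 on setup failure.  The tree is
 * removed again before returning. */
static int cred_readable_behind_parent(mode_t parent_mode, int *err_out)
{
    char tmpl[] = "/tmp/credtestXXXXXX";   /* constructed scratch location */
    char parent[64], file[80];
    int rc;

    if (!mkdtemp(tmpl))
        return -1;
    snprintf(parent, sizeof parent, "%s/parent", tmpl);
    snprintf(file, sizeof file, "%s/cred.txt", parent);
    if (mkdir(parent, 0755) != 0)
        return -1;

    FILE *f = fopen(file, "w");
    if (!f)
        return -1;
    fputs("username=user\npassword=secret\n", f);   /* constructed sample */
    fclose(f);
    chmod(file, 0644);          /* the file itself is readable by everyone */
    chmod(parent, parent_mode); /* only the parent decides the outcome     */

    rc = access(file, R_OK);    /* fails with EACCES when the parent has no
                                   search bit and CAP_DAC_OVERRIDE is absent */
    if (err_out)
        *err_out = rc == 0 ? 0 : errno;

    /* Restore the parent so the owner can unlink the file and clean up. */
    chmod(parent, 0755);
    unlink(file);
    rmdir(parent);
    rmdir(tmpl);
    return rc == 0 ? 1 : 0;
}
```

Run as an unprivileged user, the 0000 parent case is refused with EACCES; run as root with CAP_DAC_OVERRIDE effective, the same check passes, which is exactly the difference between the two hunks' before and after behaviour for a real-uid-0 caller.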