From patchwork Fri Mar 26 14:25:40 2010
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jeff Layton <jlayton@samba.org>
X-Patchwork-Id: 48649
Return-Path: <linux-cifs-client-bounces@lists.samba.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from lists.samba.org (fn.samba.org [216.83.154.106])
	by ozlabs.org (Postfix) with ESMTP id 6B80EB7C09
	for <incoming@patchwork.ozlabs.org>;
	Sat, 27 Mar 2010 01:26:28 +1100 (EST)
Received: from fn.samba.org (localhost [127.0.0.1])
	by lists.samba.org (Postfix) with ESMTP id 5BDA84665C;
	Fri, 26 Mar 2010 08:26:28 -0600 (MDT)
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on fn.samba.org
X-Spam-Level: 
X-Spam-Status: No, score=-9.9 required=3.8 tests=AWL, BAYES_00,
	RCVD_IN_DNSWL_HI,
	SPF_HELO_PASS,SPF_NEUTRAL autolearn=ham version=3.2.5
X-Original-To: linux-cifs-client@lists.samba.org
Delivered-To: linux-cifs-client@lists.samba.org
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
	by lists.samba.org (Postfix) with ESMTP id 702B64666C
	for <linux-cifs-client@lists.samba.org>;
	Fri, 26 Mar 2010 08:25:52 -0600 (MDT)
Received: from int-mx05.intmail.prod.int.phx2.redhat.com
	(int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.18])
	by mx1.redhat.com (8.13.8/8.13.8) with ESMTP id o2QEPp50006040
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK)
	for <linux-cifs-client@lists.samba.org>;
	Fri, 26 Mar 2010 10:25:51 -0400
Received: from localhost.localdomain (vpn-10-105.rdu.redhat.com
	[10.11.10.105])
	by int-mx05.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with
	ESMTP id o2QEPdCm026868 for <linux-cifs-client@lists.samba.org>;
	Fri, 26 Mar 2010 10:25:51 -0400
From: Jeff Layton <jlayton@samba.org>
To: linux-cifs-client@lists.samba.org
Date: Fri, 26 Mar 2010 10:25:40 -0400
Message-Id: <1269613542-6402-18-git-send-email-jlayton@samba.org>
In-Reply-To: <1269613542-6402-1-git-send-email-jlayton@samba.org>
References: <1269613542-6402-1-git-send-email-jlayton@samba.org>
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.18
Subject: [linux-cifs-client] [PATCH 17/19] mount.cifs: guard against signals
	by unprivileged users
X-BeenThere: linux-cifs-client@lists.samba.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: The Linux CIFS VFS client <linux-cifs-client.lists.samba.org>
List-Unsubscribe: <https://lists.samba.org/mailman/options/linux-cifs-client>,
	<mailto:linux-cifs-client-request@lists.samba.org?subject=unsubscribe>
List-Archive: <http://lists.samba.org/pipermail/linux-cifs-client>
List-Post: <mailto:linux-cifs-client@lists.samba.org>
List-Help: <mailto:linux-cifs-client-request@lists.samba.org?subject=help>
List-Subscribe: <https://lists.samba.org/mailman/listinfo/linux-cifs-client>,
	<mailto:linux-cifs-client-request@lists.samba.org?subject=subscribe>
MIME-Version: 1.0
Sender: linux-cifs-client-bounces@lists.samba.org
Errors-To: linux-cifs-client-bounces@lists.samba.org

From: Jeff Layton <jlayton@redhat.com>

If mount.cifs is setuid root, then the unprivileged user who runs the
program can send the mount.cifs process a signal and kill it. This is
not a huge problem unless we happen to be updating the mtab at the
time, in which case the mtab lockfiles might not get cleaned up.

To remedy this, have the privileged mount.cifs process set its real
uid to the effective uid (usually, root). This prevents unprivileged
users from being able to signal the process.

While we're at it, also mask off signals while we're updating the
mtab. This leaves a SIGKILL by root as the only way to interrupt the
mtab update, but there's really nothing we can do about that.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
---
 mount.cifs.c |   42 +++++++++++++++++++++++++++++++++++-------
 1 files changed, 35 insertions(+), 7 deletions(-)

diff --git a/mount.cifs.c b/mount.cifs.c
index f4aea01..e292e40 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -267,10 +267,10 @@ static int set_password(struct parsed_mount_info *parsed_info, const char *src)
 }
 
 /* caller frees username if necessary */
-static char *getusername(void)
+static char *getusername(uid_t uid)
 {
 	char *username = NULL;
-	struct passwd *password = getpwuid(getuid());
+	struct passwd *password = getpwuid(uid);
 
 	if (password)
 		username = password->pw_name;
@@ -1051,13 +1051,26 @@ static int check_mtab(const char *progname, const char *devname,
 }
 
 static int
-add_mtab(char *devname, char *mountpoint, unsigned long flags)
+add_mtab(char *devname, char *mountpoint, unsigned long flags, uid_t uid)
 {
 	int rc = 0;
 	char *mount_user;
 	struct mntent mountent;
 	FILE *pmntfile;
+	sigset_t mask, oldmask;
 
+	rc = sigfillset(&mask);
+	if (rc) {
+		fprintf(stderr, "Unable to set filled signal mask\n");
+		return EX_FILEIO;
+	}
+
+	rc = sigprocmask(SIG_SETMASK, &mask, &oldmask);
+	if (rc) {
+		fprintf(stderr, "Unable to make process ignore signals\n");
+		return EX_FILEIO;
+	}
+	
 	atexit(unlock_mtab);
 	rc = lock_mtab();
 	if (rc) {
@@ -1094,9 +1107,9 @@ add_mtab(char *devname, char *mountpoint, unsigned long flags)
 			strlcat(mountent.mnt_opts, ",nodev", MTAB_OPTIONS_LEN);
 		if (flags & MS_SYNCHRONOUS)
 			strlcat(mountent.mnt_opts, ",sync", MTAB_OPTIONS_LEN);
-		if (getuid() != 0) {
+		if (uid != 0) {
 			strlcat(mountent.mnt_opts, ",user=", MTAB_OPTIONS_LEN);
-			mount_user = getusername();
+			mount_user = getusername(uid);
 			if (mount_user)
 				strlcat(mountent.mnt_opts, mount_user,
 					MTAB_OPTIONS_LEN);
@@ -1109,6 +1122,7 @@ add_mtab(char *devname, char *mountpoint, unsigned long flags)
 	unlock_mtab();
 	SAFE_FREE(mountent.mnt_opts);
 add_mtab_exit:
+	sigprocmask(SIG_SETMASK, &oldmask, NULL);
 	if (rc) {
 		fprintf(stderr, "unable to add mount entry to mtab\n");
 		rc = EX_FILEIO;
@@ -1204,7 +1218,7 @@ assemble_mountinfo(struct parsed_mount_info *parsed_info,
 			strlcpy(parsed_info->username, getenv("USER"),
 				sizeof(parsed_info->username));
 		else
-			strlcpy(parsed_info->username, getusername(),
+			strlcpy(parsed_info->username, getusername(getuid()),
 				sizeof(parsed_info->username));
 		parsed_info->got_user = 1;
 	}
@@ -1259,6 +1273,7 @@ int main(int argc, char **argv)
 	size_t dev_len;
 	struct parsed_mount_info *parsed_info = NULL;
 	pid_t pid;
+	uid_t uid;
 
 	if (check_setuid())
 		return EX_USAGE;
@@ -1390,6 +1405,19 @@ int main(int argc, char **argv)
 			goto mount_exit;
 	}
 
+	/*
+	 * Set the real uid to the effective uid. This prevents unprivileged
+	 * users from sending signals to this process, though ^c on controlling
+	 * terminal should still work.
+	 */
+	uid = getuid();
+	rc = setreuid(geteuid(), -1);
+	if (rc != 0) {
+		fprintf(stderr, "Unable to set real uid to effective uid: %s\n",
+				strerror(errno));
+		rc = EX_USAGE;
+	}
+
 	options = calloc(options_size, 1);
 	if (!options) {
 		fprintf(stderr, "Unable to allocate memory.\n");
@@ -1500,7 +1528,7 @@ mount_retry:
 	}
 
 	if (!parsed_info->nomtab)
-		rc = add_mtab(dev_name, mountpoint, parsed_info->flags);
+		rc = add_mtab(dev_name, mountpoint, parsed_info->flags, uid);
 
 mount_exit:
 	if (parsed_info) {