Simo Leone | 1 Jun 10:37 2009

[PATCH] cifs: Fix port overriding

Copy struct *after* setting the port, instead of before.

Signed-off-by: Simo Leone <simo <at> archlinux.org>
---
 fs/cifs/connect.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 0344b26..6462071 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
 <at>  <at>  -1506,14 +1506,14  <at>  <at>  cifs_get_tcp_session(struct smb_vol *volume_info)
 		cFYI(1, ("attempting ipv6 connect"));
 		/* BB should we allow ipv6 on port 139? */
 		/* other OS never observed in Wild doing 139 with v6 */
+		sin_server6->sin6_port = htons(volume_info->port);
 		memcpy(&tcp_ses->addr.sockAddr6, sin_server6,
 			sizeof(struct sockaddr_in6));
-		sin_server6->sin6_port = htons(volume_info->port);
 		rc = ipv6_connect(tcp_ses);
 	} else {
+		sin_server->sin_port = htons(volume_info->port);
 		memcpy(&tcp_ses->addr.sockAddr, sin_server,
 			sizeof(struct sockaddr_in));
-		sin_server->sin_port = htons(volume_info->port);
 		rc = ipv4_connect(tcp_ses);
 	}
 	if (rc < 0) {
--

-- 
1.6.3.1
(Continue reading)

Jeff Layton | 1 Jun 12:35 2009
Picon

Re: [PATCH] cifs: Fix port overriding

On Mon,  1 Jun 2009 01:37:50 -0700
Simo Leone <simo <at> archlinux.org> wrote:

> Copy struct *after* setting the port, instead of before.
> 
> Signed-off-by: Simo Leone <simo <at> archlinux.org>
> ---
>  fs/cifs/connect.c |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
> index 0344b26..6462071 100644
> --- a/fs/cifs/connect.c
> +++ b/fs/cifs/connect.c
>  <at>  <at>  -1506,14 +1506,14  <at>  <at>  cifs_get_tcp_session(struct smb_vol *volume_info)
>  		cFYI(1, ("attempting ipv6 connect"));
>  		/* BB should we allow ipv6 on port 139? */
>  		/* other OS never observed in Wild doing 139 with v6 */
> +		sin_server6->sin6_port = htons(volume_info->port);
>  		memcpy(&tcp_ses->addr.sockAddr6, sin_server6,
>  			sizeof(struct sockaddr_in6));
> -		sin_server6->sin6_port = htons(volume_info->port);
>  		rc = ipv6_connect(tcp_ses);
>  	} else {
> +		sin_server->sin_port = htons(volume_info->port);
>  		memcpy(&tcp_ses->addr.sockAddr, sin_server,
>  			sizeof(struct sockaddr_in));
> -		sin_server->sin_port = htons(volume_info->port);
>  		rc = ipv4_connect(tcp_ses);
>  	}
(Continue reading)

Jeff Layton | 2 Jun 12:56 2009
Picon

[PATCH] cifs: fix IPv6 address length check

For IPv6 the userspace mount helper sends an address in the "ip="
option.  This check fails if the length is > 35 characters. I have no
idea where the magic 35 character limit came from, but it's clearly not
enough for IPv6. Fix it by making it use the INET6_ADDRSTRLEN #define.

While we're at it, use the same #define for the address length in SPNEGO
upcalls.

Reported-by: Charles R. Anderson <cra <at> wpi.edu>
Signed-off-by: Jeff Layton <jlayton <at> redhat.com>
---
 fs/cifs/cifs_spnego.c |    6 ++----
 fs/cifs/connect.c     |    4 +++-
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/fs/cifs/cifs_spnego.c b/fs/cifs/cifs_spnego.c
index 67bf93a..4a4581c 100644
--- a/fs/cifs/cifs_spnego.c
+++ b/fs/cifs/cifs_spnego.c
 <at>  <at>  -23,6 +23,7  <at>  <at> 
 #include <linux/string.h>
 #include <keys/user-type.h>
 #include <linux/key-type.h>
+#include <linux/inet.h>
 #include "cifsglob.h"
 #include "cifs_spnego.h"
 #include "cifs_debug.h"
 <at>  <at>  -73,9 +74,6  <at>  <at>  struct key_type cifs_spnego_key_type = {
  * strlen(";sec=ntlmsspi") */
 #define MAX_MECH_STR_LEN	13
(Continue reading)

Jeff Layton | 2 Jun 15:58 2009
Picon

[PATCH] mount.cifs: properly check for mount being in fstab when running setuid root (try#2)

This is the second attempt to clean up the checks when a setuid
mount.cifs is run by an unprivileged user. The main difference in this
patch is that it adds some compile-time switches that give mount.cifs
the legacy behavior. The new behavior that gives mount.cifs the same
behavior as /bin/mount is the default.

When mount.cifs is installed setuid root and run as an unprivileged
user, it does some checks to limit how the mount is used. It checks that
the mountpoint is owned by the user doing the mount.

These checks however do not match those that /bin/mount does when it is
called by an unprivileged user. When /bin/mount is called by an
unprivileged user to do a mount, it checks that the mount in question is
in /etc/fstab, that it has the "user" option set, etc.

This means that it's currently not possible to set up user mounts the
standard way (by the admin, in /etc/fstab) and simultaneously protect
from an unprivileged user calling mount.cifs directly to mount a share
on any directory that that user owns.

Fix this by making the checks in mount.cifs match those of /bin/mount
itself. This is a necessary step to make mount.cifs safe to be installed
as a setuid binary, but not sufficient. For that, we'd need to give
mount.cifs a proper security audit.

Signed-off-by: Jeff Layton <jlayton <at> redhat.com>
---
 source3/client/mount.cifs.c |  199 ++++++++++++++++++++++++++++++++++---------
 1 files changed, 159 insertions(+), 40 deletions(-)

(Continue reading)

Steve French | 2 Jun 17:46 2009
Picon

Re: [PATCH] cifs: fix IPv6 address length check

merged

On Tue, Jun 2, 2009 at 5:56 AM, Jeff Layton <jlayton <at> redhat.com> wrote:
> For IPv6 the userspace mount helper sends an address in the "ip="
> option.  This check fails if the length is > 35 characters. I have no
> idea where the magic 35 character limit came from, but it's clearly not
> enough for IPv6. Fix it by making it use the INET6_ADDRSTRLEN #define.
>
> While we're at it, use the same #define for the address length in SPNEGO
> upcalls.

--

-- 
Thanks,

Steve
Steve French | 3 Jun 07:52 2009
Picon

Re: Documentation

On Wed, Jun 3, 2009 at 12:33 AM, Jonathan wrote:
> When I execute this:
>
> sudo mount -t cifs -o user=foo,pass=bar //zang/s$ /mnt/zangshare
>
> I get messages in dmesg:
>
> [344017.883572]  CIFS VFS: cifs_mount failed w/return code = -22

Looks like simply invalid parameter is returned presumably because the
share name
is reversed in order from the parameters (see "man mount.cifs" for
syntax).  Probably should be:

sudo mount -t cifs //zang/s$ /mnt/zangshare -o user=foo,pass=bar

> I cannot find any documentation anywhere that can tell me what -22
> means. Is it a CIFS C constant, a Linux kernel constant, or some POSIX
> exit code?

-22 is a posix error (EINVAL). Invalid parameter. Some Linux ship
utilities to display this
(the information you can get from strerror).   errno.h or errno-base.h
includes a more
complete list of errors.

Thanks,

Steve
(Continue reading)

Jeff Layton | 3 Jun 12:20 2009
Picon

Re: Re: Documentation

On Wed, 3 Jun 2009 00:52:45 -0500
Steve French <smfrench <at> gmail.com> wrote:

> On Wed, Jun 3, 2009 at 12:33 AM, Jonathan wrote:
> > When I execute this:
> >
> > sudo mount -t cifs -o user=foo,pass=bar //zang/s$ /mnt/zangshare
> >
> > I get messages in dmesg:
> >
> > [344017.883572]  CIFS VFS: cifs_mount failed w/return code = -22
> 
> Looks like simply invalid parameter is returned presumably because the
> share name
> is reversed in order from the parameters (see "man mount.cifs" for
> syntax).  Probably should be:
> 
> sudo mount -t cifs //zang/s$ /mnt/zangshare -o user=foo,pass=bar
> 

That shouldn't matter unless you're calling mount.cifs
directly. /bin/mount can handle this format. Also, if that were the case,
I wouldn't think that the mount helper would even get around to calling
mount().

> > I cannot find any documentation anywhere that can tell me what -22
> > means. Is it a CIFS C constant, a Linux kernel constant, or some POSIX
> > exit code?
> 
> -22 is a posix error (EINVAL). Invalid parameter. Some Linux ship
(Continue reading)

Jerry Litteer | 3 Jun 16:44 2009

mount error 126 = Required key not available

I have cifs mounting working on a Ubuntu system.  When I try to transfer
the environment/capability to Centos
I get mount error 126 = Required key not available.

>From what I can tell I have every thing configured correctly.  When I
try to use Google, I see alot  of  reports of the issue, but I have yet
to see any suggestions for resolving the issue.

Here is the information from the Centos system that is failing...
Script started on Wed 03 Jun 2009 07:54:29 AM MDT
gll <at> vastest1: whatami.sh
    CentOS release 5.3 (Final)
    System information gathered:
    HOSTNAME        = vastest1
    Kernel          = 2.6.18-128.1.6.el5
    HOST_OS_NAME    = Linux
    HOST_OS_VERSION = 5.3
    HOST_HARDWARE   = x86_64
gll <at> vastest1: env | grep KRB
KRB5_CONFIG=/etc/krb5.conf
KRB5CCNAME=/tmp/krb5cc_118
-rw------- 1 gll gll 2525 Jun  3 08:08 /tmp/krb5cc_118

gll <at> vastest1: ~]$/sbin/mount.cifs //fs1/home3/gll /home/gll/J: -v -o
sec=krb5,user=gll <at> inel.gov,noauto,soft
parsing options: sec=krb5,user=gll <at> inel.gov,noauto,soft

mount.cifs kernel mount options
unc=//fs1\home3,ip=134.20.19.122,ver=1,sec=krb5,user=gll <at> inel.gov,noauto,soft,uid=118,gid=118,prefixpath=gll

(Continue reading)

Jeff Layton | 3 Jun 17:25 2009
Picon

Re: mount error 126 = Required key not available

On Wed, 03 Jun 2009 08:44:36 -0600
Jerry Litteer <gerald.litteer <at> inl.gov> wrote:

> I have cifs mounting working on a Ubuntu system.  When I try to transfer
> the environment/capability to Centos
> I get mount error 126 = Required key not available.
> 
> >From what I can tell I have every thing configured correctly.  When I
> try to use Google, I see alot  of  reports of the issue, but I have yet
> to see any suggestions for resolving the issue.
> 
> Here is the information from the Centos system that is failing...
> Script started on Wed 03 Jun 2009 07:54:29 AM MDT
> gll <at> vastest1: whatami.sh
>     CentOS release 5.3 (Final)
>     System information gathered:
>     HOSTNAME        = vastest1
>     Kernel          = 2.6.18-128.1.6.el5
>     HOST_OS_NAME    = Linux
>     HOST_OS_VERSION = 5.3
>     HOST_HARDWARE   = x86_64
> gll <at> vastest1: env | grep KRB
> KRB5_CONFIG=/etc/krb5.conf
> KRB5CCNAME=/tmp/krb5cc_118
> -rw------- 1 gll gll 2525 Jun  3 08:08 /tmp/krb5cc_118
> 
> gll <at> vastest1: ~]$/sbin/mount.cifs //fs1/home3/gll /home/gll/J: -v -o
> sec=krb5,user=gll <at> inel.gov,noauto,soft
> parsing options: sec=krb5,user=gll <at> inel.gov,noauto,soft
> 
(Continue reading)

Thomas Anglmaier | 4 Jun 13:26 2009
Picon

Fwd: cifsd killed on wrong pwd

hi list,

we face a problem on several linux systems where multiple users mount cifs shares from a unique server.
the cifs-documentation says that a single thread (cifsd) is started for each unique server and it seems
that cifsd is getting killed if a users tries to mount and gives wrong password. even if there are existing
mounts from that server.

here is what happens:

 
root <at> tofo2 ~]# df -ha
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             7.6G  4.8G  2.5G  67% /
proc                     0     0     0   -  /proc
sysfs                    0     0     0   -  /sys
devpts                   0     0     0   -  /dev/pts
tmpfs                 125M     0  125M   0% /dev/shm
none                     0     0     0   -  /proc/sys/fs/binfmt_misc
sunrpc                   0     0     0   -  /var/lib/nfs/rpc_pipefs

[root <at> tofo2 ~]# echo 1 > /proc/fs/cifs/MultiuserMount 
[root <at> tofo2 ~]# dmesg
[root <at> tofo2 ~]#  mount -t cifs -o user=tom //tofo1/home1 /mnt/1
Password: 

[root <at> tofo2 ~]# df -ha
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1             7.6G  4.8G  2.5G  67% /
proc                     0     0     0   -  /proc
sysfs                    0     0     0   -  /sys
(Continue reading)


Gmane