From 8650af544c0e0f8c76b688ad85254e4d489ae5a9 Mon Sep 17 00:00:00 2001 From: Sachin Prabhu Date: Tue, 6 May 2014 12:46:12 +0100 Subject: [PATCH] Update to latest upstream patches - autoconf: allow PAM security install directory to be configurable - cifs: use krb5_kt_default() to determine default keytab location - cifskey: better use snprintf() - cifscreds: better error handling when key_search fails - cifscreds: better error handling for key_add Signed-off-by: Sachin Prabhu --- ...AM-security-install-directory-to-be-.patch | 47 ++++++++ ..._default-to-determine-default-keytab.patch | 56 ++++++++++ 0003-cifskey-better-use-snprintf.patch | 49 +++++++++ ...-error-handling-when-key_search-fail.patch | 85 +++++++++++++++ ...ds-better-error-handling-for-key_add.patch | 102 ++++++++++++++++++ cifs-utils.spec | 19 +++- 6 files changed, 357 insertions(+), 1 deletion(-) create mode 100644 0001-autoconf-allow-PAM-security-install-directory-to-be-.patch create mode 100644 0002-cifs-use-krb5_kt_default-to-determine-default-keytab.patch create mode 100644 0003-cifskey-better-use-snprintf.patch create mode 100644 0004-cifscreds-better-error-handling-when-key_search-fail.patch create mode 100644 0005-cifscreds-better-error-handling-for-key_add.patch diff --git a/0001-autoconf-allow-PAM-security-install-directory-to-be-.patch b/0001-autoconf-allow-PAM-security-install-directory-to-be-.patch new file mode 100644 index 0000000..0c09626 --- /dev/null +++ b/0001-autoconf-allow-PAM-security-install-directory-to-be-.patch @@ -0,0 +1,47 @@ +From 00a1cee869fce5b6aa79683da19a2529c2cfd690 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Lars=20M=C3=BCller?= +Date: Mon, 7 Apr 2014 14:35:10 -0400 +Subject: [PATCH] autoconf: allow PAM security install directory to be + configurable + +Allow the pam module install directory to be set at build time. + +Signed-off-by: Jeff Layton +--- + Makefile.am | 2 -- + configure.ac | 6 ++++++ + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/Makefile.am b/Makefile.am +index a3fb413..92da8b1 100644 +--- a/Makefile.am ++++ b/Makefile.am +@@ -92,8 +92,6 @@ idmapwb.8: idmapwb.8.in + endif + + if CONFIG_PAM +-pamdir = $(libdir)/security +- + pam_PROGRAMS = pam_cifscreds.so + + pam_cifscreds.so: pam_cifscreds.c cifskey.c resolve_host.c util.c +diff --git a/configure.ac b/configure.ac +index 6cd8558..43aa55c 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -58,6 +58,12 @@ AC_ARG_WITH(idmap-plugin, + AC_DEFINE_UNQUOTED(IDMAP_PLUGIN_PATH, "$pluginpath", [Location of plugin that ID mapping infrastructure should use. (usually a symlink to real plugin)]) + AC_SUBST([pluginpath]) + ++AC_ARG_WITH(pamdir, ++ [AC_HELP_STRING([--with-pamdir=DIR],[Where to install the PAM module @<:@default=$(libdir)/security@:>@])], ++ pamdir=$withval, ++ pamdir="\$(libdir)/security") ++AC_SUBST([pamdir]) ++ + # check for ROOTSBINDIR environment var + if test -z $ROOTSBINDIR; then + ROOTSBINDIR="/sbin" +-- +1.8.4.2 + diff --git a/0002-cifs-use-krb5_kt_default-to-determine-default-keytab.patch b/0002-cifs-use-krb5_kt_default-to-determine-default-keytab.patch new file mode 100644 index 0000000..6f683d5 --- /dev/null +++ b/0002-cifs-use-krb5_kt_default-to-determine-default-keytab.patch @@ -0,0 +1,56 @@ +From a016e18969d10e3c777f35fe21b1c1f8c1d70880 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Mon, 7 Apr 2014 14:35:17 -0400 +Subject: [PATCH] cifs: use krb5_kt_default() to determine default keytab + location + +...don't assume that it's in /etc/krb5.keytab. + +Reported-by: Konstantin Lepikhov +Signed-off-by: Jeff Layton +--- + cifs.upcall.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/cifs.upcall.c b/cifs.upcall.c +index cc65824..e8544c2 100644 +--- a/cifs.upcall.c ++++ b/cifs.upcall.c +@@ -55,7 +55,6 @@ + #define CIFS_DEFAULT_KRB5_DIR "/tmp" + #define CIFS_DEFAULT_KRB5_USER_DIR "/run/user/%U" + #define CIFS_DEFAULT_KRB5_PREFIX "krb5cc" +-#define CIFS_DEFAULT_KRB5_KEYTAB "/etc/krb5.keytab" + + #define MAX_CCNAME_LEN PATH_MAX + 5 + +@@ -205,9 +204,15 @@ init_cc_from_keytab(const char *keytab_name, const char *user) + goto icfk_cleanup; + } + +- ret = krb5_kt_resolve(context, keytab_name, &keytab); ++ if (keytab_name) ++ ret = krb5_kt_resolve(context, keytab_name, &keytab); ++ else ++ ret = krb5_kt_default(context, &keytab); ++ + if (ret) { +- syslog(LOG_DEBUG, "krb5_kt_resolve: %d", (int)ret); ++ syslog(LOG_DEBUG, "%s: %d", ++ keytab_name ? "krb5_kt_resolve" : "krb5_kt_default", ++ (int)ret); + goto icfk_cleanup; + } + +@@ -841,7 +846,7 @@ int main(const int argc, char *const argv[]) + struct decoded_args arg; + const char *oid; + uid_t uid; +- char *keytab_name = CIFS_DEFAULT_KRB5_KEYTAB; ++ char *keytab_name = NULL; + time_t best_time = 0; + + hostbuf[0] = '\0'; +-- +1.8.4.2 + diff --git a/0003-cifskey-better-use-snprintf.patch b/0003-cifskey-better-use-snprintf.patch new file mode 100644 index 0000000..bea3603 --- /dev/null +++ b/0003-cifskey-better-use-snprintf.patch @@ -0,0 +1,49 @@ +From 0c521d5060035da655107001374e08873ac5dde8 Mon Sep 17 00:00:00 2001 +From: Sebastian Krahmer +Date: Mon, 14 Apr 2014 11:39:41 +0200 +Subject: [PATCH] cifskey: better use snprintf() + +Prefer snprintf() over sprintf() in cifskey.c +Projects that fork the code (pam_cifscreds) can't rely on +the max-size parameters. + +[jlayton: removed unneeded initialization of "len" in key_add] + +Signed-off-by: Sebastian Krahmer +--- + cifskey.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/cifskey.c b/cifskey.c +index 7716c42..e89cacf 100644 +--- a/cifskey.c ++++ b/cifskey.c +@@ -29,7 +29,8 @@ key_search(const char *addr, char keytype) + { + char desc[INET6_ADDRSTRLEN + sizeof(KEY_PREFIX) + 4]; + +- sprintf(desc, "%s:%c:%s", KEY_PREFIX, keytype, addr); ++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) ++ return -1; + + return keyctl_search(DEST_KEYRING, CIFS_KEY_TYPE, desc, 0); + } +@@ -43,10 +44,13 @@ key_add(const char *addr, const char *user, const char *pass, char keytype) + char val[MOUNT_PASSWD_SIZE + MAX_USERNAME_SIZE + 2]; + + /* set key description */ +- sprintf(desc, "%s:%c:%s", KEY_PREFIX, keytype, addr); ++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) ++ return -1; + + /* set payload contents */ +- len = sprintf(val, "%s:%s", user, pass); ++ len = snprintf(val, sizeof(val), "%s:%s", user, pass); ++ if (len >= (int)sizeof(val)) ++ return -1; + + return add_key(CIFS_KEY_TYPE, desc, val, len + 1, DEST_KEYRING); + } +-- +1.8.4.2 + diff --git a/0004-cifscreds-better-error-handling-when-key_search-fail.patch b/0004-cifscreds-better-error-handling-when-key_search-fail.patch new file mode 100644 index 0000000..cf57eea --- /dev/null +++ b/0004-cifscreds-better-error-handling-when-key_search-fail.patch @@ -0,0 +1,85 @@ +From 3da4c43b575498be86c87a2ac3f3142e3cab1c59 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Sun, 20 Apr 2014 20:41:05 -0400 +Subject: [PATCH] cifscreds: better error handling when key_search fails + +If we ended up getting a bogus string that would have overflowed, then +make key_search set errno to EINVAL before returning. The callers can +then test to see if the returned error is what was expected or something +else and handle it appropriately. + +Cc: Sebastian Krahmer +Signed-off-by: Jeff Layton +--- + cifscreds.c | 9 +++++++++ + cifskey.c | 5 ++++- + pam_cifscreds.c | 9 +++++++++ + 3 files changed, 22 insertions(+), 1 deletion(-) + +diff --git a/cifscreds.c b/cifscreds.c +index fa05dc8..64d55b0 100644 +--- a/cifscreds.c ++++ b/cifscreds.c +@@ -188,6 +188,15 @@ static int cifscreds_add(struct cmdarg *arg) + return EXIT_FAILURE; + } + ++ switch(errno) { ++ case ENOKEY: ++ /* success */ ++ break; ++ default: ++ printf("Key search failed: %s\n", strerror(errno)); ++ return EXIT_FAILURE; ++ } ++ + currentaddress = nextaddress; + if (currentaddress) { + *(currentaddress - 1) = ','; +diff --git a/cifskey.c b/cifskey.c +index e89cacf..4f01ed0 100644 +--- a/cifskey.c ++++ b/cifskey.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include "cifskey.h" + #include "resolve_host.h" + +@@ -29,8 +30,10 @@ key_search(const char *addr, char keytype) + { + char desc[INET6_ADDRSTRLEN + sizeof(KEY_PREFIX) + 4]; + +- if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) ++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) { ++ errno = EINVAL; + return -1; ++ } + + return keyctl_search(DEST_KEYRING, CIFS_KEY_TYPE, desc, 0); + } +diff --git a/pam_cifscreds.c b/pam_cifscreds.c +index e0d8a55..fb23117 100644 +--- a/pam_cifscreds.c ++++ b/pam_cifscreds.c +@@ -206,6 +206,15 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char *user, const char *pas + return PAM_SERVICE_ERR; + } + ++ switch(errno) { ++ case ENOKEY: ++ break; ++ default: ++ pam_syslog(ph, LOG_ERR, "Unable to search keyring for %s (%s)", ++ currentaddress, strerror(errno)); ++ return PAM_SERVICE_ERR; ++ } ++ + currentaddress = nextaddress; + if (currentaddress) { + *(currentaddress - 1) = ','; +-- +1.8.4.2 + diff --git a/0005-cifscreds-better-error-handling-for-key_add.patch b/0005-cifscreds-better-error-handling-for-key_add.patch new file mode 100644 index 0000000..3baedd6 --- /dev/null +++ b/0005-cifscreds-better-error-handling-for-key_add.patch @@ -0,0 +1,102 @@ +From 382ec63757c1d8d4d399d17ccc927c4897d4cfc9 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Sun, 20 Apr 2014 20:41:05 -0400 +Subject: [PATCH] cifscreds: better error handling for key_add + +If the string buffers would have been overrun, set errno to EINVAL +before returning. Then, have the callers report the errors to +stderr or syslog as appropriate. + +Cc: Sebastian Krahmer +Signed-off-by: Jeff Layton +--- + cifscreds.c | 6 +++--- + cifskey.c | 8 ++++++-- + pam_cifscreds.c | 9 +++++---- + 3 files changed, 14 insertions(+), 9 deletions(-) + +diff --git a/cifscreds.c b/cifscreds.c +index 64d55b0..5d84c3c 100644 +--- a/cifscreds.c ++++ b/cifscreds.c +@@ -220,8 +220,8 @@ static int cifscreds_add(struct cmdarg *arg) + while (currentaddress) { + key_serial_t key = key_add(currentaddress, arg->user, pass, arg->keytype); + if (key <= 0) { +- fprintf(stderr, "error: Add credential key for %s\n", +- currentaddress); ++ fprintf(stderr, "error: Add credential key for %s: %s\n", ++ currentaddress, strerror(errno)); + } else { + if (keyctl(KEYCTL_SETPERM, key, CIFS_KEY_PERMS) < 0) { + fprintf(stderr, "error: Setting permissons " +@@ -422,7 +422,7 @@ static int cifscreds_update(struct cmdarg *arg) + key_serial_t key = key_add(addrs[id], arg->user, pass, arg->keytype); + if (key <= 0) + fprintf(stderr, "error: Update credential key " +- "for %s\n", addrs[id]); ++ "for %s: %s\n", addrs[id], strerror(errno)); + } + + return EXIT_SUCCESS; +diff --git a/cifskey.c b/cifskey.c +index 4f01ed0..919540f 100644 +--- a/cifskey.c ++++ b/cifskey.c +@@ -47,13 +47,17 @@ key_add(const char *addr, const char *user, const char *pass, char keytype) + char val[MOUNT_PASSWD_SIZE + MAX_USERNAME_SIZE + 2]; + + /* set key description */ +- if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) ++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) { ++ errno = EINVAL; + return -1; ++ } + + /* set payload contents */ + len = snprintf(val, sizeof(val), "%s:%s", user, pass); +- if (len >= (int)sizeof(val)) ++ if (len >= (int)sizeof(val)) { ++ errno = EINVAL; + return -1; ++ } + + return add_key(CIFS_KEY_TYPE, desc, val, len + 1, DEST_KEYRING); + } +diff --git a/pam_cifscreds.c b/pam_cifscreds.c +index fb23117..5d99c2d 100644 +--- a/pam_cifscreds.c ++++ b/pam_cifscreds.c +@@ -208,6 +208,7 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char *user, const char *pas + + switch(errno) { + case ENOKEY: ++ /* success */ + break; + default: + pam_syslog(ph, LOG_ERR, "Unable to search keyring for %s (%s)", +@@ -233,8 +234,8 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char *user, const char *pas + while (currentaddress) { + key_serial_t key = key_add(currentaddress, user, password, keytype); + if (key <= 0) { +- pam_syslog(ph, LOG_ERR, "error: Add credential key for %s", +- currentaddress); ++ pam_syslog(ph, LOG_ERR, "error: Add credential key for %s: %s", ++ currentaddress, strerror(errno)); + } else { + if ((args & ARG_DEBUG) == ARG_DEBUG) { + pam_syslog(ph, LOG_DEBUG, "credential key for \\\\%s\\%s added", +@@ -336,8 +337,8 @@ static int cifscreds_pam_update(pam_handle_t *ph, const char *user, const char * + for (id = 0; id < count; id++) { + key_serial_t key = key_add(currentaddress, user, password, keytype); + if (key <= 0) { +- pam_syslog(ph, LOG_ERR, "error: Update credential key for %s", +- currentaddress); ++ pam_syslog(ph, LOG_ERR, "error: Update credential key for %s: %s", ++ currentaddress, strerror(errno)); + } + } + +-- +1.8.4.2 + diff --git a/cifs-utils.spec b/cifs-utils.spec index cdcbf92..d53b4ca 100644 --- a/cifs-utils.spec +++ b/cifs-utils.spec @@ -3,7 +3,7 @@ Name: cifs-utils Version: 6.3 -Release: 1%{pre_release}%{?dist} +Release: 2%{pre_release}%{?dist} Summary: Utilities for mounting and managing CIFS mounts Group: System Environment/Daemons @@ -18,6 +18,11 @@ Requires(post): /usr/sbin/alternatives Requires(preun): /usr/sbin/alternatives Source0: ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/%{name}-%{version}%{pre_release}.tar.bz2 +Patch0: 0001-autoconf-allow-PAM-security-install-directory-to-be-.patch +Patch1: 0002-cifs-use-krb5_kt_default-to-determine-default-keytab.patch +Patch2: 0003-cifskey-better-use-snprintf.patch +Patch3: 0004-cifscreds-better-error-handling-when-key_search-fail.patch +Patch4: 0005-cifscreds-better-error-handling-for-key_add.patch %description The SMB/CIFS protocol is a standard file sharing protocol widely deployed @@ -52,6 +57,11 @@ provide these credentials to the kernel automatically at login. %prep %setup -q -n %{name}-%{version}%{pre_release} +%patch0 -p1 +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 %build autoreconf -i @@ -106,6 +116,13 @@ fi %{_mandir}/man8/pam_cifscreds.8.gz %changelog +* Tue May 06 2014 Sachin Prabhu 6.3-2 +- autoconf: allow PAM security install directory to be configurable +- cifs: use krb5_kt_default() to determine default keytab location +- cifskey: better use snprintf() +- cifscreds: better error handling when key_search fails +- cifscreds: better error handling for key_add + * Thu Jan 09 2014 Jeff Layton 6.3-1 - update to 6.3 release