Updated to 6.4 release

Signed-off-by: Sachin Prabhu <sprabhu@redhat.com>
This commit is contained in:
Sachin Prabhu 2014-08-04 12:11:16 +01:00
parent 3526ede088
commit 9f0c3b0ee7
8 changed files with 7 additions and 352 deletions

1
.gitignore vendored
View File

@ -18,3 +18,4 @@ cifs-utils-4.6.tar.bz2
/cifs-utils-6.1.tar.bz2
/cifs-utils-6.2.tar.bz2
/cifs-utils-6.3.tar.bz2
/cifs-utils-6.4.tar.bz2

View File

@ -1,47 +0,0 @@
From 00a1cee869fce5b6aa79683da19a2529c2cfd690 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lars=20M=C3=BCller?= <lars@samba.org>
Date: Mon, 7 Apr 2014 14:35:10 -0400
Subject: [PATCH] autoconf: allow PAM security install directory to be
configurable
Allow the pam module install directory to be set at build time.
Signed-off-by: Jeff Layton <jlayton@samba.org>
---
Makefile.am | 2 --
configure.ac | 6 ++++++
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index a3fb413..92da8b1 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -92,8 +92,6 @@ idmapwb.8: idmapwb.8.in
endif
if CONFIG_PAM
-pamdir = $(libdir)/security
-
pam_PROGRAMS = pam_cifscreds.so
pam_cifscreds.so: pam_cifscreds.c cifskey.c resolve_host.c util.c
diff --git a/configure.ac b/configure.ac
index 6cd8558..43aa55c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -58,6 +58,12 @@ AC_ARG_WITH(idmap-plugin,
AC_DEFINE_UNQUOTED(IDMAP_PLUGIN_PATH, "$pluginpath", [Location of plugin that ID mapping infrastructure should use. (usually a symlink to real plugin)])
AC_SUBST([pluginpath])
+AC_ARG_WITH(pamdir,
+ [AC_HELP_STRING([--with-pamdir=DIR],[Where to install the PAM module @<:@default=$(libdir)/security@:>@])],
+ pamdir=$withval,
+ pamdir="\$(libdir)/security")
+AC_SUBST([pamdir])
+
# check for ROOTSBINDIR environment var
if test -z $ROOTSBINDIR; then
ROOTSBINDIR="/sbin"
--
1.8.4.2

View File

@ -1,56 +0,0 @@
From a016e18969d10e3c777f35fe21b1c1f8c1d70880 Mon Sep 17 00:00:00 2001
From: Jeff Layton <jlayton@samba.org>
Date: Mon, 7 Apr 2014 14:35:17 -0400
Subject: [PATCH] cifs: use krb5_kt_default() to determine default keytab
location
...don't assume that it's in /etc/krb5.keytab.
Reported-by: Konstantin Lepikhov <klepikho@redhat.com>
Signed-off-by: Jeff Layton <jlayton@samba.org>
---
cifs.upcall.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/cifs.upcall.c b/cifs.upcall.c
index cc65824..e8544c2 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -55,7 +55,6 @@
#define CIFS_DEFAULT_KRB5_DIR "/tmp"
#define CIFS_DEFAULT_KRB5_USER_DIR "/run/user/%U"
#define CIFS_DEFAULT_KRB5_PREFIX "krb5cc"
-#define CIFS_DEFAULT_KRB5_KEYTAB "/etc/krb5.keytab"
#define MAX_CCNAME_LEN PATH_MAX + 5
@@ -205,9 +204,15 @@ init_cc_from_keytab(const char *keytab_name, const char *user)
goto icfk_cleanup;
}
- ret = krb5_kt_resolve(context, keytab_name, &keytab);
+ if (keytab_name)
+ ret = krb5_kt_resolve(context, keytab_name, &keytab);
+ else
+ ret = krb5_kt_default(context, &keytab);
+
if (ret) {
- syslog(LOG_DEBUG, "krb5_kt_resolve: %d", (int)ret);
+ syslog(LOG_DEBUG, "%s: %d",
+ keytab_name ? "krb5_kt_resolve" : "krb5_kt_default",
+ (int)ret);
goto icfk_cleanup;
}
@@ -841,7 +846,7 @@ int main(const int argc, char *const argv[])
struct decoded_args arg;
const char *oid;
uid_t uid;
- char *keytab_name = CIFS_DEFAULT_KRB5_KEYTAB;
+ char *keytab_name = NULL;
time_t best_time = 0;
hostbuf[0] = '\0';
--
1.8.4.2

View File

@ -1,49 +0,0 @@
From 0c521d5060035da655107001374e08873ac5dde8 Mon Sep 17 00:00:00 2001
From: Sebastian Krahmer <krahmer@suse.de>
Date: Mon, 14 Apr 2014 11:39:41 +0200
Subject: [PATCH] cifskey: better use snprintf()
Prefer snprintf() over sprintf() in cifskey.c
Projects that fork the code (pam_cifscreds) can't rely on
the max-size parameters.
[jlayton: removed unneeded initialization of "len" in key_add]
Signed-off-by: Sebastian Krahmer <krahmer@suse.de>
---
cifskey.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/cifskey.c b/cifskey.c
index 7716c42..e89cacf 100644
--- a/cifskey.c
+++ b/cifskey.c
@@ -29,7 +29,8 @@ key_search(const char *addr, char keytype)
{
char desc[INET6_ADDRSTRLEN + sizeof(KEY_PREFIX) + 4];
- sprintf(desc, "%s:%c:%s", KEY_PREFIX, keytype, addr);
+ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc))
+ return -1;
return keyctl_search(DEST_KEYRING, CIFS_KEY_TYPE, desc, 0);
}
@@ -43,10 +44,13 @@ key_add(const char *addr, const char *user, const char *pass, char keytype)
char val[MOUNT_PASSWD_SIZE + MAX_USERNAME_SIZE + 2];
/* set key description */
- sprintf(desc, "%s:%c:%s", KEY_PREFIX, keytype, addr);
+ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc))
+ return -1;
/* set payload contents */
- len = sprintf(val, "%s:%s", user, pass);
+ len = snprintf(val, sizeof(val), "%s:%s", user, pass);
+ if (len >= (int)sizeof(val))
+ return -1;
return add_key(CIFS_KEY_TYPE, desc, val, len + 1, DEST_KEYRING);
}
--
1.8.4.2

View File

@ -1,85 +0,0 @@
From 3da4c43b575498be86c87a2ac3f3142e3cab1c59 Mon Sep 17 00:00:00 2001
From: Jeff Layton <jlayton@samba.org>
Date: Sun, 20 Apr 2014 20:41:05 -0400
Subject: [PATCH] cifscreds: better error handling when key_search fails
If we ended up getting a bogus string that would have overflowed, then
make key_search set errno to EINVAL before returning. The callers can
then test to see if the returned error is what was expected or something
else and handle it appropriately.
Cc: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Jeff Layton <jlayton@samba.org>
---
cifscreds.c | 9 +++++++++
cifskey.c | 5 ++++-
pam_cifscreds.c | 9 +++++++++
3 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/cifscreds.c b/cifscreds.c
index fa05dc8..64d55b0 100644
--- a/cifscreds.c
+++ b/cifscreds.c
@@ -188,6 +188,15 @@ static int cifscreds_add(struct cmdarg *arg)
return EXIT_FAILURE;
}
+ switch(errno) {
+ case ENOKEY:
+ /* success */
+ break;
+ default:
+ printf("Key search failed: %s\n", strerror(errno));
+ return EXIT_FAILURE;
+ }
+
currentaddress = nextaddress;
if (currentaddress) {
*(currentaddress - 1) = ',';
diff --git a/cifskey.c b/cifskey.c
index e89cacf..4f01ed0 100644
--- a/cifskey.c
+++ b/cifskey.c
@@ -20,6 +20,7 @@
#include <sys/types.h>
#include <keyutils.h>
#include <stdio.h>
+#include <errno.h>
#include "cifskey.h"
#include "resolve_host.h"
@@ -29,8 +30,10 @@ key_search(const char *addr, char keytype)
{
char desc[INET6_ADDRSTRLEN + sizeof(KEY_PREFIX) + 4];
- if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc))
+ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) {
+ errno = EINVAL;
return -1;
+ }
return keyctl_search(DEST_KEYRING, CIFS_KEY_TYPE, desc, 0);
}
diff --git a/pam_cifscreds.c b/pam_cifscreds.c
index e0d8a55..fb23117 100644
--- a/pam_cifscreds.c
+++ b/pam_cifscreds.c
@@ -206,6 +206,15 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char *user, const char *pas
return PAM_SERVICE_ERR;
}
+ switch(errno) {
+ case ENOKEY:
+ break;
+ default:
+ pam_syslog(ph, LOG_ERR, "Unable to search keyring for %s (%s)",
+ currentaddress, strerror(errno));
+ return PAM_SERVICE_ERR;
+ }
+
currentaddress = nextaddress;
if (currentaddress) {
*(currentaddress - 1) = ',';
--
1.8.4.2

View File

@ -1,102 +0,0 @@
From 382ec63757c1d8d4d399d17ccc927c4897d4cfc9 Mon Sep 17 00:00:00 2001
From: Jeff Layton <jlayton@samba.org>
Date: Sun, 20 Apr 2014 20:41:05 -0400
Subject: [PATCH] cifscreds: better error handling for key_add
If the string buffers would have been overrun, set errno to EINVAL
before returning. Then, have the callers report the errors to
stderr or syslog as appropriate.
Cc: Sebastian Krahmer <krahmer@suse.de>
Signed-off-by: Jeff Layton <jlayton@samba.org>
---
cifscreds.c | 6 +++---
cifskey.c | 8 ++++++--
pam_cifscreds.c | 9 +++++----
3 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/cifscreds.c b/cifscreds.c
index 64d55b0..5d84c3c 100644
--- a/cifscreds.c
+++ b/cifscreds.c
@@ -220,8 +220,8 @@ static int cifscreds_add(struct cmdarg *arg)
while (currentaddress) {
key_serial_t key = key_add(currentaddress, arg->user, pass, arg->keytype);
if (key <= 0) {
- fprintf(stderr, "error: Add credential key for %s\n",
- currentaddress);
+ fprintf(stderr, "error: Add credential key for %s: %s\n",
+ currentaddress, strerror(errno));
} else {
if (keyctl(KEYCTL_SETPERM, key, CIFS_KEY_PERMS) < 0) {
fprintf(stderr, "error: Setting permissons "
@@ -422,7 +422,7 @@ static int cifscreds_update(struct cmdarg *arg)
key_serial_t key = key_add(addrs[id], arg->user, pass, arg->keytype);
if (key <= 0)
fprintf(stderr, "error: Update credential key "
- "for %s\n", addrs[id]);
+ "for %s: %s\n", addrs[id], strerror(errno));
}
return EXIT_SUCCESS;
diff --git a/cifskey.c b/cifskey.c
index 4f01ed0..919540f 100644
--- a/cifskey.c
+++ b/cifskey.c
@@ -47,13 +47,17 @@ key_add(const char *addr, const char *user, const char *pass, char keytype)
char val[MOUNT_PASSWD_SIZE + MAX_USERNAME_SIZE + 2];
/* set key description */
- if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc))
+ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) {
+ errno = EINVAL;
return -1;
+ }
/* set payload contents */
len = snprintf(val, sizeof(val), "%s:%s", user, pass);
- if (len >= (int)sizeof(val))
+ if (len >= (int)sizeof(val)) {
+ errno = EINVAL;
return -1;
+ }
return add_key(CIFS_KEY_TYPE, desc, val, len + 1, DEST_KEYRING);
}
diff --git a/pam_cifscreds.c b/pam_cifscreds.c
index fb23117..5d99c2d 100644
--- a/pam_cifscreds.c
+++ b/pam_cifscreds.c
@@ -208,6 +208,7 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char *user, const char *pas
switch(errno) {
case ENOKEY:
+ /* success */
break;
default:
pam_syslog(ph, LOG_ERR, "Unable to search keyring for %s (%s)",
@@ -233,8 +234,8 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char *user, const char *pas
while (currentaddress) {
key_serial_t key = key_add(currentaddress, user, password, keytype);
if (key <= 0) {
- pam_syslog(ph, LOG_ERR, "error: Add credential key for %s",
- currentaddress);
+ pam_syslog(ph, LOG_ERR, "error: Add credential key for %s: %s",
+ currentaddress, strerror(errno));
} else {
if ((args & ARG_DEBUG) == ARG_DEBUG) {
pam_syslog(ph, LOG_DEBUG, "credential key for \\\\%s\\%s added",
@@ -336,8 +337,8 @@ static int cifscreds_pam_update(pam_handle_t *ph, const char *user, const char *
for (id = 0; id < count; id++) {
key_serial_t key = key_add(currentaddress, user, password, keytype);
if (key <= 0) {
- pam_syslog(ph, LOG_ERR, "error: Update credential key for %s",
- currentaddress);
+ pam_syslog(ph, LOG_ERR, "error: Update credential key for %s: %s",
+ currentaddress, strerror(errno));
}
}
--
1.8.4.2

View File

@ -2,8 +2,8 @@
%define pre_release %nil
Name: cifs-utils
Version: 6.3
Release: 3%{pre_release}%{?dist}
Version: 6.4
Release: 1%{pre_release}%{?dist}
Summary: Utilities for mounting and managing CIFS mounts
Group: System Environment/Daemons
@ -18,11 +18,6 @@ Requires(post): /usr/sbin/alternatives
Requires(preun): /usr/sbin/alternatives
Source0: ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/%{name}-%{version}%{pre_release}.tar.bz2
Patch0: 0001-autoconf-allow-PAM-security-install-directory-to-be-.patch
Patch1: 0002-cifs-use-krb5_kt_default-to-determine-default-keytab.patch
Patch2: 0003-cifskey-better-use-snprintf.patch
Patch3: 0004-cifscreds-better-error-handling-when-key_search-fail.patch
Patch4: 0005-cifscreds-better-error-handling-for-key_add.patch
%description
The SMB/CIFS protocol is a standard file sharing protocol widely deployed
@ -57,11 +52,6 @@ provide these credentials to the kernel automatically at login.
%prep
%setup -q -n %{name}-%{version}%{pre_release}
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%build
autoreconf -i
@ -116,6 +106,9 @@ fi
%{_mandir}/man8/pam_cifscreds.8.gz
%changelog
* Mon Aug 04 2014 Sachin Prabhu <sprabhu@redhat.com> - 6.4-1
- update to 6.4 release
* Sat Jun 07 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 6.3-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

View File

@ -1 +1 @@
93697dbc043cb4d5c66e15e281f872e5 cifs-utils-6.3.tar.bz2
b7d75b67fd3987952896d27256c7293d cifs-utils-6.4.tar.bz2