import Oracle_OSS cifs-utils-7.6-2.el9_8
This commit is contained in:
parent
e1e0de1641
commit
da7b0e4e45
@ -1 +1 @@
|
||||
75c4eadf2b789ba0e504b4991f3284e15bf9266a SOURCES/cifs-utils-7.5.tar.bz2
|
||||
8b97d2168a05703176a5cedd9982aa658ef5c47a SOURCES/cifs-utils-7.6.tar.bz2
|
||||
|
||||
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/cifs-utils-7.5.tar.bz2
|
||||
SOURCES/cifs-utils-7.6.tar.bz2
|
||||
|
||||
@ -1,41 +0,0 @@
|
||||
From 927123ede36fab4a68aea6f6a3495ad909430ed1 Mon Sep 17 00:00:00 2001
|
||||
From: Pierguido Lambri <plambri@redhat.com>
|
||||
Date: Fri, 30 Jan 2026 14:11:28 +0000
|
||||
Subject: [PATCH 3/3] cifs.upcall: Adjust log level
|
||||
|
||||
Because now only error message are logged, let's switch some messages
|
||||
from DEBUG to ERROR level.
|
||||
This will help see when an error occurred with cifs.upcall and
|
||||
eventually turn on the debug mode.
|
||||
|
||||
Signed-off-by: Pierguido Lambri <plambri@redhat.com>
|
||||
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
|
||||
---
|
||||
cifs.upcall.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/cifs.upcall.c b/cifs.upcall.c
|
||||
index b57a48c743e4..9d0eecf3aa11 100644
|
||||
--- a/cifs.upcall.c
|
||||
+++ b/cifs.upcall.c
|
||||
@@ -1618,7 +1618,7 @@ int main(const int argc, char *const argv[])
|
||||
__func__);
|
||||
} else {
|
||||
if (!get_tgt_time(ccache)) {
|
||||
- syslog(LOG_DEBUG, "%s: valid TGT is not present in credential cache",
|
||||
+ syslog(LOG_ERR, "%s: valid TGT is not present in credential cache",
|
||||
__func__);
|
||||
krb5_cc_close(context, ccache);
|
||||
ccache = NULL;
|
||||
@@ -1721,7 +1721,7 @@ retry_new_hostname:
|
||||
}
|
||||
|
||||
if (rc) {
|
||||
- syslog(LOG_DEBUG, "Unable to obtain service ticket");
|
||||
+ syslog(LOG_ERR, "Unable to obtain service ticket");
|
||||
goto out;
|
||||
}
|
||||
|
||||
--
|
||||
2.52.0
|
||||
|
||||
@ -1,68 +0,0 @@
|
||||
From 3047b9ccefdcf6327bf060ebf0d40864c5b1a11e Mon Sep 17 00:00:00 2001
|
||||
From: Pierguido Lambri <plambri@redhat.com>
|
||||
Date: Fri, 30 Jan 2026 14:11:26 +0000
|
||||
Subject: [PATCH 1/3] cifs.upcall: add option to enable debug logs
|
||||
|
||||
cifs.upcall uses two levels of logs, DEBUG and ERR.
|
||||
However, when using systemd, these logs will always be recorded.
|
||||
When the system does a lot of upcalls, the journal could be filled
|
||||
with debug logs, which may not be useful at that time.
|
||||
Added then a new option '-d' to enable debug logs only when needed.
|
||||
This will set a logmask up to LOG_DEBUG instead of the default
|
||||
of LOG_ERR, thus reducing the amount of logs when no debug is needed.
|
||||
|
||||
Signed-off-by: Pierguido Lambri <plambri@redhat.com>
|
||||
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
|
||||
---
|
||||
cifs.upcall.c | 13 +++++++++++--
|
||||
1 file changed, 11 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/cifs.upcall.c b/cifs.upcall.c
|
||||
index 69e27a34f637..b57a48c743e4 100644
|
||||
--- a/cifs.upcall.c
|
||||
+++ b/cifs.upcall.c
|
||||
@@ -1356,10 +1356,11 @@ lowercase_string(char *c)
|
||||
|
||||
static void usage(void)
|
||||
{
|
||||
- fprintf(stderr, "Usage: %s [ -K /path/to/keytab] [-k /path/to/krb5.conf] [-E] [-t] [-v] [-l] [-e nsecs] key_serial\n", prog);
|
||||
+ fprintf(stderr, "Usage: %s [ -K /path/to/keytab] [-k /path/to/krb5.conf] [-d] [-E] [-t] [-v] [-l] [-e nsecs] key_serial\n", prog);
|
||||
}
|
||||
|
||||
static const struct option long_options[] = {
|
||||
+ {"debug", 0, NULL, 'd'},
|
||||
{"no-env-probe", 0, NULL, 'E'},
|
||||
{"krb5conf", 1, NULL, 'k'},
|
||||
{"legacy-uid", 0, NULL, 'l'},
|
||||
@@ -1379,6 +1380,7 @@ int main(const int argc, char *const argv[])
|
||||
size_t datalen;
|
||||
long rc = 1;
|
||||
int c;
|
||||
+ int mask;
|
||||
bool try_dns = false, legacy_uid = false , env_probe = true;
|
||||
char *buf;
|
||||
char hostbuf[NI_MAXHOST], *host;
|
||||
@@ -1395,12 +1397,19 @@ int main(const int argc, char *const argv[])
|
||||
hostbuf[0] = '\0';
|
||||
|
||||
openlog(prog, 0, LOG_DAEMON);
|
||||
+ mask = LOG_UPTO(LOG_ERR);
|
||||
+ setlogmask(mask);
|
||||
|
||||
- while ((c = getopt_long(argc, argv, "cEk:K:ltve:", long_options, NULL)) != -1) {
|
||||
+ while ((c = getopt_long(argc, argv, "cdEk:K:ltve:", long_options, NULL)) != -1) {
|
||||
switch (c) {
|
||||
case 'c':
|
||||
/* legacy option -- skip it */
|
||||
break;
|
||||
+ case 'd':
|
||||
+ /* enable debug logs */
|
||||
+ mask = LOG_UPTO(LOG_DEBUG);
|
||||
+ setlogmask(mask);
|
||||
+ break;
|
||||
case 'E':
|
||||
/* skip probing initiating process env */
|
||||
env_probe = false;
|
||||
--
|
||||
2.52.0
|
||||
|
||||
46
SOURCES/cifs.upcall-fix-compiler-warning-with-Wvla.patch
Normal file
46
SOURCES/cifs.upcall-fix-compiler-warning-with-Wvla.patch
Normal file
@ -0,0 +1,46 @@
|
||||
From d2f39a20d68aa55023b63e575f06941721e644c6 Mon Sep 17 00:00:00 2001
|
||||
From: Paulo Alcantara <pc@manguebit.org>
|
||||
Date: Tue, 23 Jun 2026 15:06:20 -0300
|
||||
Subject: [PATCH] cifs.upcall: fix compiler warning with -Wvla
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The length value for @path array in get_uidgid() needs to be evaluated
|
||||
at compile time, so replace strlen() with sizeof() when defining
|
||||
PROC_PID_PATH_MAXLEN and then fix the following warning:
|
||||
|
||||
cifs.upcall.c: In function ‘get_uidgid’:
|
||||
cifs.upcall.c:1400:9: warning: ISO C90 forbids array ‘path’ whose size
|
||||
cannot be evaluated [-Wvla]
|
||||
1400 | char path[PROC_PID_PATH_MAXLEN] = {}, buf[256];
|
||||
| ^~~~
|
||||
|
||||
Fixes: 972c5b5ff95e ("cifs.upcall: remove getpwuid() dependency")
|
||||
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
|
||||
Reviewed-by: David Howells <dhowells@redhat.com>
|
||||
Cc: Enzo Matsumiya <ematsumiya@suse.de>
|
||||
Cc: linux-cifs@vger.kernel.org
|
||||
Signed-off-by: Steve French <stfrench@microsoft.com>
|
||||
---
|
||||
cifs.upcall.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/cifs.upcall.c b/cifs.upcall.c
|
||||
index 01690dfcade1..11dbc6186a74 100644
|
||||
--- a/cifs.upcall.c
|
||||
+++ b/cifs.upcall.c
|
||||
@@ -1375,8 +1375,8 @@ static int ip_to_fqdn(const char *addrstr, char *host, size_t hostlen)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-/* cover worst case/impossible scenarios, + 1 for NUL */
|
||||
-#define PROC_PID_PATH_MAXLEN ((int)strlen("/proc/2147483647/status") + 1)
|
||||
+/* cover worst case/impossible scenarios */
|
||||
+#define PROC_PID_PATH_MAXLEN ((int)sizeof("/proc/2147483647/status"))
|
||||
/* max valid UID/GID is (UINT_MAX - 1) */
|
||||
#define INVALID_UIDGID UINT_MAX
|
||||
|
||||
--
|
||||
2.54.0
|
||||
|
||||
391
SOURCES/cifs.upcall-fix-regression-with-krb5-creduid.patch
Normal file
391
SOURCES/cifs.upcall-fix-regression-with-krb5-creduid.patch
Normal file
@ -0,0 +1,391 @@
|
||||
From e9495963e0d5c26f7d0137829d8dc625130b53cc Mon Sep 17 00:00:00 2001
|
||||
From: Enzo Matsumiya <ematsumiya@suse.de>
|
||||
Date: Mon, 6 Jul 2026 10:55:55 -0300
|
||||
Subject: [PATCH] cifs.upcall: fix regression with krb5 + creduid
|
||||
|
||||
Commit 972c5b5ff95e ("cifs.upcall: remove getpwuid() dependency")
|
||||
introduced a regression when using creduid != uid (e.g.
|
||||
"mount.cifs -o sec=krb5,cruid=X"), so 'uid' local var is replaced
|
||||
with procfs "Uid" value (in the example, the one from mount.cifs).
|
||||
|
||||
That commit ignored the fact that:
|
||||
mount UID can be different from creds UID, and that calling-app
|
||||
process (post-mount) can be different from both
|
||||
|
||||
This patch "reverts" 972c5b5ff95e ("cifs.upcall: remove getpwuid()
|
||||
dependency"); transform the "emergency"-added function get_uidgid()
|
||||
into map_uidgid(), now only used to do NS UID/GID mapping.
|
||||
|
||||
Also add getpwuid() back, but this time called while still on host
|
||||
namespace, so any possible custom NSS module is ran as allowed by
|
||||
sysadmin.
|
||||
|
||||
Any scenario involving unmapped UIDs or GIDs is unsupported; this
|
||||
means that any UID:GID in a child user namespace _must_ map back to
|
||||
a valid and existing host UID:GID.
|
||||
|
||||
Fixes: 972c5b5ff95e ("cifs.upcall: remove getpwuid() dependency")
|
||||
Reported-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
|
||||
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
|
||||
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
|
||||
Signed-off-by: Steve French <stfrench@microsoft.com>
|
||||
---
|
||||
cifs.upcall.c | 279 ++++++++++++++++++++++++++++++++------------------
|
||||
1 file changed, 177 insertions(+), 102 deletions(-)
|
||||
|
||||
diff --git a/cifs.upcall.c b/cifs.upcall.c
|
||||
index 747617790576..42205e66a676 100644
|
||||
--- a/cifs.upcall.c
|
||||
+++ b/cifs.upcall.c
|
||||
@@ -52,6 +52,7 @@
|
||||
#include <arpa/inet.h>
|
||||
#include <ctype.h>
|
||||
#include <grp.h>
|
||||
+#include <pwd.h>
|
||||
#include <stdbool.h>
|
||||
#include <errno.h>
|
||||
#include <sched.h>
|
||||
@@ -1375,118 +1376,170 @@ static int ip_to_fqdn(const char *addrstr, char *host, size_t hostlen)
|
||||
return 0;
|
||||
}
|
||||
|
||||
-/* cover worst case/impossible scenarios */
|
||||
-#define PROC_PID_PATH_MAXLEN ((int)sizeof("/proc/2147483647/status"))
|
||||
-/* max valid UID/GID is (UINT_MAX - 1) */
|
||||
-#define INVALID_UIDGID UINT_MAX
|
||||
+#define ID_MAP_PATH_MAX ((int)sizeof("/proc/2147483647/uid_map"))
|
||||
|
||||
-/*
|
||||
- * get_uidgid - Get @pid's (real) UID and/or GID.
|
||||
- * @pid: process to get UID/GID from
|
||||
- * @uidp: pointer to store @pid's UID (can be NULL)
|
||||
- * @gidp: pointer to store @pid's GID (can be NULL)
|
||||
- *
|
||||
- * Extract "Uid:" and "Gid:" fields from /proc/@pid/status.
|
||||
- * Do so based on whether @uidp or @gidp are NULL.
|
||||
- *
|
||||
- * This function assumes we're on the same namespace as @pid.
|
||||
- *
|
||||
- * Return: 0 on success, -1 otherwise (errno set).
|
||||
- *
|
||||
- * On errors, *@uidp and *@gidp are set to INVALID_UIDGID.
|
||||
- */
|
||||
-static int get_uidgid(pid_t pid, uid_t *uidp, gid_t *gidp)
|
||||
+static int map_id(pid_t pid, const char *map, unsigned int *idp)
|
||||
{
|
||||
- char path[PROC_PID_PATH_MAXLEN] = {}, buf[256];
|
||||
+ unsigned long long ns_start, host_start, range;
|
||||
+ char map_path[ID_MAP_PATH_MAX];
|
||||
+ int map_path_size = sizeof(map_path);
|
||||
+ unsigned int id;
|
||||
FILE *fp = NULL;
|
||||
- int ret;
|
||||
+ int ret = 1;
|
||||
|
||||
- errno = 0;
|
||||
- if (pid < 0 || (!uidp && !gidp)) {
|
||||
- errno = EINVAL;
|
||||
- return -1;
|
||||
- }
|
||||
+ errno = EINVAL;
|
||||
+ if (pid < 0 || !map || !idp || *idp == UINT_MAX)
|
||||
+ goto out;
|
||||
|
||||
- if (uidp)
|
||||
- *uidp = INVALID_UIDGID;
|
||||
-
|
||||
- if (gidp)
|
||||
- *gidp = INVALID_UIDGID;
|
||||
-
|
||||
- ret = snprintf(path, PROC_PID_PATH_MAXLEN, "/proc/%d/status", pid);
|
||||
- if (ret < 0 || ret >= PROC_PID_PATH_MAXLEN) {
|
||||
- if (!errno)
|
||||
+ ret = snprintf(map_path, map_path_size, "/proc/%d/%s", pid, map);
|
||||
+ if (ret < 0 || ret >= map_path_size) {
|
||||
+ if (ret >= map_path_size)
|
||||
errno = ENAMETOOLONG;
|
||||
- return -1;
|
||||
+ ret = 1;
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
- fp = fopen(path, "r");
|
||||
- if (!fp) {
|
||||
- ret = -1;
|
||||
+ ret = 1;
|
||||
+ fp = fopen(map_path, "r");
|
||||
+ if (!fp)
|
||||
goto out;
|
||||
- }
|
||||
|
||||
- /* Parse /proc/pid/status fields */
|
||||
- errno = 0;
|
||||
- ret = -1;
|
||||
- while (fgets(buf, 256, fp)) {
|
||||
- unsigned long long val;
|
||||
+ /*
|
||||
+ * The map files have the same format:
|
||||
+ * <NS ID start> <host ID start> <range>
|
||||
+ * ... (<multiple entries are supported) ...
|
||||
+ *
|
||||
+ * Formula and validation:
|
||||
+ * <final NS ID> = (*@idp - <host ID start>) + <NS ID start>
|
||||
+ *
|
||||
+ * - IDs: [0, UINT_MAX - 1]
|
||||
+ * - range: [1, UINT_MAX], where range == UINT_MAX requires both ID ranges to start at 0,
|
||||
+ * which then means this is an init host NS mapping (and that's ok)
|
||||
+ *
|
||||
+ * The formula itself would be enough to "validate" a matching NS ID, but we don't want to
|
||||
+ * keep parsing a malformed map file, no matter how unlikely/impossible it is to happen.
|
||||
+ * Same reason values are parsed as 'unsigned long long', so we can check for bogus data.
|
||||
+ */
|
||||
+ id = UINT_MAX;
|
||||
+ errno = ENODATA;
|
||||
+ while (fscanf(fp, "%llu %llu %llu", &ns_start, &host_start, &range) == 3) {
|
||||
+ if (ns_start >= UINT_MAX || host_start >= UINT_MAX ||
|
||||
+ range > UINT_MAX || range == 0) {
|
||||
+ errno = EINVAL;
|
||||
+ ret = 1;
|
||||
+ break;
|
||||
+ }
|
||||
|
||||
- errno = ENODATA;
|
||||
- if ((!uidp || strncmp(buf, "Uid:", 4)) && (!gidp || strncmp(buf, "Gid:", 4)))
|
||||
- continue;
|
||||
+ if (range == UINT_MAX && (ns_start != 0 || host_start != 0)) {
|
||||
+ errno = EINVAL;
|
||||
+ ret = 1;
|
||||
+ break;
|
||||
+ }
|
||||
|
||||
- errno = 0;
|
||||
+ if (host_start + range > UINT_MAX || ns_start + range > UINT_MAX) {
|
||||
+ errno = EINVAL;
|
||||
+ ret = 1;
|
||||
+ break;
|
||||
+ }
|
||||
|
||||
/*
|
||||
- * Example line format (same for both Uid/Gid):
|
||||
- * "Uid:\t%u\t%u\%u\%u"
|
||||
+ * Check if host ID fits this line.
|
||||
+ * Our desired NS ID may be in any line of the file.
|
||||
*
|
||||
- * Where the numbers represents:
|
||||
- * <real> <effective> <saved> <fsuid>
|
||||
+ * Note: new{uid,gid}map tools (that creates the map files) don't allow multiple
|
||||
+ * maps (NS IDs) to the same host ID.
|
||||
*
|
||||
- * We're only interested in the <real> value.
|
||||
+ * If we get a match here, we'll save it, but we continue parsing the file.
|
||||
+ * If we happen to find a duplicate, it's possible this is a rogue file trying to
|
||||
+ * bypass these checks.
|
||||
*
|
||||
- * (field names "Uid:"/"Gid:" parsed above, skip it)
|
||||
+ * In such cases, discard the match and return EOPNOTSUPP, as returning a
|
||||
+ * successful match could lead to disastrous results.
|
||||
*/
|
||||
- ret = sscanf(&buf[0] + 4, "%llu", &val);
|
||||
- if (ret != 1) {
|
||||
- ret = -1;
|
||||
- if (errno)
|
||||
+ if (*idp >= host_start && *idp < host_start + range) {
|
||||
+ /* This means we found a duplicate */
|
||||
+ if (!ret) {
|
||||
+ ret = 1;
|
||||
+ errno = EOPNOTSUPP;
|
||||
+ syslog(LOG_ERR, "%s has multiple mapped IDs for %u (unsupported)",
|
||||
+ map, *idp);
|
||||
break;
|
||||
- continue;
|
||||
- }
|
||||
+ }
|
||||
|
||||
- ret = -1;
|
||||
- if (val >= UINT_MAX) {
|
||||
- errno = EINVAL;
|
||||
- break;
|
||||
- }
|
||||
-
|
||||
- if (uidp && !strncmp(buf, "Uid:", 4))
|
||||
- *uidp = (uid_t)val;
|
||||
- else
|
||||
- *gidp = (gid_t)val;
|
||||
-
|
||||
- if ((!uidp || *uidp != INVALID_UIDGID) && (!gidp || *gidp != INVALID_UIDGID)) {
|
||||
- errno = 0;
|
||||
+ id = (*idp - host_start) + ns_start;
|
||||
ret = 0;
|
||||
- break;
|
||||
+ errno = 0;
|
||||
}
|
||||
}
|
||||
+
|
||||
+ /* This means errno was reset by fscanf() without finding anything */
|
||||
+ if (ret && errno == 0)
|
||||
+ errno = ENODATA;
|
||||
out:
|
||||
- if (fp)
|
||||
+ if (fp) {
|
||||
+ int err = errno;
|
||||
+
|
||||
fclose(fp);
|
||||
+ /* Ignore fclose() errors */
|
||||
+ errno = err;
|
||||
+ }
|
||||
|
||||
+ if (!ret) {
|
||||
+ *idp = id;
|
||||
+ errno = 0;
|
||||
+ } else {
|
||||
+ syslog(LOG_DEBUG, "%s(pid=%d, map=%s, id=%u): %s", __func__, pid, map, *idp,
|
||||
+ strerror(errno));
|
||||
+ }
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * map_uidgid() - Map (real) UID/GID from init host NS to user NS.
|
||||
+ * @pid: host NS PID
|
||||
+ * @uidp: (in) host UID, (out) NS UID
|
||||
+ * @gidp: (in) host GID, (out) NS GID
|
||||
+ *
|
||||
+ * Parse /proc/@pid/{uid,gid}_map files to get NS UID/GID values.
|
||||
+ * Since @pid is expected to be a host NS PID, this must be called before switching namespaces.
|
||||
+ *
|
||||
+ * Note: we can't use /proc/self here because we haven't switched NS yet, so {uid,gid}_map files
|
||||
+ * would contain host NS values.
|
||||
+ *
|
||||
+ * Return: 0 on success, 1 otherwise (errno set).
|
||||
+ */
|
||||
+static int map_uidgid(pid_t pid, uid_t *uidp, gid_t *gidp)
|
||||
+{
|
||||
+ uid_t orig_uid;
|
||||
+ gid_t orig_gid;
|
||||
+ int ret = 1;
|
||||
+
|
||||
+ errno = EINVAL;
|
||||
+ if (!uidp || !gidp)
|
||||
+ goto out;
|
||||
+
|
||||
+ orig_uid = *uidp;
|
||||
+ orig_gid = *gidp;
|
||||
+
|
||||
+ ret = map_id(pid, "uid_map", uidp);
|
||||
if (ret) {
|
||||
- syslog(LOG_DEBUG, "%s(pid=%d): %s", __func__, pid, strerror(errno));
|
||||
- if (uidp)
|
||||
- *uidp = INVALID_UIDGID;
|
||||
-
|
||||
- if (gidp)
|
||||
- *gidp = INVALID_UIDGID;
|
||||
+ if (errno == ENODATA)
|
||||
+ syslog(LOG_ERR, "UID %u not mapped in this namespace (unsupported)",
|
||||
+ orig_uid);
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
+ ret = map_id(pid, "gid_map", gidp);
|
||||
+ if (ret && errno == ENODATA)
|
||||
+ syslog(LOG_ERR, "GID %u not mapped in this namespace (unsupported)",
|
||||
+ orig_gid);
|
||||
+out:
|
||||
+ if (ret && errno != ENODATA)
|
||||
+ syslog(LOG_ERR, "%s: %s", __func__, strerror(errno));
|
||||
+ else if (!ret)
|
||||
+ syslog(LOG_DEBUG, "host %u:%u -> NS %u:%u", orig_uid, orig_gid, *uidp, *gidp);
|
||||
+
|
||||
return ret;
|
||||
}
|
||||
|
||||
@@ -1534,6 +1587,7 @@ int main(const int argc, char *const argv[])
|
||||
const char *oid;
|
||||
uid_t uid;
|
||||
gid_t gid;
|
||||
+ struct passwd *pw;
|
||||
char *keytab_name = NULL;
|
||||
char *env_cachename = NULL;
|
||||
krb5_ccache ccache = NULL;
|
||||
@@ -1680,12 +1734,52 @@ int main(const int argc, char *const argv[])
|
||||
goto out;
|
||||
}
|
||||
|
||||
+ /*
|
||||
+ * 'uid' always points to a host UID, so we must get the corresponding host GID.
|
||||
+ * It's safe to call getpwuid() here because we're still on host NS, i.e. caller
|
||||
+ * application has no control over custom NSS modules.
|
||||
+ *
|
||||
+ * FIXME: if UID is from another NS, or a subuid, this will fail on mount.
|
||||
+ */
|
||||
+ errno = 0;
|
||||
+ pw = getpwuid(uid);
|
||||
+ if (!pw) {
|
||||
+ syslog(LOG_ERR, "failed to retrieve GID from UID %u: %s", uid,
|
||||
+ strerror(errno ? errno : ENOENT));
|
||||
+ rc = 1;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ gid = pw->pw_gid;
|
||||
+
|
||||
+ /*
|
||||
+ * We can't reasonably do this for root. When mounting a DFS share,
|
||||
+ * for instance we can end up with creds being overridden, but the env
|
||||
+ * variable left intact.
|
||||
+ *
|
||||
+ * Always check this before NS UID mapping.
|
||||
+ */
|
||||
+ if (uid == 0)
|
||||
+ env_probe = false;
|
||||
+
|
||||
/*
|
||||
* Change to the process's namespace. This means that things will work
|
||||
* acceptably in containers, because we'll be looking at the correct
|
||||
* filesystem and have the correct network configuration.
|
||||
*/
|
||||
if (arg->upcall_target == UPTARGET_APP || arg->upcall_target == UPTARGET_UNSPECIFIED) {
|
||||
+ /*
|
||||
+ * Map host 'uid' and 'gid' to the target user NS.
|
||||
+ *
|
||||
+ * Any scenario that involves unmapped UIDs or primary GIDs is not supported -- we
|
||||
+ * don't have, and can't find, all the info that would be necessary to find a
|
||||
+ * UID/GID within all the possible NS combinations.
|
||||
+ */
|
||||
+ if (!in_same_user_ns(arg->pid, getpid())) {
|
||||
+ rc = map_uidgid(arg->pid, &uid, &gid);
|
||||
+ if (rc)
|
||||
+ goto out;
|
||||
+ }
|
||||
syslog(LOG_INFO, "upcall_target=app, switching namespaces to application thread");
|
||||
arg->upcall_target = UPTARGET_APP;
|
||||
rc = switch_to_process_ns(arg->pid);
|
||||
@@ -1700,25 +1794,6 @@ int main(const int argc, char *const argv[])
|
||||
syslog(LOG_INFO, "upcall_target=mount, not switching namespaces to application thread");
|
||||
}
|
||||
|
||||
- /*
|
||||
- * We can't reasonably do this for root. When mounting a DFS share,
|
||||
- * for instance we can end up with creds being overridden, but the env
|
||||
- * variable left intact.
|
||||
- */
|
||||
- if (uid == 0)
|
||||
- env_probe = false;
|
||||
-
|
||||
- /*
|
||||
- * FIXME: this only works if we haven't switched PID namespaces.
|
||||
- * If we did, /proc/arg->pid/ might not exist, or worse, point to something else.
|
||||
- */
|
||||
- rc = get_uidgid(arg->pid, &uid, &gid);
|
||||
- if (rc) {
|
||||
- syslog(LOG_ERR, "get_uidgid (NS): %s", strerror(errno));
|
||||
- rc = 1;
|
||||
- goto out;
|
||||
- }
|
||||
-
|
||||
rc = setgid(gid);
|
||||
if (rc) {
|
||||
syslog(LOG_ERR, "setgid: %s", strerror(errno));
|
||||
--
|
||||
2.55.0
|
||||
|
||||
@ -1,41 +0,0 @@
|
||||
From 224512b9e62c886fd8d9802bc50a7702c4fe4517 Mon Sep 17 00:00:00 2001
|
||||
From: Pierguido Lambri <plambri@redhat.com>
|
||||
Date: Fri, 30 Jan 2026 14:11:27 +0000
|
||||
Subject: [PATCH 2/3] docs: Enable debug logs
|
||||
|
||||
Documented a new option '-d' to enable debug logs.
|
||||
By default only error logs are enabled, with this new option
|
||||
debug logs can be enabled when needed.
|
||||
|
||||
Signed-off-by: Pierguido Lambri <plambri@redhat.com>
|
||||
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
|
||||
---
|
||||
cifs.upcall.rst.in | 5 ++++-
|
||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/cifs.upcall.rst.in b/cifs.upcall.rst.in
|
||||
index 09d0503591d6..895efc53ef50 100644
|
||||
--- a/cifs.upcall.rst.in
|
||||
+++ b/cifs.upcall.rst.in
|
||||
@@ -11,7 +11,7 @@ Userspace upcall helper for Common Internet File System (CIFS)
|
||||
SYNOPSIS
|
||||
********
|
||||
|
||||
- cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l]
|
||||
+ cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l] [--debug|-d]
|
||||
[--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf]
|
||||
[--keytab=/path/to/keytab|-K /path/to/keytab] [--expire|-e nsecs] {keyid}
|
||||
|
||||
@@ -38,6 +38,9 @@ OPTIONS
|
||||
-c
|
||||
This option is deprecated and is currently ignored.
|
||||
|
||||
+--debug|-d
|
||||
+ Enable debug logs. By default no debug messages are logged, only errors.
|
||||
+
|
||||
--no-env-probe|-E
|
||||
Normally, ``cifs.upcall`` will probe the environment variable space of
|
||||
the process that initiated the upcall in order to fetch the value of
|
||||
--
|
||||
2.52.0
|
||||
|
||||
@ -1,8 +1,8 @@
|
||||
## START: Set by rpmautospec
|
||||
## (rpmautospec version 0.6.5)
|
||||
## (rpmautospec version 0.8.4)
|
||||
## RPMAUTOSPEC: autorelease, autochangelog
|
||||
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
|
||||
release_number = 1;
|
||||
release_number = 2;
|
||||
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
|
||||
print(release_number + base_release_number - 1);
|
||||
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
|
||||
@ -14,7 +14,7 @@
|
||||
%global bash_completion_dir %(pkg-config --variable=completionsdir bash-completion || echo /etc/bash_completion.d)
|
||||
|
||||
Name: cifs-utils
|
||||
Version: 7.5
|
||||
Version: 7.6
|
||||
Release: %autorelease
|
||||
Summary: Utilities for mounting and managing CIFS mounts
|
||||
|
||||
@ -34,9 +34,8 @@ Recommends: %{name}-info%{?_isa} = %{version}-%{release}
|
||||
|
||||
Source0: https://download.samba.org/pub/linux-cifs/cifs-utils/%{name}-%{version}.tar.bz2
|
||||
|
||||
Patch0: cifs.upcall-add-option-to-enable-debug-logs.patch
|
||||
Patch1: docs-Enable-debug-logs.patch
|
||||
Patch2: cifs.upcall-Adjust-log-level.patch
|
||||
Patch0: cifs.upcall-fix-compiler-warning-with-Wvla.patch
|
||||
Patch1: cifs.upcall-fix-regression-with-krb5-creduid.patch
|
||||
|
||||
%description
|
||||
The SMB/CIFS protocol is a standard file sharing protocol widely deployed
|
||||
@ -144,11 +143,18 @@ about CIFS mount.
|
||||
|
||||
%changelog
|
||||
## START: Generated by rpmautospec
|
||||
* Wed Feb 04 2026 Paulo Alcantara <paalcant@redhat.com> - 7.5-1
|
||||
- resolves: RHEL-146305 - Enable debug logs in cifs.upcall
|
||||
* Tue Jul 07 2026 Paulo Alcantara <paalcant@redhat.com> - 7.6-2
|
||||
- resolves: RHEL-192982 - fix krb5 mount regression
|
||||
|
||||
* Wed Jun 24 2026 Paulo Alcantara <paalcant@redhat.com> - 7.6-1
|
||||
- Update to version 7.6
|
||||
- resolves: RHEL-185761 - CVE-2026-12505 cifs-utils: LPE via cifs.spnego
|
||||
|
||||
* Tue Feb 03 2026 Paulo Alcantara <paalcant@redhat.com> - 7.5-1
|
||||
- resolves: RHEL-127499 - Enable debug logs in cifs.upcall
|
||||
|
||||
* Wed Nov 26 2025 Paulo Alcantara <paalcant@redhat.com> - 7.4-1
|
||||
- resolves: RHEL-131406 - fix regression with cifscreds(1)
|
||||
- resolves: RHEL-110765 - fix regression with cifscreds(1)
|
||||
|
||||
* Fri Mar 07 2025 Paulo Alcantara <paalcant@redhat.com> - 7.2-1
|
||||
- resolves: RHEL-82680 - Update to version 7.2
|
||||
|
||||
Loading…
Reference in New Issue
Block a user