Compare commits

..

1 Commits
c8 ... c10-beta

Author SHA1 Message Date
AlmaLinux RelEng Bot
12e32295cd import CS cifs-utils-7.5-1.el10 2026-04-14 05:59:46 -04:00
14 changed files with 302 additions and 961 deletions

View File

@ -1 +0,0 @@
9df055a73d89ed3d536828d0cea304c9e04139d4 SOURCES/cifs-utils-7.0.tar.bz2

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/cifs-utils-7.0.tar.bz2
cifs-utils-7.5.tar.bz2

View File

@ -1,55 +0,0 @@
From 17162396d9ace9396c27826f1c62719186e29ae9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Fri, 20 Jan 2023 20:53:44 +0100
Subject: [PATCH] Use explicit #!/usr/bin/python3
---
checkopts | 2 +-
smb2-quota | 2 +-
smb2-secdesc | 2 +-
smbinfo | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/checkopts b/checkopts
index 88e70b1..00c4cfd 100755
--- a/checkopts
+++ b/checkopts
@@ -1,4 +1,4 @@
-#!/usr/bin/env python3
+#!/usr/bin/python3
#
# Script to check for inconsistencies between documented mount options
# and implemented kernel options.
diff --git a/smb2-quota b/smb2-quota
index 6d0b8a3..49207c7 100755
--- a/smb2-quota
+++ b/smb2-quota
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/python3
# coding: utf-8
#
# smb2-quota is a cmdline tool to display quota information for the
diff --git a/smb2-secdesc b/smb2-secdesc
index 5886091..534dd92 100755
--- a/smb2-secdesc
+++ b/smb2-secdesc
@@ -1,4 +1,4 @@
-#!/usr/bin/env python
+#!/usr/bin/python3
# coding: utf-8
import array
diff --git a/smbinfo b/smbinfo
index 73c5bb3..766024e 100755
--- a/smbinfo
+++ b/smbinfo
@@ -1,4 +1,4 @@
-#!/usr/bin/env python3
+#!/usr/bin/python3
# -*- coding: utf-8 -*-
#
# smbinfo is a cmdline tool to query SMB-specific file and fs
--
2.38.1

View File

@ -1,46 +0,0 @@
From d2f39a20d68aa55023b63e575f06941721e644c6 Mon Sep 17 00:00:00 2001
From: Paulo Alcantara <pc@manguebit.org>
Date: Tue, 23 Jun 2026 15:06:20 -0300
Subject: [PATCH] cifs.upcall: fix compiler warning with -Wvla
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The length value for @path array in get_uidgid() needs to be evaluated
at compile time, so replace strlen() with sizeof() when defining
PROC_PID_PATH_MAXLEN and then fix the following warning:
cifs.upcall.c: In function get_uidgid:
cifs.upcall.c:1400:9: warning: ISO C90 forbids array path whose size
cannot be evaluated [-Wvla]
1400 | char path[PROC_PID_PATH_MAXLEN] = {}, buf[256];
| ^~~~
Fixes: 972c5b5ff95e ("cifs.upcall: remove getpwuid() dependency")
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Reviewed-by: David Howells <dhowells@redhat.com>
Cc: Enzo Matsumiya <ematsumiya@suse.de>
Cc: linux-cifs@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
---
cifs.upcall.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cifs.upcall.c b/cifs.upcall.c
index 01690dfcade1..11dbc6186a74 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -1375,8 +1375,8 @@ static int ip_to_fqdn(const char *addrstr, char *host, size_t hostlen)
return 0;
}
-/* cover worst case/impossible scenarios, + 1 for NUL */
-#define PROC_PID_PATH_MAXLEN ((int)strlen("/proc/2147483647/status") + 1)
+/* cover worst case/impossible scenarios */
+#define PROC_PID_PATH_MAXLEN ((int)sizeof("/proc/2147483647/status"))
/* max valid UID/GID is (UINT_MAX - 1) */
#define INVALID_UIDGID UINT_MAX
--
2.54.0

View File

@ -1,383 +0,0 @@
From e9495963e0d5c26f7d0137829d8dc625130b53cc Mon Sep 17 00:00:00 2001
From: Enzo Matsumiya <ematsumiya@suse.de>
Date: Mon, 6 Jul 2026 10:55:55 -0300
Subject: [PATCH] cifs.upcall: fix regression with krb5 + creduid
Commit 972c5b5ff95e ("cifs.upcall: remove getpwuid() dependency")
introduced a regression when using creduid != uid (e.g.
"mount.cifs -o sec=krb5,cruid=X"), so 'uid' local var is replaced
with procfs "Uid" value (in the example, the one from mount.cifs).
That commit ignored the fact that:
mount UID can be different from creds UID, and that calling-app
process (post-mount) can be different from both
This patch "reverts" 972c5b5ff95e ("cifs.upcall: remove getpwuid()
dependency"); transform the "emergency"-added function get_uidgid()
into map_uidgid(), now only used to do NS UID/GID mapping.
Also add getpwuid() back, but this time called while still on host
namespace, so any possible custom NSS module is ran as allowed by
sysadmin.
Any scenario involving unmapped UIDs or GIDs is unsupported; this
means that any UID:GID in a child user namespace _must_ map back to
a valid and existing host UID:GID.
Fixes: 972c5b5ff95e ("cifs.upcall: remove getpwuid() dependency")
Reported-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
cifs.upcall.c | 279 ++++++++++++++++++++++++++++++++------------------
1 file changed, 177 insertions(+), 102 deletions(-)
Index: cifs-utils-7.0/cifs.upcall.c
===================================================================
--- cifs-utils-7.0.orig/cifs.upcall.c
+++ cifs-utils-7.0/cifs.upcall.c
@@ -52,6 +52,7 @@
#include <arpa/inet.h>
#include <ctype.h>
#include <grp.h>
+#include <pwd.h>
#include <stdbool.h>
#include <errno.h>
#include <sched.h>
@@ -1264,118 +1265,170 @@ static int ip_to_fqdn(const char *addrst
return 0;
}
-/* cover worst case/impossible scenarios */
-#define PROC_PID_PATH_MAXLEN ((int)sizeof("/proc/2147483647/status"))
-/* max valid UID/GID is (UINT_MAX - 1) */
-#define INVALID_UIDGID UINT_MAX
+#define ID_MAP_PATH_MAX ((int)sizeof("/proc/2147483647/uid_map"))
-/*
- * get_uidgid - Get @pid's (real) UID and/or GID.
- * @pid: process to get UID/GID from
- * @uidp: pointer to store @pid's UID (can be NULL)
- * @gidp: pointer to store @pid's GID (can be NULL)
- *
- * Extract "Uid:" and "Gid:" fields from /proc/@pid/status.
- * Do so based on whether @uidp or @gidp are NULL.
- *
- * This function assumes we're on the same namespace as @pid.
- *
- * Return: 0 on success, -1 otherwise (errno set).
- *
- * On errors, *@uidp and *@gidp are set to INVALID_UIDGID.
- */
-static int get_uidgid(pid_t pid, uid_t *uidp, gid_t *gidp)
+static int map_id(pid_t pid, const char *map, unsigned int *idp)
{
- char path[PROC_PID_PATH_MAXLEN] = {}, buf[256];
+ unsigned long long ns_start, host_start, range;
+ char map_path[ID_MAP_PATH_MAX];
+ int map_path_size = sizeof(map_path);
+ unsigned int id;
FILE *fp = NULL;
- int ret;
+ int ret = 1;
- errno = 0;
- if (pid < 0 || (!uidp && !gidp)) {
- errno = EINVAL;
- return -1;
- }
-
- if (uidp)
- *uidp = INVALID_UIDGID;
-
- if (gidp)
- *gidp = INVALID_UIDGID;
+ errno = EINVAL;
+ if (pid < 0 || !map || !idp || *idp == UINT_MAX)
+ goto out;
- ret = snprintf(path, PROC_PID_PATH_MAXLEN, "/proc/%d/status", pid);
- if (ret < 0 || ret >= PROC_PID_PATH_MAXLEN) {
- if (!errno)
+ ret = snprintf(map_path, map_path_size, "/proc/%d/%s", pid, map);
+ if (ret < 0 || ret >= map_path_size) {
+ if (ret >= map_path_size)
errno = ENAMETOOLONG;
- return -1;
+ ret = 1;
+ goto out;
}
- fp = fopen(path, "r");
- if (!fp) {
- ret = -1;
+ ret = 1;
+ fp = fopen(map_path, "r");
+ if (!fp)
goto out;
- }
- /* Parse /proc/pid/status fields */
- errno = 0;
- ret = -1;
- while (fgets(buf, 256, fp)) {
- unsigned long long val;
+ /*
+ * The map files have the same format:
+ * <NS ID start> <host ID start> <range>
+ * ... (<multiple entries are supported) ...
+ *
+ * Formula and validation:
+ * <final NS ID> = (*@idp - <host ID start>) + <NS ID start>
+ *
+ * - IDs: [0, UINT_MAX - 1]
+ * - range: [1, UINT_MAX], where range == UINT_MAX requires both ID ranges to start at 0,
+ * which then means this is an init host NS mapping (and that's ok)
+ *
+ * The formula itself would be enough to "validate" a matching NS ID, but we don't want to
+ * keep parsing a malformed map file, no matter how unlikely/impossible it is to happen.
+ * Same reason values are parsed as 'unsigned long long', so we can check for bogus data.
+ */
+ id = UINT_MAX;
+ errno = ENODATA;
+ while (fscanf(fp, "%llu %llu %llu", &ns_start, &host_start, &range) == 3) {
+ if (ns_start >= UINT_MAX || host_start >= UINT_MAX ||
+ range > UINT_MAX || range == 0) {
+ errno = EINVAL;
+ ret = 1;
+ break;
+ }
- errno = ENODATA;
- if ((!uidp || strncmp(buf, "Uid:", 4)) && (!gidp || strncmp(buf, "Gid:", 4)))
- continue;
+ if (range == UINT_MAX && (ns_start != 0 || host_start != 0)) {
+ errno = EINVAL;
+ ret = 1;
+ break;
+ }
- errno = 0;
+ if (host_start + range > UINT_MAX || ns_start + range > UINT_MAX) {
+ errno = EINVAL;
+ ret = 1;
+ break;
+ }
/*
- * Example line format (same for both Uid/Gid):
- * "Uid:\t%u\t%u\%u\%u"
+ * Check if host ID fits this line.
+ * Our desired NS ID may be in any line of the file.
*
- * Where the numbers represents:
- * <real> <effective> <saved> <fsuid>
+ * Note: new{uid,gid}map tools (that creates the map files) don't allow multiple
+ * maps (NS IDs) to the same host ID.
*
- * We're only interested in the <real> value.
+ * If we get a match here, we'll save it, but we continue parsing the file.
+ * If we happen to find a duplicate, it's possible this is a rogue file trying to
+ * bypass these checks.
*
- * (field names "Uid:"/"Gid:" parsed above, skip it)
+ * In such cases, discard the match and return EOPNOTSUPP, as returning a
+ * successful match could lead to disastrous results.
*/
- ret = sscanf(&buf[0] + 4, "%llu", &val);
- if (ret != 1) {
- ret = -1;
- if (errno)
+ if (*idp >= host_start && *idp < host_start + range) {
+ /* This means we found a duplicate */
+ if (!ret) {
+ ret = 1;
+ errno = EOPNOTSUPP;
+ syslog(LOG_ERR, "%s has multiple mapped IDs for %u (unsupported)",
+ map, *idp);
break;
- continue;
- }
-
- ret = -1;
- if (val >= UINT_MAX) {
- errno = EINVAL;
- break;
- }
-
- if (uidp && !strncmp(buf, "Uid:", 4))
- *uidp = (uid_t)val;
- else
- *gidp = (gid_t)val;
+ }
- if ((!uidp || *uidp != INVALID_UIDGID) && (!gidp || *gidp != INVALID_UIDGID)) {
- errno = 0;
+ id = (*idp - host_start) + ns_start;
ret = 0;
- break;
+ errno = 0;
}
}
+
+ /* This means errno was reset by fscanf() without finding anything */
+ if (ret && errno == 0)
+ errno = ENODATA;
out:
- if (fp)
+ if (fp) {
+ int err = errno;
+
fclose(fp);
+ /* Ignore fclose() errors */
+ errno = err;
+ }
- if (ret) {
- syslog(LOG_DEBUG, "%s(pid=%d): %s", __func__, pid, strerror(errno));
- if (uidp)
- *uidp = INVALID_UIDGID;
+ if (!ret) {
+ *idp = id;
+ errno = 0;
+ } else {
+ syslog(LOG_DEBUG, "%s(pid=%d, map=%s, id=%u): %s", __func__, pid, map, *idp,
+ strerror(errno));
+ }
+
+ return ret;
+}
+
+/*
+ * map_uidgid() - Map (real) UID/GID from init host NS to user NS.
+ * @pid: host NS PID
+ * @uidp: (in) host UID, (out) NS UID
+ * @gidp: (in) host GID, (out) NS GID
+ *
+ * Parse /proc/@pid/{uid,gid}_map files to get NS UID/GID values.
+ * Since @pid is expected to be a host NS PID, this must be called before switching namespaces.
+ *
+ * Note: we can't use /proc/self here because we haven't switched NS yet, so {uid,gid}_map files
+ * would contain host NS values.
+ *
+ * Return: 0 on success, 1 otherwise (errno set).
+ */
+static int map_uidgid(pid_t pid, uid_t *uidp, gid_t *gidp)
+{
+ uid_t orig_uid;
+ gid_t orig_gid;
+ int ret = 1;
+
+ errno = EINVAL;
+ if (!uidp || !gidp)
+ goto out;
+
+ orig_uid = *uidp;
+ orig_gid = *gidp;
- if (gidp)
- *gidp = INVALID_UIDGID;
+ ret = map_id(pid, "uid_map", uidp);
+ if (ret) {
+ if (errno == ENODATA)
+ syslog(LOG_ERR, "UID %u not mapped in this namespace (unsupported)",
+ orig_uid);
+ goto out;
}
+ ret = map_id(pid, "gid_map", gidp);
+ if (ret && errno == ENODATA)
+ syslog(LOG_ERR, "GID %u not mapped in this namespace (unsupported)",
+ orig_gid);
+out:
+ if (ret && errno != ENODATA)
+ syslog(LOG_ERR, "%s: %s", __func__, strerror(errno));
+ else if (!ret)
+ syslog(LOG_DEBUG, "host %u:%u -> NS %u:%u", orig_uid, orig_gid, *uidp, *gidp);
+
return ret;
}
@@ -1421,6 +1474,7 @@ int main(const int argc, char *const arg
const char *oid;
uid_t uid;
gid_t gid;
+ struct passwd *pw;
char *keytab_name = NULL;
char *env_cachename = NULL;
krb5_ccache ccache = NULL;
@@ -1561,39 +1615,60 @@ int main(const int argc, char *const arg
}
/*
- * Change to the process's namespace. This means that things will work
- * acceptably in containers, because we'll be looking at the correct
- * filesystem and have the correct network configuration.
+ * 'uid' always points to a host UID, so we must get the corresponding host GID.
+ * It's safe to call getpwuid() here because we're still on host NS, i.e. caller
+ * application has no control over custom NSS modules.
+ *
+ * FIXME: if UID is from another NS, or a subuid, this will fail on mount.
*/
- rc = switch_to_process_ns(arg->pid);
- if (rc == -1) {
- syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno));
+ errno = 0;
+ pw = getpwuid(uid);
+ if (!pw) {
+ syslog(LOG_ERR, "failed to retrieve GID from UID %u: %s", uid,
+ strerror(errno ? errno : ENOENT));
rc = 1;
goto out;
}
- if (trim_capabilities(env_probe))
- goto out;
+ gid = pw->pw_gid;
/*
* We can't reasonably do this for root. When mounting a DFS share,
* for instance we can end up with creds being overridden, but the env
* variable left intact.
+ *
+ * Always check this before NS UID mapping.
*/
if (uid == 0)
env_probe = false;
/*
- * FIXME: this only works if we haven't switched PID namespaces.
- * If we did, /proc/arg->pid/ might not exist, or worse, point to something else.
+ * Map host 'uid' and 'gid' to the target user NS.
+ *
+ * Any scenario that involves unmapped UIDs or primary GIDs is not supported -- we
+ * don't have, and can't find, all the info that would be necessary to find a
+ * UID/GID within all the possible NS combinations.
*/
- rc = get_uidgid(arg->pid, &uid, &gid);
- if (rc) {
- syslog(LOG_ERR, "get_uidgid (NS): %s", strerror(errno));
+ if (!in_same_user_ns(arg->pid, getpid())) {
+ rc = map_uidgid(arg->pid, &uid, &gid);
+ if (rc)
+ goto out;
+ }
+ /*
+ * Change to the process's namespace. This means that things will work
+ * acceptably in containers, because we'll be looking at the correct
+ * filesystem and have the correct network configuration.
+ */
+ rc = switch_to_process_ns(arg->pid);
+ if (rc == -1) {
+ syslog(LOG_ERR, "unable to switch to process namespace: %s", strerror(errno));
rc = 1;
goto out;
}
+ if (trim_capabilities(env_probe))
+ goto out;
+
rc = setgid(gid);
if (rc) {
syslog(LOG_ERR, "setgid: %s", strerror(errno));

View File

@ -1,251 +0,0 @@
From 972c5b5ff95e3e812bc8daa72d0383654ab0dba7 Mon Sep 17 00:00:00 2001
From: Enzo Matsumiya <ematsumiya@suse.de>
Date: Mon, 15 Jun 2026 14:25:22 -0300
Subject: [PATCH] cifs.upcall: remove getpwuid() dependency
This patch removes getpwuid() and resort to getting UID/GID from
/proc/pid/status
Changes:
- add get_uidgid() helper
- drop supplementary groups (i.e. move setgroups(0, NULL)) before even
decoding spnego key -- those are never needed in any case
Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
Reported-by: Shaomin Chen <eeesssooo020@gmail.com>
Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Acked-by: Pavel Shilovskiy <pshilovskiy@microsoft.com>
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
---
cifs.upcall.c | 180 ++++++++++++++++++++++++++++++++++++++++----------
1 file changed, 145 insertions(+), 35 deletions(-)
diff --git a/cifs.upcall.c b/cifs.upcall.c
index 52c03280dbe0..ae3294dd61f0 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -51,7 +51,6 @@
#include <netdb.h>
#include <arpa/inet.h>
#include <ctype.h>
-#include <pwd.h>
#include <grp.h>
#include <stdbool.h>
#include <errno.h>
@@ -1265,6 +1264,121 @@ static int ip_to_fqdn(const char *addrstr, char *host, size_t hostlen)
return 0;
}
+/* cover worst case/impossible scenarios, + 1 for NUL */
+#define PROC_PID_PATH_MAXLEN ((int)strlen("/proc/2147483647/status") + 1)
+/* max valid UID/GID is (UINT_MAX - 1) */
+#define INVALID_UIDGID UINT_MAX
+
+/*
+ * get_uidgid - Get @pid's (real) UID and/or GID.
+ * @pid: process to get UID/GID from
+ * @uidp: pointer to store @pid's UID (can be NULL)
+ * @gidp: pointer to store @pid's GID (can be NULL)
+ *
+ * Extract "Uid:" and "Gid:" fields from /proc/@pid/status.
+ * Do so based on whether @uidp or @gidp are NULL.
+ *
+ * This function assumes we're on the same namespace as @pid.
+ *
+ * Return: 0 on success, -1 otherwise (errno set).
+ *
+ * On errors, *@uidp and *@gidp are set to INVALID_UIDGID.
+ */
+static int get_uidgid(pid_t pid, uid_t *uidp, gid_t *gidp)
+{
+ char path[PROC_PID_PATH_MAXLEN] = {}, buf[256];
+ FILE *fp = NULL;
+ int ret;
+
+ errno = 0;
+ if (pid < 0 || (!uidp && !gidp)) {
+ errno = EINVAL;
+ return -1;
+ }
+
+ if (uidp)
+ *uidp = INVALID_UIDGID;
+
+ if (gidp)
+ *gidp = INVALID_UIDGID;
+
+ ret = snprintf(path, PROC_PID_PATH_MAXLEN, "/proc/%d/status", pid);
+ if (ret < 0 || ret >= PROC_PID_PATH_MAXLEN) {
+ if (!errno)
+ errno = ENAMETOOLONG;
+ return -1;
+ }
+
+ fp = fopen(path, "r");
+ if (!fp) {
+ ret = -1;
+ goto out;
+ }
+
+ /* Parse /proc/pid/status fields */
+ errno = 0;
+ ret = -1;
+ while (fgets(buf, 256, fp)) {
+ unsigned long long val;
+
+ errno = ENODATA;
+ if ((!uidp || strncmp(buf, "Uid:", 4)) && (!gidp || strncmp(buf, "Gid:", 4)))
+ continue;
+
+ errno = 0;
+
+ /*
+ * Example line format (same for both Uid/Gid):
+ * "Uid:\t%u\t%u\%u\%u"
+ *
+ * Where the numbers represents:
+ * <real> <effective> <saved> <fsuid>
+ *
+ * We're only interested in the <real> value.
+ *
+ * (field names "Uid:"/"Gid:" parsed above, skip it)
+ */
+ ret = sscanf(&buf[0] + 4, "%llu", &val);
+ if (ret != 1) {
+ ret = -1;
+ if (errno)
+ break;
+ continue;
+ }
+
+ ret = -1;
+ if (val >= UINT_MAX) {
+ errno = EINVAL;
+ break;
+ }
+
+ if (uidp && !strncmp(buf, "Uid:", 4))
+ *uidp = (uid_t)val;
+ else
+ *gidp = (gid_t)val;
+
+ if ((!uidp || *uidp != INVALID_UIDGID) && (!gidp || *gidp != INVALID_UIDGID)) {
+ errno = 0;
+ ret = 0;
+ break;
+ }
+ }
+out:
+ if (fp)
+ fclose(fp);
+
+ if (ret) {
+ syslog(LOG_DEBUG, "%s(pid=%d): %s", __func__, pid, strerror(errno));
+ if (uidp)
+ *uidp = INVALID_UIDGID;
+
+ if (gidp)
+ *gidp = INVALID_UIDGID;
+ }
+
+ return ret;
+}
+
/* walk a string and lowercase it in-place */
static void
lowercase_string(char *c)
@@ -1306,10 +1420,10 @@ int main(const int argc, char *const argv[])
struct decoded_args *arg = NULL;
const char *oid;
uid_t uid;
+ gid_t gid;
char *keytab_name = NULL;
char *env_cachename = NULL;
krb5_ccache ccache = NULL;
- struct passwd *pw;
unsigned expire_time = DNS_RESOLVER_DEFAULT_TIMEOUT;
const char *key_descr = NULL;
@@ -1396,6 +1510,17 @@ int main(const int argc, char *const argv[])
* Otherwise, it's a spnego key request
*/
+ /*
+ * We don't need supplementary groups, ever.
+ * Drop them ASAP.
+ */
+ rc = setgroups(0, NULL);
+ if (rc == -1) {
+ syslog(LOG_ERR, "setgroups: %s", strerror(errno));
+ rc = 1;
+ goto out;
+ }
+
rc = decode_key_description(buf, &arg);
free(buf);
if (rc) {
@@ -1450,38 +1575,6 @@ int main(const int argc, char *const argv[])
if (trim_capabilities(env_probe))
goto out;
- /*
- * The kernel doesn't pass down the gid, so we resort here to scraping
- * one out of the passwd nss db. Note that this might not reflect the
- * actual gid of the process that initiated the upcall. While we could
- * scrape that out of /proc, relying on that is a bit more risky.
- */
- pw = getpwuid(uid);
- if (!pw) {
- syslog(LOG_ERR, "Unable to find pw entry for uid %d: %s\n",
- uid, strerror(errno));
- rc = 1;
- goto out;
- }
-
- /*
- * The kernel should send down a zero-length grouplist already, but
- * just to be on the safe side...
- */
- rc = setgroups(0, NULL);
- if (rc == -1) {
- syslog(LOG_ERR, "setgroups: %s", strerror(errno));
- rc = 1;
- goto out;
- }
-
- rc = setgid(pw->pw_gid);
- if (rc == -1) {
- syslog(LOG_ERR, "setgid: %s", strerror(errno));
- rc = 1;
- goto out;
- }
-
/*
* We can't reasonably do this for root. When mounting a DFS share,
* for instance we can end up with creds being overridden, but the env
@@ -1490,6 +1583,24 @@ int main(const int argc, char *const argv[])
if (uid == 0)
env_probe = false;
+ /*
+ * FIXME: this only works if we haven't switched PID namespaces.
+ * If we did, /proc/arg->pid/ might not exist, or worse, point to something else.
+ */
+ rc = get_uidgid(arg->pid, &uid, &gid);
+ if (rc) {
+ syslog(LOG_ERR, "get_uidgid (NS): %s", strerror(errno));
+ rc = 1;
+ goto out;
+ }
+
+ rc = setgid(gid);
+ if (rc) {
+ syslog(LOG_ERR, "setgid: %s", strerror(errno));
+ rc = 1;
+ goto out;
+ }
+
/*
* Must do this before setuid, as we need elevated capabilities to
* look at the environ file.

View File

@ -1,35 +0,0 @@
From 4d87803f386764ed0b5949ccf70fc684b744b83a Mon Sep 17 00:00:00 2001
From: Paulo Alcantara <pc@manguebit.org>
Date: Tue, 25 Nov 2025 17:58:29 -0300
Subject: [PATCH] docs: update echo_interval description
It is '3 * echo_interval' since upstream commit f2caf901c1b7 ("cifs:
Fix a race condition with cifs_echo_request").
Reported-by: Alexandros Panagiotou <apanagio@redhat.com>
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
Cc: Steve French <smfrench@gmail.com>
Cc: linux-cifs@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
---
mount.cifs.rst | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mount.cifs.rst b/mount.cifs.rst
index 9eee7d5afc06..52fe492a5d37 100644
--- a/mount.cifs.rst
+++ b/mount.cifs.rst
@@ -484,8 +484,8 @@ echo_interval=n
sets the interval at which echo requests are sent to the server on an
idling connection. This setting also affects the time required for a
connection to an unresponsive server to timeout. Here n is the echo
- interval in seconds. The reconnection happens at twice the value of the
- echo_interval set for an unresponsive server.
+ interval in seconds. The reconnection happens at three times the
+ value of the echo_interval set for an unresponsive server.
If this option is not given then the default value of 60 seconds is used.
The minimum tunable value is 1 second and maximum can go up to 600 seconds.
--
2.53.0

View File

@ -1,49 +0,0 @@
From e7ec0032898d855be144c0cdc9d9e3f78ae01bf2 Mon Sep 17 00:00:00 2001
From: Paulo Alcantara <pc@manguebit.com>
Date: Sun, 10 Mar 2024 22:24:24 -0300
Subject: [PATCH 1/2] mount.cifs.rst: add missing reference for sssd
Reference sssd in mount.cifs(8) as it can be used instead of winbind
via cifs.idmap utility. It's also enabled by default in most systems.
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
---
mount.cifs.rst | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/mount.cifs.rst b/mount.cifs.rst
index 3becf200e038..64127b23cf17 100644
--- a/mount.cifs.rst
+++ b/mount.cifs.rst
@@ -773,10 +773,10 @@ specified in the following Microsoft TechNet document:
In order to map SIDs to/from UIDs and GIDs, the following is required:
- a kernel upcall to the ``cifs.idmap`` utility set up via request-key.conf(5)
-- winbind support configured via nsswitch.conf(5) and smb.conf(5)
+- winbind or sssd support configured via nsswitch.conf(5)
-Please refer to the respective manpages of cifs.idmap(8) and
-winbindd(8) for more information.
+Please refer to the respective manpages of cifs.idmap(8), winbindd(8)
+and sssd(8) for more information.
Security descriptors for a file object can be retrieved and set
directly using extended attribute named ``system.cifs_acl``. The
@@ -792,10 +792,10 @@ Some of the things to consider while using this mount option:
- The mapping between a CIFS/NTFS ACL and POSIX file permission bits
is imperfect and some ACL information may be lost in the
translation.
-- If either upcall to cifs.idmap is not setup correctly or winbind is
- not configured and running, ID mapping will fail. In that case uid
- and gid will default to either to those values of the share or to
- the values of uid and/or gid mount options if specified.
+- If either upcall to cifs.idmap is not setup correctly or winbind or
+ sssd is not configured and running, ID mapping will fail. In that
+ case uid and gid will default to either to those values of the share
+ or to the values of uid and/or gid mount options if specified.
**********************************
ACCESSING FILES WITH BACKUP INTENT
--
2.44.0

View File

@ -1,59 +0,0 @@
From 4718e09e4b15b957bf9d729793bc3de7caad8134 Mon Sep 17 00:00:00 2001
From: Paulo Alcantara <pc@manguebit.com>
Date: Sun, 10 Mar 2024 22:24:25 -0300
Subject: [PATCH 2/2] mount.cifs.rst: update section about xattr/acl support
Update section about required xattr/acl support for UID/GID mapping.
Signed-off-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
---
mount.cifs.rst | 26 +++++++++++++++++++-------
1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/mount.cifs.rst b/mount.cifs.rst
index 64127b23cf17..d82a13c932b3 100644
--- a/mount.cifs.rst
+++ b/mount.cifs.rst
@@ -321,11 +321,12 @@ soft
noacl
Do not allow POSIX ACL operations even if server would support them.
- The CIFS client can get and set POSIX ACLs (getfacl, setfacl) to Samba
- servers version 3.0.10 and later. Setting POSIX ACLs requires enabling
- both ``CIFS_XATTR`` and then ``CIFS_POSIX`` support in the CIFS
- configuration options when building the cifs module. POSIX ACL support
- can be disabled on a per mount basis by specifying ``noacl`` on mount.
+ The CIFS client can get and set POSIX ACLs (getfacl, setfacl) to
+ Samba servers version 3.0.10 and later. Setting POSIX ACLs requires
+ enabling both ``CONFIG_CIFS_XATTR`` and then ``CONFIG_CIFS_POSIX``
+ support in the CIFS configuration options when building the cifs
+ module. POSIX ACL support can be disabled on a per mount basis by
+ specifying ``noacl`` on mount.
cifsacl
This option is used to map CIFS/NTFS ACLs to/from Linux permission
@@ -762,8 +763,19 @@ bits, and POSIX ACL as user authentication model. This is the most
common authentication model for CIFS servers and is the one used by
Windows.
-Support for this requires both CIFS_XATTR and CIFS_ACL support in the
-CIFS configuration options when building the cifs module.
+Support for this requires cifs kernel module built with both
+``CONFIG_CIFS_XATTR`` and ``CONFIG_CIFS_ACL`` options enabled. Since
+Linux 5.3, ``CONFIG_CIFS_ACL`` option no longer exists as CIFS/NTFS
+ACL support is always built into cifs kernel module.
+
+Most distribution kernels will already have those options enabled by
+default, but you can still check if they are enabled with::
+
+ cat /lib/modules/$(uname -r)/build/.config
+
+Alternatively, if kernel is configured with ``CONFIG_IKCONFIG_PROC``::
+
+ zcat /proc/config.gz
A CIFS/NTFS ACL is mapped to file permission bits using an algorithm
specified in the following Microsoft TechNet document:
--
2.44.0

View File

@ -1,30 +1,42 @@
## START: Set by rpmautospec
## (rpmautospec version 0.6.5)
## RPMAUTOSPEC: autorelease, autochangelog
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
release_number = 1;
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
print(release_number + base_release_number - 1);
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
## END: Set by rpmautospec
#% define pre_release rc1
%define pre_release %nil
%global bash_completion_dir %(pkg-config --variable=completionsdir bash-completion || echo /etc/bash_completion.d)
Name: cifs-utils
Version: 7.0
Release: 5%{pre_release}%{?dist}
Version: 7.5
Release: %autorelease
Summary: Utilities for mounting and managing CIFS mounts
Group: System Environment/Daemons
License: GPLv3
License: GPL-3.0-only
URL: http://linux-cifs.samba.org/cifs-utils/
BuildRequires: libcap-ng-devel libtalloc-devel krb5-devel keyutils-libs-devel autoconf automake libwbclient-devel pam-devel
BuildRequires: python3-docutils
BuildRequires: gcc
BuildRequires: libcap-ng-devel libtalloc-devel krb5-devel keyutils-libs-devel autoconf automake libwbclient-devel pam-devel
BuildRequires: python3-docutils
BuildRequires: make
Requires: keyutils
Requires(post): /usr/sbin/alternatives
Requires(preun): /usr/sbin/alternatives
Recommends: %{name}-info%{?_isa} = %{version}-%{release}
Source0: https://download.samba.org/pub/linux-cifs/cifs-utils/%{name}-%{version}.tar.bz2
Patch1: 0001-Use-explicit-usr-bin-python3.patch
Patch2: mount.cifs.rst-add-missing-reference-for-sssd.patch
Patch3: mount.cifs.rst-update-section-about-xattr-acl-suppor.patch
Patch4: docs-update-echo_interval-description.patch
Patch5: cifs.upcall-remove-getpwuid-dependency.patch
Patch6: cifs.upcall-fix-compiler-warning-with-Wvla.patch
Patch7: cifs.upcall-fix-regression-with-krb5-creduid.patch
Patch0: cifs.upcall-add-option-to-enable-debug-logs.patch
Patch1: docs-Enable-debug-logs.patch
Patch2: cifs.upcall-Adjust-log-level.patch
%description
The SMB/CIFS protocol is a standard file sharing protocol widely deployed
@ -36,7 +48,6 @@ file system.
%package devel
Summary: Files needed for building plugins for cifs-utils
Group: Development/Libraries
%description devel
The SMB/CIFS protocol is a standard file sharing protocol widely deployed
@ -45,7 +56,6 @@ necessary for building ID mapping plugins for cifs-utils.
%package -n pam_cifscreds
Summary: PAM module to manage NTLM credentials in kernel keyring
Group: System Environment/Base
%description -n pam_cifscreds
The pam_cifscreds PAM module is a tool for automatically adding
@ -58,16 +68,10 @@ for each user from somewhere. The pam_cifscreds module can be used to
provide these credentials to the kernel automatically at login.
%prep
%setup -q -n %{name}-%{version}%{pre_release}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%autosetup -n %{name}-%{version}%{pre_release} -p1
%build
grep -F -r -l '/usr/bin/env python' | xargs --no-run-if-empty -n1 sed -i 's@/usr/bin/env python.*@%python3@g'
autoreconf -i
%configure --prefix=/usr ROOTSBINDIR=%{_sbindir}
make %{?_smp_mflags}
@ -79,42 +83,40 @@ mkdir -p %{buildroot}%{_sysconfdir}/%{name}
mkdir -p %{buildroot}%{_sysconfdir}/request-key.d
install -m 644 contrib/request-key.d/cifs.idmap.conf %{buildroot}%{_sysconfdir}/request-key.d
install -m 644 contrib/request-key.d/cifs.spnego.conf %{buildroot}%{_sysconfdir}/request-key.d
install -Dpm 644 bash-completion/smbinfo %{buildroot}%{_datadir}%{bash_completion_dir}/smbinfo
%files
%defattr(-,root,root,-)
%doc
%license COPYING
%{_bindir}/getcifsacl
%{_bindir}/setcifsacl
%{_bindir}/cifscreds
%{_bindir}/smbinfo
%{_bindir}/smb2-quota
%{_sbindir}/mount.cifs
%{_sbindir}/mount.smb3
%{_sbindir}/cifs.upcall
%{_sbindir}/cifs.idmap
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/idmapwb.so
%{_mandir}/man1/getcifsacl.1.gz
%{_mandir}/man1/setcifsacl.1.gz
%{_mandir}/man1/cifscreds.1.gz
%{_mandir}/man1/smbinfo.1.gz
%{_mandir}/man1/smb2-quota.1.gz
%{_mandir}/man8/cifs.upcall.8.gz
%{_mandir}/man8/cifs.idmap.8.gz
%{_mandir}/man8/mount.cifs.8.gz
%{_mandir}/man8/mount.smb3.8.gz
%{_mandir}/man8/idmapwb.8.gz
%{_mandir}/man1/getcifsacl.*
%{_mandir}/man1/setcifsacl.*
%{_mandir}/man1/cifscreds.*
%{_mandir}/man8/cifs.upcall.*
%{_mandir}/man8/cifs.idmap.*
%{_mandir}/man8/mount.cifs.*
%{_mandir}/man8/mount.smb3.*
%{_mandir}/man8/idmapwb.*
%{_datadir}%{bash_completion_dir}/smbinfo
%dir %{_sysconfdir}/cifs-utils
%ghost %{_sysconfdir}/cifs-utils/idmap-plugin
%config(noreplace) %{_sysconfdir}/request-key.d/cifs.idmap.conf
%config(noreplace) %{_sysconfdir}/request-key.d/cifs.spnego.conf
%post
/usr/sbin/alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin %{_libdir}/%{name}/idmapwb.so 10
alternatives --install /etc/cifs-utils/idmap-plugin cifs-idmap-plugin %{_libdir}/%{name}/idmapwb.so 10
%preun
if [ $1 = 0 ]; then
/usr/sbin/alternatives --remove cifs-idmap-plugin %{_libdir}/%{name}/idmapwb.so
alternatives --remove cifs-idmap-plugin %{_libdir}/%{name}/idmapwb.so
fi
%files devel
@ -124,56 +126,122 @@ fi
%{_libdir}/security/pam_cifscreds.so
%{_mandir}/man8/pam_cifscreds.8.gz
# This subpackage also serves the purpose of avoiding a Python dependency on
# the main package: https://bugzilla.redhat.com/show_bug.cgi?id=1909288.
%package info
Summary: Additional tools for querying information about CIFS mount
Requires: %{name}%{?_isa} = %{version}-%{release}
%description info
This subpackage includes additional tools for querying information
about CIFS mount.
%files info
%{_bindir}/smb2-quota
%{_bindir}/smbinfo
%{_mandir}/man1/smb2-quota.*
%{_mandir}/man1/smbinfo.*
%changelog
* Tue Jul 7 2026 Paulo Alcantara <paalcant@redhat.com> - 7.0-5
- resolves: RHEL-192933 - fix krb5 mount regression
## START: Generated by rpmautospec
* Wed Feb 04 2026 Paulo Alcantara <paalcant@redhat.com> - 7.5-1
- resolves: RHEL-146310 - Enable debug logs in cifs.upcall
* Thu Jun 25 2026 Paulo Alcantara <paalcant@redhat.com> - 7.0-4
- cifs.upcall: remove getpwuid dependency
- cifs.upcall: fix compiler warning with -Wvla
- Resolves: RHEL-185759 - Fix CVE-2026-12505
* Thu Nov 27 2025 Paulo Alcantara <pc@manguebit.org> - 7.4-1
- resolves: RHEL-131409 - fix regression with cifscreds(1)
* Thu Feb 19 2026 Paulo Alcantara <paalcant@redhat.com> - 7.0-3
- docs: update echo_interval description
- Resolves: RHEL-80397
* Fri Mar 07 2025 Paulo Alcantara <paalcant@redhat.com> - 7.2-1
- resolves: RHEL-82681 - Update to version 7.2
* Thu Jun 13 2024 Paulo Alcantara <paalcant@redhat.com> - 7.0-2
- mount.cifs.rst: add missing reference for sssd
- mount.cifs.rst: update section about xattr/acl support
- Resolves: RHEL-41059
* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 7.1-2
- Bump release for October 2024 mass rebuild:
* Mon Jan 30 2023 Pavel Filipenský <pfilipen@redhat.com> - 7.0-1
- Update to cifs-utils-7.0
- Resolves: rhbz#2163373
* Tue Oct 08 2024 Pavel Filipenský <pfilipensky@samba.org> - 7.1-1
- resolves: RHEL-61731 - Update to version 7.1
* Thu Dec 12 2019 Sachin Prabhu <sprabhu@redhat.com> - 6.8-3
- Add manual gating tests
- docs: cleanup rst formating
- mount.cifs.rst: document new (no)handlecache mount option
- manpage: update mount.cifs manpage with info about rdma option
- checkopts: add python script to cross check mount options
- mount.cifs.rst: document missing options, correct wrong ones
- checkopts: report duplicated options in man page
- mount.cifs.rst: more cleanups
- mount.cifs.rst: document vers=3 mount option
- mount.cifs.rst: document vers=3.02 mount option
- cifs: Allow DNS resolver key to expire
- mount.cifs: be more verbose and helpful regarding mount errors
- Update mount.cifs with vers=default mount option and SMBv3.0.2
- mount.cifs.rst: update vers=3.1.1 option description
- getcifsacl: Do not go to parse_sec_desc if getxattr fails.
- getcifsacl: Improve help usage and add -h option.
- setcifsacl: fix adding ACE when owner sid in unexpected location
- cifs.upcall: fix a compiler warning
- mount.cifs Add various missing parms from the help text
- mount.cifs: add more options to help message
- mount.cifs: detect GMT format of snapshot version
- Update man page for mount.cifs to add new options
- mount.cifs.rst: mention kernel version for snapshots
- Fix authors and maintainers
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 7.0-5
- Bump release for June 2024 mass rebuild
* Tue Jul 17 2018 Alexander Bokovoy <abokovoy@redhat.com> - 6.8-2
- Use Python 3 version of rst2man utility for generating man pages
* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 7.0-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 7.0-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 7.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Thu Feb 23 2023 Pavel Filipenský <pfilipen@redhat.com> - 7.0-1
- SPDX migration
* Wed Feb 01 2023 Pavel Filipenský <pfilipen@redhat.com> - 7.0-1
- Upstream release 7.0
* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 6.15-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 6.15-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Sat Apr 30 2022 Alexander Bokovoy <abokovoy@redhat.com> - 6.15-1
- Upstream release 6.15
- CVE-2022-27239: mount.cifs: fix length check for ip option parsing
- CVE-2022-29869: mount.cifs: fix verbose messages on option parsing
- Fixes: rhbz#2080525
* Wed Feb 02 2022 Alexander Bokovoy <abokovoy@redhat.com> - 6.14-1
- Upstream release 6.14
* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 6.13-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Thu Sep 23 2021 Bruno Wolff III <bruno@wolff.to> - 6.13-3
- Actually use the patches
* Thu Sep 23 2021 Bruno Wolff III <bruno@wolff.to> - 6.13-2
- Pull in a couple of upstream fixes slotted for the next release
- fix regression in kerberos mount
- fix crash when mount point does not exist
* Wed Sep 22 2021 Bruno Wolff III <bruno@wolff.to> - 6.13-1
- Fix for CVE-2021-20208: cifs.upcall kerberos auth leak in container
- get/setcifsacl tools are improved to support changing owner, group and SACLs
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 6.11-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 6.11-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Fri Dec 18 2020 Jonathan Lebon <jonathan@jlebon.com> - 6.11-2
- Split out -info subpackage for smb2-quota and smbinfo
https://bugzilla.redhat.com/show_bug.cgi?id=1909288
* Mon Nov 02 2020 Alexander Bokovoy <abokovoy@redhat.com> - 6.11-1
- Update to v6.11 release
- Resolves: rhbz#1876400 - CVE-2020-14342 - cifs-utils: shell command injection
* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 6.9-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 6.9-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 6.9-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Sun Apr 21 2019 Jeff Layton <jlayton@redhat.com>- 6.9-1
- Update to v6.9 release
* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 6.8-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Tue Jul 17 2018 Alexander Bokovoy <abokovoy@redhat.com> - 6.8-3
- Use Python 3 version of rst2man
* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue Apr 10 2018 Fedora Release Engineering <releng@fedoraproject.org> - 6.8-1
- update to 6.8 release
@ -424,3 +492,4 @@ fi
* Mon Feb 08 2010 Jeff Layton <jlayton@redhat.com> 4.0a1-1
- first RPM package build
## END: Generated by rpmautospec

View File

@ -0,0 +1,41 @@
From 927123ede36fab4a68aea6f6a3495ad909430ed1 Mon Sep 17 00:00:00 2001
From: Pierguido Lambri <plambri@redhat.com>
Date: Fri, 30 Jan 2026 14:11:28 +0000
Subject: [PATCH 3/3] cifs.upcall: Adjust log level
Because now only error message are logged, let's switch some messages
from DEBUG to ERROR level.
This will help see when an error occurred with cifs.upcall and
eventually turn on the debug mode.
Signed-off-by: Pierguido Lambri <plambri@redhat.com>
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
---
cifs.upcall.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cifs.upcall.c b/cifs.upcall.c
index b57a48c743e4..9d0eecf3aa11 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -1618,7 +1618,7 @@ int main(const int argc, char *const argv[])
__func__);
} else {
if (!get_tgt_time(ccache)) {
- syslog(LOG_DEBUG, "%s: valid TGT is not present in credential cache",
+ syslog(LOG_ERR, "%s: valid TGT is not present in credential cache",
__func__);
krb5_cc_close(context, ccache);
ccache = NULL;
@@ -1721,7 +1721,7 @@ retry_new_hostname:
}
if (rc) {
- syslog(LOG_DEBUG, "Unable to obtain service ticket");
+ syslog(LOG_ERR, "Unable to obtain service ticket");
goto out;
}
--
2.52.0

View File

@ -0,0 +1,68 @@
From 3047b9ccefdcf6327bf060ebf0d40864c5b1a11e Mon Sep 17 00:00:00 2001
From: Pierguido Lambri <plambri@redhat.com>
Date: Fri, 30 Jan 2026 14:11:26 +0000
Subject: [PATCH 1/3] cifs.upcall: add option to enable debug logs
cifs.upcall uses two levels of logs, DEBUG and ERR.
However, when using systemd, these logs will always be recorded.
When the system does a lot of upcalls, the journal could be filled
with debug logs, which may not be useful at that time.
Added then a new option '-d' to enable debug logs only when needed.
This will set a logmask up to LOG_DEBUG instead of the default
of LOG_ERR, thus reducing the amount of logs when no debug is needed.
Signed-off-by: Pierguido Lambri <plambri@redhat.com>
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
---
cifs.upcall.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/cifs.upcall.c b/cifs.upcall.c
index 69e27a34f637..b57a48c743e4 100644
--- a/cifs.upcall.c
+++ b/cifs.upcall.c
@@ -1356,10 +1356,11 @@ lowercase_string(char *c)
static void usage(void)
{
- fprintf(stderr, "Usage: %s [ -K /path/to/keytab] [-k /path/to/krb5.conf] [-E] [-t] [-v] [-l] [-e nsecs] key_serial\n", prog);
+ fprintf(stderr, "Usage: %s [ -K /path/to/keytab] [-k /path/to/krb5.conf] [-d] [-E] [-t] [-v] [-l] [-e nsecs] key_serial\n", prog);
}
static const struct option long_options[] = {
+ {"debug", 0, NULL, 'd'},
{"no-env-probe", 0, NULL, 'E'},
{"krb5conf", 1, NULL, 'k'},
{"legacy-uid", 0, NULL, 'l'},
@@ -1379,6 +1380,7 @@ int main(const int argc, char *const argv[])
size_t datalen;
long rc = 1;
int c;
+ int mask;
bool try_dns = false, legacy_uid = false , env_probe = true;
char *buf;
char hostbuf[NI_MAXHOST], *host;
@@ -1395,12 +1397,19 @@ int main(const int argc, char *const argv[])
hostbuf[0] = '\0';
openlog(prog, 0, LOG_DAEMON);
+ mask = LOG_UPTO(LOG_ERR);
+ setlogmask(mask);
- while ((c = getopt_long(argc, argv, "cEk:K:ltve:", long_options, NULL)) != -1) {
+ while ((c = getopt_long(argc, argv, "cdEk:K:ltve:", long_options, NULL)) != -1) {
switch (c) {
case 'c':
/* legacy option -- skip it */
break;
+ case 'd':
+ /* enable debug logs */
+ mask = LOG_UPTO(LOG_DEBUG);
+ setlogmask(mask);
+ break;
case 'E':
/* skip probing initiating process env */
env_probe = false;
--
2.52.0

View File

@ -0,0 +1,41 @@
From 224512b9e62c886fd8d9802bc50a7702c4fe4517 Mon Sep 17 00:00:00 2001
From: Pierguido Lambri <plambri@redhat.com>
Date: Fri, 30 Jan 2026 14:11:27 +0000
Subject: [PATCH 2/3] docs: Enable debug logs
Documented a new option '-d' to enable debug logs.
By default only error logs are enabled, with this new option
debug logs can be enabled when needed.
Signed-off-by: Pierguido Lambri <plambri@redhat.com>
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.org>
---
cifs.upcall.rst.in | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/cifs.upcall.rst.in b/cifs.upcall.rst.in
index 09d0503591d6..895efc53ef50 100644
--- a/cifs.upcall.rst.in
+++ b/cifs.upcall.rst.in
@@ -11,7 +11,7 @@ Userspace upcall helper for Common Internet File System (CIFS)
SYNOPSIS
********
- cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l]
+ cifs.upcall [--trust-dns|-t] [--version|-v] [--legacy-uid|-l] [--debug|-d]
[--krb5conf=/path/to/krb5.conf|-k /path/to/krb5.conf]
[--keytab=/path/to/keytab|-K /path/to/keytab] [--expire|-e nsecs] {keyid}
@@ -38,6 +38,9 @@ OPTIONS
-c
This option is deprecated and is currently ignored.
+--debug|-d
+ Enable debug logs. By default no debug messages are logged, only errors.
+
--no-env-probe|-E
Normally, ``cifs.upcall`` will probe the environment variable space of
the process that initiated the upcall in order to fetch the value of
--
2.52.0

1
sources Normal file
View File

@ -0,0 +1 @@
SHA512 (cifs-utils-7.5.tar.bz2) = d44b26ca3224160bcb4fc712eb6c6d09fcfee196197d46481e95333494eaae1a4851712fba9b922c203e3cd301c481b433ff49ec396428c12ff7db3c628ce9e9