[cifs-utils] Update to latest upstream patches
Sachin Prabhu
sprabhu at fedoraproject.org
Tue May 6 12:23:49 UTC 2014
commit 8650af544c0e0f8c76b688ad85254e4d489ae5a9
Author: Sachin Prabhu <sprabhu at redhat.com>
Date: Tue May 6 12:46:12 2014 +0100
Update to latest upstream patches
- autoconf: allow PAM security install directory to be configurable
- cifs: use krb5_kt_default() to determine default keytab location
- cifskey: better use snprintf()
- cifscreds: better error handling when key_search fails
- cifscreds: better error handling for key_add
Signed-off-by: Sachin Prabhu <sprabhu at redhat.com>
...low-PAM-security-install-directory-to-be-.patch | 47 +++++++++
...b5_kt_default-to-determine-default-keytab.patch | 56 +++++++++++
0003-cifskey-better-use-snprintf.patch | 49 ++++++++++
...etter-error-handling-when-key_search-fail.patch | 85 ++++++++++++++++
...fscreds-better-error-handling-for-key_add.patch | 102 ++++++++++++++++++++
cifs-utils.spec | 19 ++++-
6 files changed, 357 insertions(+), 1 deletions(-)
---
diff --git a/0001-autoconf-allow-PAM-security-install-directory-to-be-.patch b/0001-autoconf-allow-PAM-security-install-directory-to-be-.patch
new file mode 100644
index 0000000..0c09626
--- /dev/null
+++ b/0001-autoconf-allow-PAM-security-install-directory-to-be-.patch
@@ -0,0 +1,47 @@
+From 00a1cee869fce5b6aa79683da19a2529c2cfd690 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Lars=20M=C3=BCller?= <lars at samba.org>
+Date: Mon, 7 Apr 2014 14:35:10 -0400
+Subject: [PATCH] autoconf: allow PAM security install directory to be
+ configurable
+
+Allow the pam module install directory to be set at build time.
+
+Signed-off-by: Jeff Layton <jlayton at samba.org>
+---
+ Makefile.am | 2 --
+ configure.ac | 6 ++++++
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index a3fb413..92da8b1 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -92,8 +92,6 @@ idmapwb.8: idmapwb.8.in
+ endif
+
+ if CONFIG_PAM
+-pamdir = $(libdir)/security
+-
+ pam_PROGRAMS = pam_cifscreds.so
+
+ pam_cifscreds.so: pam_cifscreds.c cifskey.c resolve_host.c util.c
+diff --git a/configure.ac b/configure.ac
+index 6cd8558..43aa55c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -58,6 +58,12 @@ AC_ARG_WITH(idmap-plugin,
+ AC_DEFINE_UNQUOTED(IDMAP_PLUGIN_PATH, "$pluginpath", [Location of plugin that ID mapping infrastructure should use. (usually a symlink to real plugin)])
+ AC_SUBST([pluginpath])
+
++AC_ARG_WITH(pamdir,
++ [AC_HELP_STRING([--with-pamdir=DIR],[Where to install the PAM module @<:@default=$(libdir)/security@:>@])],
++ pamdir=$withval,
++ pamdir="\$(libdir)/security")
++AC_SUBST([pamdir])
++
+ # check for ROOTSBINDIR environment var
+ if test -z $ROOTSBINDIR; then
+ ROOTSBINDIR="/sbin"
+--
+1.8.4.2
+
diff --git a/0002-cifs-use-krb5_kt_default-to-determine-default-keytab.patch b/0002-cifs-use-krb5_kt_default-to-determine-default-keytab.patch
new file mode 100644
index 0000000..6f683d5
--- /dev/null
+++ b/0002-cifs-use-krb5_kt_default-to-determine-default-keytab.patch
@@ -0,0 +1,56 @@
+From a016e18969d10e3c777f35fe21b1c1f8c1d70880 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton at samba.org>
+Date: Mon, 7 Apr 2014 14:35:17 -0400
+Subject: [PATCH] cifs: use krb5_kt_default() to determine default keytab
+ location
+
+...don't assume that it's in /etc/krb5.keytab.
+
+Reported-by: Konstantin Lepikhov <klepikho at redhat.com>
+Signed-off-by: Jeff Layton <jlayton at samba.org>
+---
+ cifs.upcall.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/cifs.upcall.c b/cifs.upcall.c
+index cc65824..e8544c2 100644
+--- a/cifs.upcall.c
++++ b/cifs.upcall.c
+@@ -55,7 +55,6 @@
+ #define CIFS_DEFAULT_KRB5_DIR "/tmp"
+ #define CIFS_DEFAULT_KRB5_USER_DIR "/run/user/%U"
+ #define CIFS_DEFAULT_KRB5_PREFIX "krb5cc"
+-#define CIFS_DEFAULT_KRB5_KEYTAB "/etc/krb5.keytab"
+
+ #define MAX_CCNAME_LEN PATH_MAX + 5
+
+@@ -205,9 +204,15 @@ init_cc_from_keytab(const char *keytab_name, const char *user)
+ goto icfk_cleanup;
+ }
+
+- ret = krb5_kt_resolve(context, keytab_name, &keytab);
++ if (keytab_name)
++ ret = krb5_kt_resolve(context, keytab_name, &keytab);
++ else
++ ret = krb5_kt_default(context, &keytab);
++
+ if (ret) {
+- syslog(LOG_DEBUG, "krb5_kt_resolve: %d", (int)ret);
++ syslog(LOG_DEBUG, "%s: %d",
++ keytab_name ? "krb5_kt_resolve" : "krb5_kt_default",
++ (int)ret);
+ goto icfk_cleanup;
+ }
+
+@@ -841,7 +846,7 @@ int main(const int argc, char *const argv[])
+ struct decoded_args arg;
+ const char *oid;
+ uid_t uid;
+- char *keytab_name = CIFS_DEFAULT_KRB5_KEYTAB;
++ char *keytab_name = NULL;
+ time_t best_time = 0;
+
+ hostbuf[0] = '\0';
+--
+1.8.4.2
+
diff --git a/0003-cifskey-better-use-snprintf.patch b/0003-cifskey-better-use-snprintf.patch
new file mode 100644
index 0000000..bea3603
--- /dev/null
+++ b/0003-cifskey-better-use-snprintf.patch
@@ -0,0 +1,49 @@
+From 0c521d5060035da655107001374e08873ac5dde8 Mon Sep 17 00:00:00 2001
+From: Sebastian Krahmer <krahmer at suse.de>
+Date: Mon, 14 Apr 2014 11:39:41 +0200
+Subject: [PATCH] cifskey: better use snprintf()
+
+Prefer snprintf() over sprintf() in cifskey.c
+Projects that fork the code (pam_cifscreds) can't rely on
+the max-size parameters.
+
+[jlayton: removed unneeded initialization of "len" in key_add]
+
+Signed-off-by: Sebastian Krahmer <krahmer at suse.de>
+---
+ cifskey.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/cifskey.c b/cifskey.c
+index 7716c42..e89cacf 100644
+--- a/cifskey.c
++++ b/cifskey.c
+@@ -29,7 +29,8 @@ key_search(const char *addr, char keytype)
+ {
+ char desc[INET6_ADDRSTRLEN + sizeof(KEY_PREFIX) + 4];
+
+- sprintf(desc, "%s:%c:%s", KEY_PREFIX, keytype, addr);
++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc))
++ return -1;
+
+ return keyctl_search(DEST_KEYRING, CIFS_KEY_TYPE, desc, 0);
+ }
+@@ -43,10 +44,13 @@ key_add(const char *addr, const char *user, const char *pass, char keytype)
+ char val[MOUNT_PASSWD_SIZE + MAX_USERNAME_SIZE + 2];
+
+ /* set key description */
+- sprintf(desc, "%s:%c:%s", KEY_PREFIX, keytype, addr);
++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc))
++ return -1;
+
+ /* set payload contents */
+- len = sprintf(val, "%s:%s", user, pass);
++ len = snprintf(val, sizeof(val), "%s:%s", user, pass);
++ if (len >= (int)sizeof(val))
++ return -1;
+
+ return add_key(CIFS_KEY_TYPE, desc, val, len + 1, DEST_KEYRING);
+ }
+--
+1.8.4.2
+
diff --git a/0004-cifscreds-better-error-handling-when-key_search-fail.patch b/0004-cifscreds-better-error-handling-when-key_search-fail.patch
new file mode 100644
index 0000000..cf57eea
--- /dev/null
+++ b/0004-cifscreds-better-error-handling-when-key_search-fail.patch
@@ -0,0 +1,85 @@
+From 3da4c43b575498be86c87a2ac3f3142e3cab1c59 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton at samba.org>
+Date: Sun, 20 Apr 2014 20:41:05 -0400
+Subject: [PATCH] cifscreds: better error handling when key_search fails
+
+If we ended up getting a bogus string that would have overflowed, then
+make key_search set errno to EINVAL before returning. The callers can
+then test to see if the returned error is what was expected or something
+else and handle it appropriately.
+
+Cc: Sebastian Krahmer <krahmer at suse.de>
+Signed-off-by: Jeff Layton <jlayton at samba.org>
+---
+ cifscreds.c | 9 +++++++++
+ cifskey.c | 5 ++++-
+ pam_cifscreds.c | 9 +++++++++
+ 3 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/cifscreds.c b/cifscreds.c
+index fa05dc8..64d55b0 100644
+--- a/cifscreds.c
++++ b/cifscreds.c
+@@ -188,6 +188,15 @@ static int cifscreds_add(struct cmdarg *arg)
+ return EXIT_FAILURE;
+ }
+
++ switch(errno) {
++ case ENOKEY:
++ /* success */
++ break;
++ default:
++ printf("Key search failed: %s\n", strerror(errno));
++ return EXIT_FAILURE;
++ }
++
+ currentaddress = nextaddress;
+ if (currentaddress) {
+ *(currentaddress - 1) = ',';
+diff --git a/cifskey.c b/cifskey.c
+index e89cacf..4f01ed0 100644
+--- a/cifskey.c
++++ b/cifskey.c
+@@ -20,6 +20,7 @@
+ #include <sys/types.h>
+ #include <keyutils.h>
+ #include <stdio.h>
++#include <errno.h>
+ #include "cifskey.h"
+ #include "resolve_host.h"
+
+@@ -29,8 +30,10 @@ key_search(const char *addr, char keytype)
+ {
+ char desc[INET6_ADDRSTRLEN + sizeof(KEY_PREFIX) + 4];
+
+- if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc))
++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) {
++ errno = EINVAL;
+ return -1;
++ }
+
+ return keyctl_search(DEST_KEYRING, CIFS_KEY_TYPE, desc, 0);
+ }
+diff --git a/pam_cifscreds.c b/pam_cifscreds.c
+index e0d8a55..fb23117 100644
+--- a/pam_cifscreds.c
++++ b/pam_cifscreds.c
+@@ -206,6 +206,15 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char *user, const char *pas
+ return PAM_SERVICE_ERR;
+ }
+
++ switch(errno) {
++ case ENOKEY:
++ break;
++ default:
++ pam_syslog(ph, LOG_ERR, "Unable to search keyring for %s (%s)",
++ currentaddress, strerror(errno));
++ return PAM_SERVICE_ERR;
++ }
++
+ currentaddress = nextaddress;
+ if (currentaddress) {
+ *(currentaddress - 1) = ',';
+--
+1.8.4.2
+
diff --git a/0005-cifscreds-better-error-handling-for-key_add.patch b/0005-cifscreds-better-error-handling-for-key_add.patch
new file mode 100644
index 0000000..3baedd6
--- /dev/null
+++ b/0005-cifscreds-better-error-handling-for-key_add.patch
@@ -0,0 +1,102 @@
+From 382ec63757c1d8d4d399d17ccc927c4897d4cfc9 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton at samba.org>
+Date: Sun, 20 Apr 2014 20:41:05 -0400
+Subject: [PATCH] cifscreds: better error handling for key_add
+
+If the string buffers would have been overrun, set errno to EINVAL
+before returning. Then, have the callers report the errors to
+stderr or syslog as appropriate.
+
+Cc: Sebastian Krahmer <krahmer at suse.de>
+Signed-off-by: Jeff Layton <jlayton at samba.org>
+---
+ cifscreds.c | 6 +++---
+ cifskey.c | 8 ++++++--
+ pam_cifscreds.c | 9 +++++----
+ 3 files changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/cifscreds.c b/cifscreds.c
+index 64d55b0..5d84c3c 100644
+--- a/cifscreds.c
++++ b/cifscreds.c
+@@ -220,8 +220,8 @@ static int cifscreds_add(struct cmdarg *arg)
+ while (currentaddress) {
+ key_serial_t key = key_add(currentaddress, arg->user, pass, arg->keytype);
+ if (key <= 0) {
+- fprintf(stderr, "error: Add credential key for %s\n",
+- currentaddress);
++ fprintf(stderr, "error: Add credential key for %s: %s\n",
++ currentaddress, strerror(errno));
+ } else {
+ if (keyctl(KEYCTL_SETPERM, key, CIFS_KEY_PERMS) < 0) {
+ fprintf(stderr, "error: Setting permissons "
+@@ -422,7 +422,7 @@ static int cifscreds_update(struct cmdarg *arg)
+ key_serial_t key = key_add(addrs[id], arg->user, pass, arg->keytype);
+ if (key <= 0)
+ fprintf(stderr, "error: Update credential key "
+- "for %s\n", addrs[id]);
++ "for %s: %s\n", addrs[id], strerror(errno));
+ }
+
+ return EXIT_SUCCESS;
+diff --git a/cifskey.c b/cifskey.c
+index 4f01ed0..919540f 100644
+--- a/cifskey.c
++++ b/cifskey.c
+@@ -47,13 +47,17 @@ key_add(const char *addr, const char *user, const char *pass, char keytype)
+ char val[MOUNT_PASSWD_SIZE + MAX_USERNAME_SIZE + 2];
+
+ /* set key description */
+- if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc))
++ if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) {
++ errno = EINVAL;
+ return -1;
++ }
+
+ /* set payload contents */
+ len = snprintf(val, sizeof(val), "%s:%s", user, pass);
+- if (len >= (int)sizeof(val))
++ if (len >= (int)sizeof(val)) {
++ errno = EINVAL;
+ return -1;
++ }
+
+ return add_key(CIFS_KEY_TYPE, desc, val, len + 1, DEST_KEYRING);
+ }
+diff --git a/pam_cifscreds.c b/pam_cifscreds.c
+index fb23117..5d99c2d 100644
+--- a/pam_cifscreds.c
++++ b/pam_cifscreds.c
+@@ -208,6 +208,7 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char *user, const char *pas
+
+ switch(errno) {
+ case ENOKEY:
++ /* success */
+ break;
+ default:
+ pam_syslog(ph, LOG_ERR, "Unable to search keyring for %s (%s)",
+@@ -233,8 +234,8 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char *user, const char *pas
+ while (currentaddress) {
+ key_serial_t key = key_add(currentaddress, user, password, keytype);
+ if (key <= 0) {
+- pam_syslog(ph, LOG_ERR, "error: Add credential key for %s",
+- currentaddress);
++ pam_syslog(ph, LOG_ERR, "error: Add credential key for %s: %s",
++ currentaddress, strerror(errno));
+ } else {
+ if ((args & ARG_DEBUG) == ARG_DEBUG) {
+ pam_syslog(ph, LOG_DEBUG, "credential key for \\\\%s\\%s added",
+@@ -336,8 +337,8 @@ static int cifscreds_pam_update(pam_handle_t *ph, const char *user, const char *
+ for (id = 0; id < count; id++) {
+ key_serial_t key = key_add(currentaddress, user, password, keytype);
+ if (key <= 0) {
+- pam_syslog(ph, LOG_ERR, "error: Update credential key for %s",
+- currentaddress);
++ pam_syslog(ph, LOG_ERR, "error: Update credential key for %s: %s",
++ currentaddress, strerror(errno));
+ }
+ }
+
+--
+1.8.4.2
+
diff --git a/cifs-utils.spec b/cifs-utils.spec
index cdcbf92..d53b4ca 100644
--- a/cifs-utils.spec
+++ b/cifs-utils.spec
@@ -3,7 +3,7 @@
Name: cifs-utils
Version: 6.3
-Release: 1%{pre_release}%{?dist}
+Release: 2%{pre_release}%{?dist}
Summary: Utilities for mounting and managing CIFS mounts
Group: System Environment/Daemons
@@ -18,6 +18,11 @@ Requires(post): /usr/sbin/alternatives
Requires(preun): /usr/sbin/alternatives
Source0: ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/%{name}-%{version}%{pre_release}.tar.bz2
+Patch0: 0001-autoconf-allow-PAM-security-install-directory-to-be-.patch
+Patch1: 0002-cifs-use-krb5_kt_default-to-determine-default-keytab.patch
+Patch2: 0003-cifskey-better-use-snprintf.patch
+Patch3: 0004-cifscreds-better-error-handling-when-key_search-fail.patch
+Patch4: 0005-cifscreds-better-error-handling-for-key_add.patch
%description
The SMB/CIFS protocol is a standard file sharing protocol widely deployed
@@ -52,6 +57,11 @@ provide these credentials to the kernel automatically at login.
%prep
%setup -q -n %{name}-%{version}%{pre_release}
+%patch0 -p1
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
%build
autoreconf -i
@@ -106,6 +116,13 @@ fi
%{_mandir}/man8/pam_cifscreds.8.gz
%changelog
+* Tue May 06 2014 Sachin Prabhu <sprabhu at redhat.com> 6.3-2
+- autoconf: allow PAM security install directory to be configurable
+- cifs: use krb5_kt_default() to determine default keytab location
+- cifskey: better use snprintf()
+- cifscreds: better error handling when key_search fails
+- cifscreds: better error handling for key_add
+
* Thu Jan 09 2014 Jeff Layton <jlayton at redhat.com> 6.3-1
- update to 6.3 release
More information about the scm-commits
mailing list