Date: Thursday, December 17, 2020 @ 09:37:56 Author: tpowa Revision: 404432
archrelease: copy trunk to extra-x86_64 Added: cifs-utils/repos/extra-x86_64/PKGBUILD (from rev 404431, cifs-utils/trunk/PKGBUILD) cifs-utils/repos/extra-x86_64/cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch (from rev 404431, cifs-utils/trunk/cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch) cifs-utils/repos/extra-x86_64/cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1_part-2.patch (from rev 404431, cifs-utils/trunk/cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1_part-2.patch) Deleted: cifs-utils/repos/extra-x86_64/PKGBUILD cifs-utils/repos/extra-x86_64/cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch ------------------------------------------------------------------+ PKGBUILD | 95 ++-- cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch | 202 +++++----- cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1_part-2.patch | 58 ++ 3 files changed, 208 insertions(+), 147 deletions(-) Deleted: PKGBUILD =================================================================== --- PKGBUILD 2020-12-17 09:37:48 UTC (rev 404431) +++ PKGBUILD 2020-12-17 09:37:56 UTC (rev 404432) @@ -1,46 +0,0 @@ -# Maintainer: Tobias Powalowski <tp...@archlinux.org> -pkgname=cifs-utils -pkgver=6.11 -pkgrel=2 -pkgdesc="CIFS filesystem user-space tools" -arch=(x86_64) -url="https://wiki.samba.org/index.php/LinuxCIFS_utils" -license=('GPL') -depends=('libcap-ng' 'keyutils' 'krb5' 'talloc' 'libwbclient' 'pam') -makedepends=('python-docutils') -source=("https://download.samba.org/pub/linux-cifs/$pkgname/$pkgname-$pkgver.tar.bz2"{,.asc} - "cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch") - -validpgpkeys=('C699981A31F338706C817650DF5BA9D30642D5A0') #cifs-utils Distribution Verification Key <cifs-ut...@samba.org> -sha256sums=('b859239a3f204f8220d3e54ed43bf8109e1ef202042dd87ba87492f8878728d9' - 'SKIP' - '0edcd01eb3e721a5726cc00160667dc2f7c935883bad71711288488081f81e5b') - -prepare() { - # Fix install to honor DESTDIR - sed -e 's|\$(man8dir)|$(DESTDIR)$(man8dir)|g' -e 's|cd \$(ROOTSBINDIR)|cd $(DESTDIR)$(ROOTSBINDIR)|g' -i $pkgname-$pkgver/Makefile.am - cd "$srcdir/$pkgname-$pkgver" - patch -Np1 -i $srcdir/cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch -} - -build() { - cd "$srcdir/$pkgname-$pkgver" - # systemd support is broken in mount.cifs - # https://bugs.archlinux.org/task/30958 - autoreconf -i - ./configure --prefix=/usr --sbindir=/usr/bin --disable-systemd - make -} - -package() { - cd "$srcdir/$pkgname-$pkgver" - make DESTDIR="$pkgdir" ROOTSBINDIR=/usr/bin install - mkdir -p "$pkgdir"/etc/request-key.d - install -m 644 contrib/request-key.d/cifs.idmap.conf "$pkgdir"/etc/request-key.d - install -m 644 contrib/request-key.d/cifs.spnego.conf "$pkgdir"/etc/request-key.d - # set mount.cifs uid, to enable none root mounting form fstab - chmod +s "$pkgdir"/usr/bin/mount.cifs - # fix idmap-plugin #42052 - mkdir -p "$pkgdir"/etc/cifs-utils - ln -s /usr/lib/cifs-utils/idmapwb.so "${pkgdir}"/etc/cifs-utils/idmap-plugin -} Copied: cifs-utils/repos/extra-x86_64/PKGBUILD (from rev 404431, cifs-utils/trunk/PKGBUILD) =================================================================== --- PKGBUILD (rev 0) +++ PKGBUILD 2020-12-17 09:37:56 UTC (rev 404432) @@ -0,0 +1,49 @@ +# Maintainer: Tobias Powalowski <tp...@archlinux.org> +pkgname=cifs-utils +pkgver=6.11 +pkgrel=3 +pkgdesc="CIFS filesystem user-space tools" +arch=(x86_64) +url="https://wiki.samba.org/index.php/LinuxCIFS_utils" +license=('GPL') +depends=('libcap-ng' 'keyutils' 'krb5' 'talloc' 'libwbclient' 'pam') +makedepends=('python-docutils') +source=("https://download.samba.org/pub/linux-cifs/$pkgname/$pkgname-$pkgver.tar.bz2"{,.asc} + "cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch" + "cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1_part-2.patch") + +validpgpkeys=('C699981A31F338706C817650DF5BA9D30642D5A0') #cifs-utils Distribution Verification Key <cifs-ut...@samba.org> +sha256sums=('b859239a3f204f8220d3e54ed43bf8109e1ef202042dd87ba87492f8878728d9' + 'SKIP' + '0edcd01eb3e721a5726cc00160667dc2f7c935883bad71711288488081f81e5b' + 'acdf75f2d3895d60414f19b2401f3349af23252717bf669529848f9d35d70604') + +prepare() { + # Fix install to honor DESTDIR + sed -e 's|\$(man8dir)|$(DESTDIR)$(man8dir)|g' -e 's|cd \$(ROOTSBINDIR)|cd $(DESTDIR)$(ROOTSBINDIR)|g' -i $pkgname-$pkgver/Makefile.am + cd "$srcdir/$pkgname-$pkgver" + patch -Np1 -i "$srcdir/cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch" + patch -Np1 -i "$srcdir/cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1_part-2.patch" +} + +build() { + cd "$srcdir/$pkgname-$pkgver" + # systemd support is broken in mount.cifs + # https://bugs.archlinux.org/task/30958 + autoreconf -i + ./configure --prefix=/usr --sbindir=/usr/bin --disable-systemd + make +} + +package() { + cd "$srcdir/$pkgname-$pkgver" + make DESTDIR="$pkgdir" ROOTSBINDIR=/usr/bin install + mkdir -p "$pkgdir"/etc/request-key.d + install -m 644 contrib/request-key.d/cifs.idmap.conf "$pkgdir"/etc/request-key.d + install -m 644 contrib/request-key.d/cifs.spnego.conf "$pkgdir"/etc/request-key.d + # set mount.cifs uid, to enable none root mounting form fstab + chmod +s "$pkgdir"/usr/bin/mount.cifs + # fix idmap-plugin #42052 + mkdir -p "$pkgdir"/etc/cifs-utils + ln -s /usr/lib/cifs-utils/idmapwb.so "${pkgdir}"/etc/cifs-utils/idmap-plugin +} Deleted: cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch =================================================================== --- cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch 2020-12-17 09:37:48 UTC (rev 404431) +++ cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch 2020-12-17 09:37:56 UTC (rev 404432) @@ -1,101 +0,0 @@ -From f4e7c84467152624a288351321c8664dbf3364af Mon Sep 17 00:00:00 2001 -From: Jonas Witschel <diabo...@archlinux.org> -Date: Sat, 21 Nov 2020 11:41:26 +0100 -Subject: [PATCH 1/2] mount.cifs: update the cap bounding set only when - CAP_SETPCAP is given - -libcap-ng 0.8.1 tightened the error checking on capng_apply, returning an error -of -4 when trying to update the capability bounding set without having the -CAP_SETPCAP capability to be able to do so. Previous versions of libcap-ng -silently skipped updating the bounding set and only updated the normal -CAPNG_SELECT_CAPS capabilities instead. - -Check beforehand whether we have CAP_SETPCAP, in which case we can use -CAPNG_SELECT_BOTH to update both the normal capabilities and the bounding set. -Otherwise, we can at least update the normal capabilities, but refrain from -trying to update the bounding set to avoid getting an error. - -Signed-off-by: Jonas Witschel <diabo...@archlinux.org> ---- - mount.cifs.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/mount.cifs.c b/mount.cifs.c -index 4feb397..88b8b69 100644 ---- a/mount.cifs.c -+++ b/mount.cifs.c -@@ -338,6 +338,8 @@ static int set_password(struct parsed_mount_info *parsed_info, const char *src) - static int - drop_capabilities(int parent) - { -+ capng_select_t set = CAPNG_SELECT_CAPS; -+ - capng_setpid(getpid()); - capng_clear(CAPNG_SELECT_BOTH); - if (parent) { -@@ -355,7 +357,10 @@ drop_capabilities(int parent) - return EX_SYSERR; - } - } -- if (capng_apply(CAPNG_SELECT_BOTH)) { -+ if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) { -+ set = CAPNG_SELECT_BOTH; -+ } -+ if (capng_apply(set)) { - fprintf(stderr, "Unable to apply new capability set.\n"); - return EX_SYSERR; - } --- -2.29.2 - - -From 64dfbafe7a0639a96d67f0b840b6e6498e1f68a9 Mon Sep 17 00:00:00 2001 -From: Jonas Witschel <diabo...@archlinux.org> -Date: Sat, 21 Nov 2020 11:48:33 +0100 -Subject: [PATCH 2/2] cifs.upall: update the cap bounding set only when - CAP_SETPCAP is given - -libcap-ng 0.8.1 tightened the error checking on capng_apply, returning an error -of -4 when trying to update the capability bounding set without having the -CAP_SETPCAP capability to be able to do so. Previous versions of libcap-ng -silently skipped updating the bounding set and only updated the normal -CAPNG_SELECT_CAPS capabilities instead. - -Check beforehand whether we have CAP_SETPCAP, in which case we can use -CAPNG_SELECT_BOTH to update both the normal capabilities and the bounding set. -Otherwise, we can at least update the normal capabilities, but refrain from -trying to update the bounding set to avoid getting an error. - -Signed-off-by: Jonas Witschel <diabo...@archlinux.org> ---- - cifs.upcall.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/cifs.upcall.c b/cifs.upcall.c -index 1559434..af1a0b0 100644 ---- a/cifs.upcall.c -+++ b/cifs.upcall.c -@@ -88,6 +88,8 @@ typedef enum _sectype { - static int - trim_capabilities(bool need_environ) - { -+ capng_select_t set = CAPNG_SELECT_CAPS; -+ - capng_clear(CAPNG_SELECT_BOTH); - - /* SETUID and SETGID to change uid, gid, and grouplist */ -@@ -105,7 +107,10 @@ trim_capabilities(bool need_environ) - return 1; - } - -- if (capng_apply(CAPNG_SELECT_BOTH)) { -+ if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) { -+ set = CAPNG_SELECT_BOTH; -+ } -+ if (capng_apply(set)) { - syslog(LOG_ERR, "%s: Unable to apply capability set: %m\n", __func__); - return 1; - } --- -2.29.2 - Copied: cifs-utils/repos/extra-x86_64/cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch (from rev 404431, cifs-utils/trunk/cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch) =================================================================== --- cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch (rev 0) +++ cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1.patch 2020-12-17 09:37:56 UTC (rev 404432) @@ -0,0 +1,101 @@ +From f4e7c84467152624a288351321c8664dbf3364af Mon Sep 17 00:00:00 2001 +From: Jonas Witschel <diabo...@archlinux.org> +Date: Sat, 21 Nov 2020 11:41:26 +0100 +Subject: [PATCH 1/2] mount.cifs: update the cap bounding set only when + CAP_SETPCAP is given + +libcap-ng 0.8.1 tightened the error checking on capng_apply, returning an error +of -4 when trying to update the capability bounding set without having the +CAP_SETPCAP capability to be able to do so. Previous versions of libcap-ng +silently skipped updating the bounding set and only updated the normal +CAPNG_SELECT_CAPS capabilities instead. + +Check beforehand whether we have CAP_SETPCAP, in which case we can use +CAPNG_SELECT_BOTH to update both the normal capabilities and the bounding set. +Otherwise, we can at least update the normal capabilities, but refrain from +trying to update the bounding set to avoid getting an error. + +Signed-off-by: Jonas Witschel <diabo...@archlinux.org> +--- + mount.cifs.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/mount.cifs.c b/mount.cifs.c +index 4feb397..88b8b69 100644 +--- a/mount.cifs.c ++++ b/mount.cifs.c +@@ -338,6 +338,8 @@ static int set_password(struct parsed_mount_info *parsed_info, const char *src) + static int + drop_capabilities(int parent) + { ++ capng_select_t set = CAPNG_SELECT_CAPS; ++ + capng_setpid(getpid()); + capng_clear(CAPNG_SELECT_BOTH); + if (parent) { +@@ -355,7 +357,10 @@ drop_capabilities(int parent) + return EX_SYSERR; + } + } +- if (capng_apply(CAPNG_SELECT_BOTH)) { ++ if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) { ++ set = CAPNG_SELECT_BOTH; ++ } ++ if (capng_apply(set)) { + fprintf(stderr, "Unable to apply new capability set.\n"); + return EX_SYSERR; + } +-- +2.29.2 + + +From 64dfbafe7a0639a96d67f0b840b6e6498e1f68a9 Mon Sep 17 00:00:00 2001 +From: Jonas Witschel <diabo...@archlinux.org> +Date: Sat, 21 Nov 2020 11:48:33 +0100 +Subject: [PATCH 2/2] cifs.upall: update the cap bounding set only when + CAP_SETPCAP is given + +libcap-ng 0.8.1 tightened the error checking on capng_apply, returning an error +of -4 when trying to update the capability bounding set without having the +CAP_SETPCAP capability to be able to do so. Previous versions of libcap-ng +silently skipped updating the bounding set and only updated the normal +CAPNG_SELECT_CAPS capabilities instead. + +Check beforehand whether we have CAP_SETPCAP, in which case we can use +CAPNG_SELECT_BOTH to update both the normal capabilities and the bounding set. +Otherwise, we can at least update the normal capabilities, but refrain from +trying to update the bounding set to avoid getting an error. + +Signed-off-by: Jonas Witschel <diabo...@archlinux.org> +--- + cifs.upcall.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/cifs.upcall.c b/cifs.upcall.c +index 1559434..af1a0b0 100644 +--- a/cifs.upcall.c ++++ b/cifs.upcall.c +@@ -88,6 +88,8 @@ typedef enum _sectype { + static int + trim_capabilities(bool need_environ) + { ++ capng_select_t set = CAPNG_SELECT_CAPS; ++ + capng_clear(CAPNG_SELECT_BOTH); + + /* SETUID and SETGID to change uid, gid, and grouplist */ +@@ -105,7 +107,10 @@ trim_capabilities(bool need_environ) + return 1; + } + +- if (capng_apply(CAPNG_SELECT_BOTH)) { ++ if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) { ++ set = CAPNG_SELECT_BOTH; ++ } ++ if (capng_apply(set)) { + syslog(LOG_ERR, "%s: Unable to apply capability set: %m\n", __func__); + return 1; + } +-- +2.29.2 + Copied: cifs-utils/repos/extra-x86_64/cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1_part-2.patch (from rev 404431, cifs-utils/trunk/cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1_part-2.patch) =================================================================== --- cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1_part-2.patch (rev 0) +++ cifs-utils-6.11_fix_capng_apply_for_libcap-ng-0.8.1_part-2.patch 2020-12-17 09:37:56 UTC (rev 404432) @@ -0,0 +1,58 @@ +From 0fddcee4b1b9c9f16b3cfe1b2daec87d2b8b19dd Mon Sep 17 00:00:00 2001 +From: Alexander Koch <m...@alexanderkoch.net> +Date: Wed, 16 Dec 2020 18:02:31 +0100 +Subject: [PATCH] cifs.upcall: drop bounding capabilities only if CAP_SETPCAP + is given + +Make drop_call_capabilities() in cifs.upcall update the bounding capabilities +only if CAP_SETCAP is present. + +This is an addendum to the patch recently provided in [1]. Without this +additional change, cifs.upcall can still fail while trying to mount a CIFS +network share with krb5: + + kernel: CIFS: Attempting to mount //server.domain.lan/myshare + cifs.upcall[39484]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=server.domain.lan> + cifs.upcall[39484]: ver=2 + cifs.upcall[39484]: host=server.domain.lan + cifs.upcall[39484]: ip=172.22.3.14 + cifs.upcall[39484]: sec=1 + cifs.upcall[39484]: uid=1000 + cifs.upcall[39484]: creduid=1000 + cifs.upcall[39484]: user=username + cifs.upcall[39484]: pid=39481 + cifs.upcall[39484]: get_cachename_from_process_env: pathname=/proc/39481/environ + cifs.upcall[39484]: get_cachename_from_process_env: cachename = FILE:/tmp/.krb5cc_1000 + cifs.upcall[39484]: drop_all_capabilities: Unable to apply capability set: Success + cifs.upcall[39484]: Exit status 1 + +[1] https://marc.info/?l=linux-cifs&m=160595758021261 + +Signed-off-by: Alexander Koch <m...@alexanderkoch.net> +Signed-off-by: Jonas Witschel <diabo...@archlinux.org> +--- + cifs.upcall.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/cifs.upcall.c b/cifs.upcall.c +index 1559434..b62ab50 100644 +--- a/cifs.upcall.c ++++ b/cifs.upcall.c +@@ -115,8 +115,13 @@ trim_capabilities(bool need_environ) + static int + drop_all_capabilities(void) + { ++ capng_select_t set = CAPNG_SELECT_CAPS; ++ + capng_clear(CAPNG_SELECT_BOTH); +- if (capng_apply(CAPNG_SELECT_BOTH)) { ++ if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) { ++ set = CAPNG_SELECT_BOTH; ++ } ++ if (capng_apply(set)) { + syslog(LOG_ERR, "%s: Unable to apply capability set: %m\n", __func__); + return 1; + } +-- +2.29.2 +