Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package cifs-utils for openSUSE:Factory checked in at 2021-05-18 18:26:45 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/cifs-utils (Old) and /work/SRC/openSUSE:Factory/.cifs-utils.new.2988 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cifs-utils" Tue May 18 18:26:45 2021 rev:68 rq:893218 version:6.13 Changes: -------- --- /work/SRC/openSUSE:Factory/cifs-utils/cifs-utils.changes 2021-04-27 21:34:24.619958916 +0200 +++ /work/SRC/openSUSE:Factory/.cifs-utils.new.2988/cifs-utils.changes 2021-05-18 18:27:03.618801735 +0200 @@ -1,0 +2,12 @@ +Fri May 14 11:13:47 UTC 2021 - Ferdinand Thiessen <r...@fthiessen.de> + +- Update to cifs-utils 6.13 + * Fixes CVE-2021-20208, cifs.upcall kerberos auth leak in container + * remove cifs-utils-6.12.tar.bz2 + * remove cifs-utils-6.12.tar.bz2.asc + * add cifs-utils-6.13.tar.bz2 + * add cifs-utils-6.13.tar.bz2.asc +- Drop upstream fixed patches: + * 0001-cifs.upcall-try-to-use-container-ipc-uts-net-pid-mnt.patch + +------------------------------------------------------------------- Old: ---- 0001-cifs.upcall-try-to-use-container-ipc-uts-net-pid-mnt.patch cifs-utils-6.12.tar.bz2 cifs-utils-6.12.tar.bz2.asc New: ---- cifs-utils-6.13.tar.bz2 cifs-utils-6.13.tar.bz2.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ cifs-utils.spec ++++++ --- /var/tmp/diff_new_pack.n1lFqg/_old 2021-05-18 18:27:04.038799914 +0200 +++ /var/tmp/diff_new_pack.n1lFqg/_new 2021-05-18 18:27:04.038799914 +0200 @@ -21,7 +21,7 @@ %endif Name: cifs-utils -Version: 6.12 +Version: 6.13 Release: 0 Summary: Utilities for doing and managing mounts of the Linux CIFS filesystem License: GPL-3.0-or-later @@ -37,8 +37,7 @@ Source1: cifs.init Patch1: fix-sbin-install-error.patch -Patch2: 0001-cifs.upcall-try-to-use-container-ipc-uts-net-pid-mnt.patch -Patch3: 0001-cifs.upcall-fix-regression-in-kerberos-mount.patch +Patch2: 0001-cifs.upcall-fix-regression-in-kerberos-mount.patch # Both SSSD and cifs-utils provide an idmap plugin for cifs.ko # /etc/cifs-utils/idmap-plugin should be a symlink to one of the 2 idmap plugins 
@@ -136,7 +135,6 @@ %patch1 -p1 %patch2 -p1 -%patch3 -p1 %build export CFLAGS="%{optflags} -D_GNU_SOURCE -fpie" ++++++ cifs-utils-6.12.tar.bz2 -> cifs-utils-6.13.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cifs-utils-6.12/autom4te.cache/output.0 new/cifs-utils-6.13/autom4te.cache/output.0 --- old/cifs-utils-6.12/autom4te.cache/output.0 2020-12-31 19:48:31.000000000 +0100 +++ new/cifs-utils-6.13/autom4te.cache/output.0 2021-04-13 01:59:30.000000000 +0200 @@ -1,6 +1,6 @@ @%:@! /bin/sh @%:@ Guess values for system-dependent variables and create Makefiles. -@%:@ Generated by GNU Autoconf 2.69 for cifs-utils 6.12. +@%:@ Generated by GNU Autoconf 2.69 for cifs-utils 6.13. @%:@ @%:@ Report bugs to <linux-c...@vger.kernel.org>. @%:@ @@ -580,8 +580,8 @@ # Identity of this package. PACKAGE_NAME='cifs-utils' PACKAGE_TARNAME='cifs-utils' -PACKAGE_VERSION='6.12' -PACKAGE_STRING='cifs-utils 6.12' +PACKAGE_VERSION='6.13' +PACKAGE_STRING='cifs-utils 6.13' PACKAGE_BUGREPORT='linux-c...@vger.kernel.org' PACKAGE_URL='https://wiki.samba.org/index.php/LinuxCIFS_utils' @@ -1338,7 +1338,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures cifs-utils 6.12 to adapt to many kinds of systems. +\`configure' configures cifs-utils 6.13 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1409,7 +1409,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of cifs-utils 6.12:";; + short | recursive ) echo "Configuration of cifs-utils 6.13:";; esac cat <<\_ACEOF @@ -1537,7 +1537,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -cifs-utils configure 6.12 +cifs-utils configure 6.13 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -2006,7 +2006,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by cifs-utils $as_me 6.12, which was +It was created by cifs-utils $as_me 6.13, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2876,7 +2876,7 @@ # Define the identity of the package. PACKAGE='cifs-utils' - VERSION='6.12' + VERSION='6.13' cat >>confdefs.h <<_ACEOF @@ -6837,7 +6837,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by cifs-utils $as_me 6.12, which was +This file was extended by cifs-utils $as_me 6.13, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -6904,7 +6904,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -cifs-utils config.status 6.12 +cifs-utils config.status 6.13 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cifs-utils-6.12/autom4te.cache/output.1 new/cifs-utils-6.13/autom4te.cache/output.1 --- old/cifs-utils-6.12/autom4te.cache/output.1 2020-12-31 19:48:33.000000000 +0100 +++ new/cifs-utils-6.13/autom4te.cache/output.1 2021-04-13 01:59:33.000000000 +0200 @@ -1,6 +1,6 @@ @%:@! /bin/sh @%:@ Guess values for system-dependent variables and create Makefiles. -@%:@ Generated by GNU Autoconf 2.69 for cifs-utils 6.12. +@%:@ Generated by GNU Autoconf 2.69 for cifs-utils 6.13. @%:@ @%:@ Report bugs to <linux-c...@vger.kernel.org>. @%:@ 
@@ -580,8 +580,8 @@ # Identity of this package. PACKAGE_NAME='cifs-utils' PACKAGE_TARNAME='cifs-utils' -PACKAGE_VERSION='6.12' -PACKAGE_STRING='cifs-utils 6.12' +PACKAGE_VERSION='6.13' +PACKAGE_STRING='cifs-utils 6.13' PACKAGE_BUGREPORT='linux-c...@vger.kernel.org' PACKAGE_URL='https://wiki.samba.org/index.php/LinuxCIFS_utils' @@ -1338,7 +1338,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures cifs-utils 6.12 to adapt to many kinds of systems. +\`configure' configures cifs-utils 6.13 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1409,7 +1409,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of cifs-utils 6.12:";; + short | recursive ) echo "Configuration of cifs-utils 6.13:";; esac cat <<\_ACEOF @@ -1537,7 +1537,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -cifs-utils configure 6.12 +cifs-utils configure 6.13 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2006,7 +2006,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by cifs-utils $as_me 6.12, which was +It was created by cifs-utils $as_me 6.13, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2876,7 +2876,7 @@ # Define the identity of the package. PACKAGE='cifs-utils' - VERSION='6.12' + VERSION='6.13' cat >>confdefs.h <<_ACEOF @@ -6837,7 +6837,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by cifs-utils $as_me 6.12, which was +This file was extended by cifs-utils $as_me 6.13, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -6904,7 +6904,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -cifs-utils config.status 6.12 +cifs-utils config.status 6.13 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cifs-utils-6.12/autom4te.cache/requests new/cifs-utils-6.13/autom4te.cache/requests --- old/cifs-utils-6.12/autom4te.cache/requests 2020-12-31 19:48:33.000000000 +0100 +++ new/cifs-utils-6.13/autom4te.cache/requests 2021-04-13 01:59:33.000000000 +0200 
@@ -37,58 +37,58 @@ 'configure.ac' ], { - '_AM_PROG_TAR' => 1, - 'AM_SET_LEADING_DOT' => 1, - 'PKG_CHECK_EXISTS' => 1, - '_AM_AUTOCONF_VERSION' => 1, - 'AC_CONFIG_MACRO_DIR_TRACE' => 1, + 'AC_LIBCAP' => 1, '_PKG_SHORT_ERRORS_SUPPORTED' => 1, + 'm4_include' => 1, + '_AM_CONFIG_MACRO_DIRS' => 1, + '_AM_DEPENDENCIES' => 1, + 'AC_TEST_WBCHL' => 1, + 'AM_SANITY_CHECK' => 1, + 'AM_MISSING_HAS_RUN' => 1, + 'AM_SET_CURRENT_AUTOMAKE_VERSION' => 1, + 'AM_RUN_LOG' => 1, + 'PKG_CHECK_MODULES_STATIC' => 1, + 'AM_SILENT_RULES' => 1, + 'AC_CONFIG_MACRO_DIR' => 1, + 'AM_MISSING_PROG' => 1, + 'm4_pattern_allow' => 1, 'AM_SET_DEPDIR' => 1, - 'PKG_INSTALLDIR' => 1, '_AM_SET_OPTIONS' => 1, - 'AU_DEFUN' => 1, - '_AM_IF_OPTION' => 1, 'AM_INIT_AUTOMAKE' => 1, - 'AM_PROG_CC_C_O' => 1, + 'AM_PROG_INSTALL_SH' => 1, + 'AM_AUTOMAKE_VERSION' => 1, + 'AM_SUBST_NOTMAKE' => 1, + 'AU_DEFUN' => 1, 'PKG_NOARCH_INSTALLDIR' => 1, - 'PKG_CHECK_VAR' => 1, 'm4_pattern_forbid' => 1, - 'AM_PROG_INSTALL_STRIP' => 1, + 'AM_MAKE_INCLUDE' => 1, + '_AC_AM_CONFIG_HEADER_HOOK' => 1, + '_m4_warn' => 1, + 'AM_DEP_TRACK' => 1, + 'PKG_INSTALLDIR' => 1, + 'AM_PROG_CC_C_O' => 1, 'AC_DEFUN' => 1, + 'include' => 1, + '_AM_SUBST_NOTMAKE' => 1, + '_AM_AUTOCONF_VERSION' => 1, + 'AM_PROG_INSTALL_STRIP' => 1, + '_AM_PROG_TAR' => 1, + '_AM_SET_OPTION' => 1, 'PKG_PROG_PKG_CONFIG' => 1, - 'AM_MISSING_PROG' => 1, - 'PKG_CHECK_MODULES_STATIC' => 1, - 'AC_CONFIG_MACRO_DIR' => 1, + 'PKG_CHECK_VAR' => 1, '_AM_PROG_CC_C_O' => 1, - 'AM_MISSING_HAS_RUN' => 1, - '_AM_OUTPUT_DEPENDENCY_COMMANDS' => 1, - '_AM_SET_OPTION' => 1, 'AC_TEST_WBC_IDMAP_BOTH' => 1, - 'AC_TEST_WBCHL' => 1, - 'AM_PROG_INSTALL_SH' => 1, - '_AC_AM_CONFIG_HEADER_HOOK' => 1, - 'AM_SUBST_NOTMAKE' => 1, - 'AM_SILENT_RULES' => 1, - 'AM_SET_CURRENT_AUTOMAKE_VERSION' => 1, 'PKG_CHECK_MODULES' => 1, - 'm4_include' => 1, - '_AM_SUBST_NOTMAKE' => 1, - '_m4_warn' => 1, - 'AM_CONDITIONAL' => 1, - 'm4_pattern_allow' => 1, - 'AM_MAKE_INCLUDE' => 1, - 'include' => 1, - 
'_AM_CONFIG_MACRO_DIRS' => 1, - 'AC_DEFUN_ONCE' => 1, - '_AM_DEPENDENCIES' => 1, - 'AM_DEP_TRACK' => 1, - 'AM_RUN_LOG' => 1, 'AM_AUX_DIR_EXPAND' => 1, - '_AM_MANGLE_OPTION' => 1, - 'AC_LIBCAP' => 1, - 'AM_SANITY_CHECK' => 1, + 'AC_DEFUN_ONCE' => 1, + 'AM_CONDITIONAL' => 1, 'AM_OUTPUT_DEPENDENCY_COMMANDS' => 1, - 'AM_AUTOMAKE_VERSION' => 1 + '_AM_MANGLE_OPTION' => 1, + 'AM_SET_LEADING_DOT' => 1, + 'PKG_CHECK_EXISTS' => 1, + 'AC_CONFIG_MACRO_DIR_TRACE' => 1, + '_AM_OUTPUT_DEPENDENCY_COMMANDS' => 1, + '_AM_IF_OPTION' => 1 } ], 'Autom4te::Request' ), bless( [ 
@@ -103,66 +103,66 @@ 'configure.ac' ], { - 'm4_include' => 1, - '_AM_SUBST_NOTMAKE' => 1, - 'AM_EXTRA_RECURSIVE_TARGETS' => 1, - 'AM_PROG_FC_C_O' => 1, - 'sinclude' => 1, - 'AC_FC_PP_DEFINE' => 1, + 'AM_PROG_CXX_C_O' => 1, 'AM_CONDITIONAL' => 1, - 'm4_pattern_allow' => 1, - 'AC_INIT' => 1, - '_m4_warn' => 1, - 'AC_FC_PP_SRCEXT' => 1, - 'AC_CONFIG_FILES' => 1, - '_LT_AC_TAGCONFIG' => 1, - 'AC_CONFIG_LIBOBJ_DIR' => 1, + 'AC_FC_SRCEXT' => 1, + 'AC_CANONICAL_SYSTEM' => 1, + 'AC_PROG_LIBTOOL' => 1, + 'LT_CONFIG_LTDL_DIR' => 1, + 'AC_LIBSOURCE' => 1, 'AM_PROG_MKDIR_P' => 1, + 'AM_PROG_F77_C_O' => 1, + 'LT_SUPPORTED_TAG' => 1, 'm4_sinclude' => 1, - 'AM_SILENT_RULES' => 1, - 'AM_PROG_AR' => 1, + 'AC_CANONICAL_TARGET' => 1, + 'AM_PROG_MOC' => 1, + '_AM_COND_ENDIF' => 1, 'AC_CANONICAL_BUILD' => 1, - 'AC_REQUIRE_AUX_FILE' => 1, - 'AM_MAINTAINER_MODE' => 1, + '_m4_warn' => 1, + 'AC_DEFINE_TRACE_LITERAL' => 1, + 'AM_PROG_AR' => 1, + 'AC_INIT' => 1, 'AC_SUBST' => 1, - 'AM_PATH_GUILE' => 1, - 'AM_PROG_F77_C_O' => 1, - 'AM_GNU_GETTEXT_INTL_SUBDIR' => 1, - 'AM_AUTOMAKE_VERSION' => 1, - 'AM_PROG_CXX_C_O' => 1, + 'AM_MAINTAINER_MODE' => 1, + 'AC_CONFIG_SUBDIRS' => 1, + 'm4_pattern_forbid' => 1, + '_AM_SUBST_NOTMAKE' => 1, + 'include' => 1, + 'AM_PROG_CC_C_O' => 1, + 'AC_FC_PP_SRCEXT' => 1, 'AM_MAKEFILE_INCLUDE' => 1, - 'AC_LIBSOURCE' => 1, - 'AM_POT_TOOLS' => 1, - 'AC_DEFINE_TRACE_LITERAL' => 1, - 'AC_SUBST_TRACE' => 1, 'AC_CONFIG_AUX_DIR' => 1, - 'LT_CONFIG_LTDL_DIR' => 1, - 'include' => 1, - 'AM_ENABLE_MULTILIB' => 1, - 'LT_SUPPORTED_TAG' => 1, - 'AH_OUTPUT' => 1, - 'AC_FC_FREEFORM' => 1, - '_AM_COND_ENDIF' => 1, - '_AM_MAKEFILE_INCLUDE' => 1, - 'AC_CANONICAL_TARGET' => 1, + 'm4_pattern_allow' => 1, + 'AM_PROG_FC_C_O' => 1, + 'AM_AUTOMAKE_VERSION' => 1, + 'AC_CANONICAL_HOST' => 1, + 'AC_REQUIRE_AUX_FILE' => 1, + 'AM_INIT_AUTOMAKE' => 1, + 'AM_PATH_GUILE' => 1, 'AC_CONFIG_LINKS' => 1, + 'AC_FC_FREEFORM' => 1, + 'AC_CONFIG_LIBOBJ_DIR' => 1, + 'AC_CONFIG_HEADERS' => 1, 
'AM_GNU_GETTEXT' => 1, - 'AC_CONFIG_SUBDIRS' => 1, - '_AM_COND_IF' => 1, - 'AM_PROG_LIBTOOL' => 1, - 'AM_XGETTEXT_OPTION' => 1, - 'AM_PROG_MOC' => 1, - 'AC_CANONICAL_SYSTEM' => 1, 'AM_NLS' => 1, + 'sinclude' => 1, '_AM_COND_ELSE' => 1, - 'AC_PROG_LIBTOOL' => 1, - 'AC_CANONICAL_HOST' => 1, + 'AC_SUBST_TRACE' => 1, + 'AM_SILENT_RULES' => 1, + 'AM_PROG_LIBTOOL' => 1, + 'AM_POT_TOOLS' => 1, + 'AM_XGETTEXT_OPTION' => 1, + '_AM_MAKEFILE_INCLUDE' => 1, + 'AH_OUTPUT' => 1, + 'AM_ENABLE_MULTILIB' => 1, + 'AM_GNU_GETTEXT_INTL_SUBDIR' => 1, + 'm4_include' => 1, + 'AC_CONFIG_FILES' => 1, + 'AM_EXTRA_RECURSIVE_TARGETS' => 1, 'LT_INIT' => 1, - 'm4_pattern_forbid' => 1, - 'AC_CONFIG_HEADERS' => 1, - 'AC_FC_SRCEXT' => 1, - 'AM_PROG_CC_C_O' => 1, - 'AM_INIT_AUTOMAKE' => 1 + 'AC_FC_PP_DEFINE' => 1, + '_AM_COND_IF' => 1, + '_LT_AC_TAGCONFIG' => 1 } ], 'Autom4te::Request' ) ); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cifs-utils-6.12/autom4te.cache/traces.1 new/cifs-utils-6.13/autom4te.cache/traces.1 --- old/cifs-utils-6.12/autom4te.cache/traces.1 2020-12-31 19:48:33.000000000 +0100 +++ new/cifs-utils-6.13/autom4te.cache/traces.1 2021-04-13 01:59:33.000000000 +0200 
@@ -1,6 +1,6 @@ m4trace:aclocal.m4:1429: -1- m4_include([aclocal/idmap.m4]) m4trace:aclocal.m4:1430: -1- m4_include([aclocal/libcap.m4]) -m4trace:configure.ac:4: -1- AC_INIT([cifs-utils], [6.12], [linux-c...@vger.kernel.org], [cifs-utils], [https://wiki.samba.org/index.php/LinuxCIFS_utils]) +m4trace:configure.ac:4: -1- AC_INIT([cifs-utils], [6.13], [linux-c...@vger.kernel.org], [cifs-utils], [https://wiki.samba.org/index.php/LinuxCIFS_utils]) m4trace:configure.ac:4: -1- m4_pattern_forbid([^_?A[CHUM]_]) m4trace:configure.ac:4: -1- m4_pattern_forbid([_AC_]) m4trace:configure.ac:4: -1- m4_pattern_forbid([^LIBOBJS$], [do not use LIBOBJS directly, use AC_LIBOBJ (see section `AC_LIBOBJ vs LIBOBJS']) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cifs-utils-6.12/cifs.upcall.c new/cifs-utils-6.13/cifs.upcall.c --- old/cifs-utils-6.12/cifs.upcall.c 2020-12-31 19:26:10.000000000 +0100 +++ new/cifs-utils-6.13/cifs.upcall.c 2021-04-13 01:34:48.000000000 +0200 @@ -51,6 +51,7 @@ #include <grp.h> #include <stdbool.h> #include <errno.h> +#include <sched.h> #include "data_blob.h" #include "spnego.h" 
@@ -240,6 +241,164 @@
 return credtime;
 }
 
+static struct namespace_file {
+ int nstype;
+ const char *name;
+ int fd;
+} namespace_files[] = {
+
+#ifdef CLONE_NEWCGROUP
+ { CLONE_NEWCGROUP, "cgroup", -1 },
+#endif
+
+#ifdef CLONE_NEWIPC
+ { CLONE_NEWIPC, "ipc", -1 },
+#endif
+
+#ifdef CLONE_NEWUTS
+ { CLONE_NEWUTS, "uts", -1 },
+#endif
+
+#ifdef CLONE_NEWNET
+ { CLONE_NEWNET, "net", -1 },
+#endif
+
+#ifdef CLONE_NEWPID
+ { CLONE_NEWPID, "pid", -1 },
+#endif
+
+#ifdef CLONE_NEWTIME
+ { CLONE_NEWTIME, "time", -1 },
+#endif
+
+#ifdef CLONE_NEWNS
+ { CLONE_NEWNS, "mnt", -1 },
+#endif
+
+#ifdef CLONE_NEWUSER
+ { CLONE_NEWUSER, "user", -1 },
+#endif
+};
+
+#define NS_PATH_FMT "/proc/%d/ns/%s"
+#define NS_PATH_MAXLEN (6 + 10 + 4 + 6 + 1)
+
+/**
+ * in_same_user_ns - return true if two processes are in the same user
+ * namespace.
+ * @pid_a: the pid of the first process
+ * @pid_b: the pid of the second process
+ *
+ * Works by comparing the inode numbers for /proc/<pid>/user.
+ */
+static int
+in_same_user_ns(pid_t pid_a, pid_t pid_b)
+{
+ char path[NS_PATH_MAXLEN];
+ ino_t a_ino, b_ino;
+ struct stat st;
+
+ snprintf(path, sizeof(path), NS_PATH_FMT, pid_a, "user");
+ if (stat(path, &st) != 0)
+ return 0;
+ a_ino = st.st_ino;
+
+ snprintf(path, sizeof(path), NS_PATH_FMT, pid_b, "user");
+ if (stat(path, &st) != 0)
+ return 0;
+ b_ino = st.st_ino;
+
+ return a_ino == b_ino;
+}
+
+/**
+ * switch_to_process_ns - change the namespace to the one for the specified
+ * process.
+ * @pid: initiating pid value from the upcall string
+ *
+ * Uses setns() to switch process namespace.
+ * This ensures that we have the same access and configuration as the
+ * process that triggered the lookup.
+ */
+static int
+switch_to_process_ns(pid_t pid)
+{
+ int count = sizeof(namespace_files) / sizeof(struct namespace_file);
+ int n, err = 0;
+ int rc = 0;
+
+ /* First, open all the namespace fds. We do this first because
+ the namespace changes might prohibit us from opening them. */
+ for (n = 0; n < count; ++n) {
+ char nspath[NS_PATH_MAXLEN];
+ int ret, fd;
+
+#ifdef CLONE_NEWUSER
+ if (namespace_files[n].nstype == CLONE_NEWUSER
+ && in_same_user_ns(getpid(), pid)) {
+ /* Switching to the same user namespace is forbidden,
+ because switching to a user namespace grants all
+ capabilities in that namespace regardless of uid. */
+ namespace_files[n].fd = -1;
+ continue;
+ }
+#endif
+
+ ret = snprintf(nspath, NS_PATH_MAXLEN, NS_PATH_FMT,
+ pid, namespace_files[n].name);
+ if (ret >= NS_PATH_MAXLEN) {
+ syslog(LOG_DEBUG, "%s: unterminated path!\n", __func__);
+ err = ENAMETOOLONG;
+ rc = -1;
+ goto out;
+ }
+
+ fd = open(nspath, O_RDONLY);
+ if (fd < 0 && errno != ENOENT) {
+ /*
+ * don't stop on non-existing ns
+ * but stop for other errors
+ */
+ err = errno;
+ rc = -1;
+ goto out;
+ }
+
+ namespace_files[n].fd = fd;
+ }
+
+ /* Next, call setns for each of them */
+ for (n = 0; n < count; ++n) {
+ /* skip non-existing ns */
+ if (namespace_files[n].fd < 0)
+ continue;
+
+ rc = setns(namespace_files[n].fd, namespace_files[n].nstype);
+
+ if (rc < 0) {
+ syslog(LOG_DEBUG, "%s: setns() failed for %s\n",
+ __func__, namespace_files[n].name);
+ err = errno;
+ goto out;
+ }
+ }
+
+out:
+ /* Finally, close all the fds */
+ for (n = 0; n < count; ++n) {
+ if (namespace_files[n].fd != -1) {
+ close(namespace_files[n].fd);
+ namespace_files[n].fd = -1;
+ }
+ }
+
+ if (rc != 0) {
+ errno = err;
+ }
+
+ return rc;
+}
+
 #define ENV_PATH_FMT "/proc/%d/environ"
 #define ENV_PATH_MAXLEN (6 + 10 + 8 + 1)
 
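Review bot: In the first loop of switch_to_process_ns(), ENOENT from open() is tolerated for every table entry, so when /proc/<pid>/ns is missing altogether (the pid from the upcall string has exited or was never valid) nothing is opened, setns() is never called and the function still returns 0. The caller then appears to carry on in the helper's own namespaces, and since the changelog ties this release to a Kerberos credential leak in containers, that looks like the unsafe direction; tolerating a namespace type the kernel lacks should not also cover a missing process. Counting successful opens and failing when there are none would separate the two cases, e.g. `if (opened == 0) { err = ESRCH; rc = -1; goto out; }` after the loop, and if a missing pid has to be tolerated the caller should decide that explicitly. Separately, in the setns() failure branch `err = errno;` runs after syslog(), which may change errno, so the assignment should move above the log call.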
@@ -1109,6 +1268,19 @@ env_cachename = get_cachename_from_process_env(env_probe ? arg.pid : 0); + /* + * Change to the process's namespace. This means that things will work + * acceptably in containers, because we'll be looking at the correct + * filesystem and have the correct network configuration. + */ + rc = switch_to_process_ns(arg.pid); + if (rc == -1) { + syslog(LOG_ERR, "unable to switch to process namespace: %s", + strerror(errno)); + rc = 1; + goto out; + } + rc = setuid(uid); if (rc == -1) { syslog(LOG_ERR, "setuid: %s", strerror(errno)); diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cifs-utils-6.12/configure new/cifs-utils-6.13/configure --- old/cifs-utils-6.12/configure 2020-12-31 19:48:32.000000000 +0100 +++ new/cifs-utils-6.13/configure 2021-04-13 01:59:31.000000000 +0200 @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for cifs-utils 6.12. +# Generated by GNU Autoconf 2.69 for cifs-utils 6.13. # # Report bugs to <linux-c...@vger.kernel.org>. # @@ -580,8 +580,8 @@ # Identity of this package. PACKAGE_NAME='cifs-utils' PACKAGE_TARNAME='cifs-utils' -PACKAGE_VERSION='6.12' -PACKAGE_STRING='cifs-utils 6.12' +PACKAGE_VERSION='6.13' +PACKAGE_STRING='cifs-utils 6.13' PACKAGE_BUGREPORT='linux-c...@vger.kernel.org' PACKAGE_URL='https://wiki.samba.org/index.php/LinuxCIFS_utils' @@ -1338,7 +1338,7 @@ # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures cifs-utils 6.12 to adapt to many kinds of systems. +\`configure' configures cifs-utils 6.13 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... 
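Review bot: The comment added above the switch_to_process_ns() call in cifs.upcall.c explains the benefit of the switch but not the ordering constraints that make this exact placement matter. The call has to stay ahead of `rc = setuid(uid);` because setns() needs privileges the helper presumably gives up there, and it appears to have to stay after the /proc/<pid>/environ probe on the preceding line, since /proc may look different once the mount and pid namespaces change. I would extend the comment with something like `Must run after the environ probe and before setuid(); from here on every path lookup resolves inside namespaces chosen by the process that triggered the upcall.` The error path logs only `strerror(errno)`, and adding `arg.pid` to that message would make a failed switch easier to trace in syslog. The enclosing function starts and ends outside this hunk.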
@@ -1409,7 +1409,7 @@ if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of cifs-utils 6.12:";; + short | recursive ) echo "Configuration of cifs-utils 6.13:";; esac cat <<\_ACEOF @@ -1537,7 +1537,7 @@ test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -cifs-utils configure 6.12 +cifs-utils configure 6.13 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2006,7 +2006,7 @@ This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by cifs-utils $as_me 6.12, which was +It was created by cifs-utils $as_me 6.13, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2876,7 +2876,7 @@ # Define the identity of the package. PACKAGE='cifs-utils' - VERSION='6.12' + VERSION='6.13' cat >>confdefs.h <<_ACEOF @@ -6837,7 +6837,7 @@ # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by cifs-utils $as_me 6.12, which was +This file was extended by cifs-utils $as_me 6.13, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -6904,7 +6904,7 @@ cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -cifs-utils config.status 6.12 +cifs-utils config.status 6.13 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/cifs-utils-6.12/configure.ac new/cifs-utils-6.13/configure.ac --- old/cifs-utils-6.12/configure.ac 2020-12-31 19:26:10.000000000 +0100 +++ new/cifs-utils-6.13/configure.ac 2021-04-13 01:34:48.000000000 +0200 
@@ -1,7 +1,7 @@ # -*- Autoconf -*- # Process this file with autoconf to produce a configure script. -AC_INIT([cifs-utils],[6.12],[linux-c...@vger.kernel.org],[cifs-utils],[https://wiki.samba.org/index.php/LinuxCIFS_utils]) +AC_INIT([cifs-utils],[6.13],[linux-c...@vger.kernel.org],[cifs-utils],[https://wiki.samba.org/index.php/LinuxCIFS_utils]) AC_CONFIG_SRCDIR([data_blob.h]) AC_CONFIG_HEADERS([config.h]) AC_CONFIG_FILES([Makefile contrib/Makefile contrib/request-key.d/Makefile])