The branch, master has been updated via 18e08c70900 docs: Avoid duplicate information on USER and PASSWD, reference the common section via 9b50d2e52e6 docs: Document all the other ways to send a password to smbclient et al via a363742635c docs: Ensure to rebuild manpages if samba.entities or samba.version changes from 867c6ff9f3f docs-xml: use upper case for "{client,server} smb3 {signing,encryption} algorithms" values
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 18e08c709002506fe217ca6a7a098fcdc00f8c29 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Aug 10 09:20:45 2021 +1200 docs: Avoid duplicate information on USER and PASSWD, reference the common section BUG: https://bugzilla.samba.org/show_bug.cgi?id=14791 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Thu Sep 9 00:52:09 UTC 2021 on sn-devel-184 commit 9b50d2e52e6c85bc3ab991cd8a4b870aff397bda Author: Andrew Bartlett <abart...@samba.org> Date: Tue Aug 10 09:14:08 2021 +1200 docs: Document all the other ways to send a password to smbclient et al This was previously hidden knowlege not easily available to administrators and end users. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14791 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> commit a363742635c54a6cb19363f4be9d2be2b731a5e6 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Aug 10 09:13:15 2021 +1200 docs: Ensure to rebuild manpages if samba.entities or samba.version changes BUG: https://bugzilla.samba.org/show_bug.cgi?id=14791 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> ----------------------------------------------------------------------- Summary of changes: buildtools/wafsamba/wafsamba.py | 6 ++++- docs-xml/build/DTD/samba.entities | 52 ++++++++++++++++++++++++++++++--------- docs-xml/manpages/smbclient.1.xml | 14 +++-------- 3 files changed, 50 insertions(+), 22 deletions(-) Changeset truncated at 500 lines: diff --git a/buildtools/wafsamba/wafsamba.py b/buildtools/wafsamba/wafsamba.py index dee007bf84e..865975cb2d1 100644 --- a/buildtools/wafsamba/wafsamba.py +++ b/buildtools/wafsamba/wafsamba.py @@ -946,9 +946,13 @@ def SAMBAMANPAGES(bld, manpages, extra_source=None): bld.env.SAMBA_CATALOGS = 'file:///etc/xml/catalog file:///usr/local/share/xml/catalog file://' + bld.env.SAMBA_CATALOG for m in manpages.split(): - source = m + '.xml' + source = [m + '.xml'] if extra_source is not None: source = [source, extra_source] + # ${SRC[1]} and ${SRC[2]} are not referenced in the + # SAMBA_GENERATOR but trigger the dependency calculation so + # ensures that manpages are rebuilt when these change. + source += ['build/DTD/samba.entities', 'build/DTD/samba.build.version'] bld.SAMBA_GENERATOR(m, source=source, target=m, diff --git a/docs-xml/build/DTD/samba.entities b/docs-xml/build/DTD/samba.entities index 80e051e7684..beff3cb1f6e 100644 --- a/docs-xml/build/DTD/samba.entities +++ b/docs-xml/build/DTD/samba.entities @@ -595,13 +595,16 @@ </para> <para> - If &pct;password is not specified, the user will be + If &pct;PASSWORD is not specified, the user will be prompted. The client will first check the - <envar>USER</envar> environment variable, then the - <envar>LOGNAME</envar> variable and if either exists, - the string is uppercased. If these environmental + <envar>USER</envar> environment variable + (which is also permitted to also contain the + password seperated by a &pct;), then the + <envar>LOGNAME</envar> variable (which is not + permitted to contain a password) and if either exists, + the value is used. If these environmental variables are not found, the username - <constant>GUEST</constant> is used. + found in a Kerberos Credentials cache may be used. </para> <para> @@ -616,9 +619,15 @@ </para> <para> - Be cautious about including passwords in scripts. For - security it is better to let the client ask for the - password if needed. + Be cautious about including passwords in scripts + or passing user-supplied values onto the command line. For + security it is better to let the Samba client tool ask for the + password if needed, or obtain the password once with <command>kinit</command>. + </para> + <para> + While Samba will attempt to scrub the password + from the process title (as seen in ps), this + is after startup and so is subject to a race. </para> </listitem> </varlistentry> @@ -659,10 +668,31 @@ Specify the password on the commandline. </para> + <para> Be cautious about including passwords in + scripts or passing user-supplied values onto + the command line. For security it is better to + let the Samba client tool ask for the password + if needed, or obtain the password once with + <command>kinit</command>. + </para> + + <para> If --password is not specified, + the tool will check the <envar>PASSWD</envar> + environment variable, followed by <envar>PASSWD_FD</envar> + which is expected to contain an open + file descriptor (FD) number. + </para> + <para> + Finally it will check <envar>PASSWD_FILE</envar> (containing + a file path to be opened). The file should only + contain the password. Make certain that the + permissions on the file restrict + access from unwanted users! + </para> <para> - Be cautious about including passwords in scripts. For - security it is better to let the client ask for the - password if needed. + While Samba will attempt to scrub the password + from the process title (as seen in ps), this + is after startup and so is subject to a race. </para> </listitem> </varlistentry> diff --git a/docs-xml/manpages/smbclient.1.xml b/docs-xml/manpages/smbclient.1.xml index 0de5b8a0e00..48ba59525d6 100644 --- a/docs-xml/manpages/smbclient.1.xml +++ b/docs-xml/manpages/smbclient.1.xml @@ -1193,16 +1193,10 @@ <refsect1> <title>ENVIRONMENT VARIABLES</title> - <para>The variable <envar>USER</envar> may contain the - username of the person using the client. This information is - used only if the protocol level is high enough to support - session-level passwords.</para> - - - <para>The variable <envar>PASSWD</envar> may contain - the password of the person using the client. This information is - used only if the protocol level is high enough to support - session-level passwords. </para> + <para>See the <command>--user</command> and + <command>--password</command> options for details on ways to + specify a username and password via an environment variable. + </para> </refsect1> -- Samba Shared Repository