Description: fix denial of service via stale mtab lockfile
Origin: backport, http://git.samba.org/?p=cifs-utils.git;a=commitdiff;h=810f7e4e0f2dbcbee0294d9b371071cb08268200
4
Index: samba-3.4.7~dfsg/source3/client/mount.cifs.c
5
===================================================================
6
--- samba-3.4.7~dfsg.orig/source3/client/mount.cifs.c 2011-09-29 09:21:45.361326382 -0400
7
+++ samba-3.4.7~dfsg/source3/client/mount.cifs.c 2011-09-29 09:25:33.893332232 -0400
14
#define MOUNT_CIFS_VERSION_MAJOR "1"
15
#define MOUNT_CIFS_VERSION_MINOR "12"
19
/* caller frees username if necessary */
20
-static char * getusername(void) {
21
+static char * getusername(uid_t uid) {
22
char *username = NULL;
23
- struct passwd *password = getpwuid(getuid());
24
+ struct passwd *password = getpwuid(uid);
27
username = password->pw_name;
29
const char * ipaddr = NULL;
31
char * mountpoint = NULL;
32
+ char * mount_user = NULL;
33
char * options = NULL;
35
char * resolved_path = NULL;
37
struct sockaddr_in *addr4;
38
struct sockaddr_in6 *addr6;
40
+ sigset_t mask, oldmask;
42
/* setlocale(LC_ALL, "");
43
bindtextdomain(PACKAGE, LOCALEDIR);
46
user_name = strdup(getenv("USER"));
47
if (user_name == NULL)
48
- user_name = getusername();
49
+ user_name = getusername(getuid());
53
@@ -1530,6 +1533,38 @@
60
+ mount_user = getusername(uid);
63
+ * Set the real uid to the effective uid. This prevents unprivileged
64
+ * users from sending signals to this process, though ^c on controlling
65
+ * terminal should still work.
67
+ rc = setreuid(geteuid(), -1);
69
+ fprintf(stderr, "Unable to set real uid to effective uid: %s\n",
75
+ rc = sigfillset(&mask);
77
+ fprintf(stderr, "Unable to set filled signal mask\n");
82
+ rc = sigprocmask(SIG_SETMASK, &mask, &oldmask);
84
+ fprintf(stderr, "Unable to make process ignore signals\n");
93
mountent.mnt_type = CONST_DISCARD(char *,"cifs");
94
mountent.mnt_opts = (char *)malloc(220);
95
if(mountent.mnt_opts) {
96
- char * mount_user = getusername();
97
memset(mountent.mnt_opts,0,200);
99
strlcat(mountent.mnt_opts,"ro",220);
100
@@ -1581,6 +1615,7 @@
101
SAFE_FREE(mountent.mnt_opts);
104
+ sigprocmask(SIG_SETMASK, &oldmask, NULL);
107
int len = strlen(mountpassword);
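Review bot: `mount_user = getusername(uid);` now runs well before the mtab entry is built, but getusername() returns `password->pw_name`, which points into getpwuid()'s static storage, so any passwd lookup between this call and the `mnt_opts` block would silently change the user name written to mtab. The removed line did the lookup at the point of use; either keep it there with the saved `uid`, or take a copy (`mount_user = mount_user ? strdup(mount_user) : NULL;`) and free it once the entry has been added. The comment "caller frees username if necessary" above getusername() does not match a pointer the caller must never free, and should say so. Separately, the restoring `sigprocmask(SIG_SETMASK, &oldmask, NULL);` ignores its return value while the blocking call checks `rc`; the code between the two is not fully visible on this page, so whether every path out of the locked region restores the mask cannot be confirmed from here.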