mirror of
https://github.com/systemd/systemd
synced 2024-10-15 12:34:37 +00:00
homework-cifs: Pass password via fd
Pass the password into mount.cifs via a file descriptor, rather than putting it into a plain-text file in /tmp. This uses the $PASSWD_FD environment variable, which is undocumented but has existed since forever (initial commit from 2010 [1] has it already) [1]: https://git.samba.org/?p=cifs-utils.git;a=blob;f=mount.cifs.c;hb=ce0b1609a9eedce6c5eb20eab287ea44217c0a6a#l1477
This commit is contained in:
parent
58d061b5aa
commit
606a1f203c
|
@ -5,6 +5,7 @@
|
|||
#include <linux/fs.h>
|
||||
#endif
|
||||
|
||||
#include "data-fd-util.h"
|
||||
#include "dirent-util.h"
|
||||
#include "fd-util.h"
|
||||
#include "fileio.h"
|
||||
|
@ -24,7 +25,7 @@ int home_setup_cifs(
|
|||
HomeSetupFlags flags,
|
||||
HomeSetup *setup) {
|
||||
|
||||
_cleanup_free_ char *chost = NULL, *cservice = NULL, *cdir = NULL, *chost_and_service = NULL, *j = NULL;
|
||||
_cleanup_free_ char *chost = NULL, *cservice = NULL, *cdir = NULL, *chost_and_service = NULL, *j = NULL, *options = NULL;
|
||||
int r;
|
||||
|
||||
assert(h);
|
||||
|
@ -53,49 +54,50 @@ int home_setup_cifs(
|
|||
if (!chost_and_service)
|
||||
return log_oom();
|
||||
|
||||
if (asprintf(&options, "user=%s,uid=" UID_FMT ",forceuid,gid=" GID_FMT ",forcegid,file_mode=0%3o,dir_mode=0%3o",
|
||||
user_record_cifs_user_name(h), h->uid, user_record_gid(h), user_record_access_mode(h),
|
||||
user_record_access_mode(h)) < 0)
|
||||
return log_oom();
|
||||
|
||||
if (h->cifs_domain)
|
||||
if (strextendf_with_separator(&options, ",", "domain=%s", h->cifs_domain) < 0)
|
||||
return log_oom();
|
||||
|
||||
if (h->cifs_extra_mount_options)
|
||||
if (!strextend_with_separator(&options, ",", h->cifs_extra_mount_options))
|
||||
return log_oom();
|
||||
|
||||
r = home_unshare_and_mkdir();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
STRV_FOREACH(pw, h->password) {
|
||||
_cleanup_(unlink_and_freep) char *p = NULL;
|
||||
_cleanup_free_ char *options = NULL;
|
||||
_cleanup_fclose_ FILE *f = NULL;
|
||||
_cleanup_close_ int passwd_fd = -EBADF;
|
||||
pid_t mount_pid;
|
||||
int exit_status;
|
||||
|
||||
r = fopen_temporary_child(NULL, &f, &p);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to create temporary credentials file: %m");
|
||||
|
||||
fprintf(f,
|
||||
"username=%s\n"
|
||||
"password=%s\n",
|
||||
user_record_cifs_user_name(h),
|
||||
*pw);
|
||||
|
||||
if (h->cifs_domain)
|
||||
fprintf(f, "domain=%s\n", h->cifs_domain);
|
||||
|
||||
r = fflush_and_check(f);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to write temporary credentials file: %m");
|
||||
|
||||
f = safe_fclose(f);
|
||||
|
||||
if (asprintf(&options, "credentials=%s,uid=" UID_FMT ",forceuid,gid=" GID_FMT ",forcegid,file_mode=0%3o,dir_mode=0%3o",
|
||||
p, h->uid, user_record_gid(h), user_record_access_mode(h), user_record_access_mode(h)) < 0)
|
||||
return log_oom();
|
||||
|
||||
if (h->cifs_extra_mount_options)
|
||||
if (!strextend_with_separator(&options, ",", h->cifs_extra_mount_options))
|
||||
return log_oom();
|
||||
passwd_fd = acquire_data_fd(*pw, strlen(*pw), /* flags= */ 0);
|
||||
if (passwd_fd < 0)
|
||||
return log_error_errno(passwd_fd, "Failed to create data FD for password: %m");
|
||||
|
||||
r = safe_fork("(mount)", FORK_RESET_SIGNALS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG_SIGTERM|FORK_LOG|FORK_STDOUT_TO_STDERR, &mount_pid);
|
||||
if (r < 0)
|
||||
return r;
|
||||
if (r == 0) {
|
||||
/* Child */
|
||||
|
||||
r = fd_cloexec(passwd_fd, false);
|
||||
if (r < 0) {
|
||||
log_error_errno(r, "Failed to disable CLOEXEC on password FD: %m");
|
||||
_exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
r = setenvf("PASSWD_FD", /* overwrite= */ true, "%d", passwd_fd);
|
||||
if (r < 0) {
|
||||
log_error_errno(errno, "Failed to set $PASSWD_FD: %m");
|
||||
_exit(EXIT_FAILURE);
|
||||
}
|
||||
|
||||
execl("/bin/mount", "/bin/mount", "-n", "-t", "cifs",
|
||||
chost_and_service, HOME_RUNTIME_WORK_DIR,
|
||||
"-o", options, NULL);
|
||||
|
|
Loading…
Reference in a new issue