Message ID | 49B64C89.10407@suse.de (mailing list archive) |
---|---|
State | New, archived |
On Tue, Mar 10, 2009 at 6:18 AM, Suresh Jayaraman <sjayaraman@suse.de> wrote: > Currently, /proc/mounts does not display security mode of the cifs > mounts. With the availability multiple security modes including > kerberos security, it might be vital to display security mode as well. The actual security used is not per superblock but per session, and it would be misleading to leave out the global settings for extended security flags. The actual security flags that are used during negotiation are the default flags (set in proc) and flags which are overridden on mount See below: /* if any of auth flags (ie not sign or seal) are overriden use them */ if (ses->overrideSecFlg & (~(CIFSSEC_MUST_SIGN | CIFSSEC_MUST_SEAL))) secFlags = ses->overrideSecFlg; /* BB FIXME fix sign flags? */ else /* if override flags set only sign/seal OR them with global auth */ secFlags = extended_security | ses->overrideSecFlg; But these security flags don't tell us which mechanism finally ended up negotiated with the server - for this you need secType and secMode out of the session structure to be displayed instead of a per-mount new variable. We do display secMode in /proc (which indicates whether signing is required) but might be useful to display this more clearly, and it would be useful to display secType (which indicates what authentication mechanism was negotiated)
diff --git a/fs/cifs/cifs_fs_sb.h b/fs/cifs/cifs_fs_sb.h
index c4c306f..08b525a 100644
--- a/fs/cifs/cifs_fs_sb.h
+++ b/fs/cifs/cifs_fs_sb.h
@@ -39,6 +39,7 @@ struct cifs_sb_info {
 struct nls_table *local_nls;
 unsigned int rsize;
 unsigned int wsize;
+ unsigned int sec_flag;
 uid_t mnt_uid;
 gid_t mnt_gid;
 mode_t mnt_file_mode;
diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
index 13ea532..9c48c46 100644
--- a/fs/cifs/cifsfs.c
+++ b/fs/cifs/cifsfs.c
@@ -331,6 +331,33 @@ cifs_destroy_inode(struct inode *inode)
 }
 /*
+ * Map the security flags to the corresponding mode
+ */
+static const char *secflags_to_mode(unsigned int secflag)
+{
+ static const struct {
+ unsigned int flag;
+ const char *mode;
+ } sec_modes[] = {
+ { CIFSSEC_MAY_KRB5 | CIFSSEC_MUST_SIGN, "krb5i"},
+ { CIFSSEC_MAY_KRB5, "krb5"},
+ { CIFSSEC_MAY_NTLMV2 | CIFSSEC_MUST_SIGN, "ntlmv2i"},
+ { CIFSSEC_MAY_NTLMV2, "ntlmv2"},
+ { CIFSSEC_MAY_NTLM | CIFSSEC_MUST_SIGN, "ntlm"},
+ { CIFSSEC_MAY_NTLM, "ntlm"},
+ { CIFSSEC_MAY_LANMAN, "lanman"}
+ };
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(sec_modes); i++) {
+ if (sec_modes[i].flag == secflag)
+ break;
+ }
+
+ return sec_modes[i].mode;
+}
+
+/*
 * cifs_show_options() is for displaying mount options in /proc/mounts.
 * Not all settable options are displayed but most of the important
 * ones are.
@@ -411,6 +438,11 @@ cifs_show_options(struct seq_file *s, struct vfsmount *m)
 seq_printf(s, ",cifsacl");
 if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_DYNPERM)
 seq_printf(s, ",dynperm");
+ if (cifs_sb->sec_flag)
+ seq_printf(s, ",sec=%s",
+ secflags_to_mode(cifs_sb->sec_flag));
+ else
+ seq_printf(s, ",sec=none");
 if (m->mnt_sb->s_flags & MS_POSIXACL)
 seq_printf(s, ",acl");
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index da0f4ff..23e628e 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
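Review bot: `secflags_to_mode()` in the fs/cifs/cifsfs.c hunk reads past the end of `sec_modes[]` when no entry matches: the loop only breaks on an exact `==` match, so for any other value `i` ends at `ARRAY_SIZE(sec_modes)` and `return sec_modes[i].mode;` hands an out-of-bounds pointer to the `%s` in `cifs_show_options()`. The value is copied from `pvolume_info->secFlg` in the connect.c hunk, so any flag combination that is not a row of the table takes that path each time /proc/mounts is read. Return a fallback instead, e.g. `return i < ARRAY_SIZE(sec_modes) ? sec_modes[i].mode : "unknown";`. Separately, the `CIFSSEC_MAY_NTLM | CIFSSEC_MUST_SIGN` row maps to "ntlm", the same string as the unsigned row; this looks like a typo for "ntlmi" and is worth confirming.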
@@ -2174,6 +2174,11 @@ static void setup_cifs_sb(struct smb_vol *pvolume_info,
 cFYI(1, ("mounting share using direct i/o"));
 cifs_sb->mnt_cifs_flags |= CIFS_MOUNT_DIRECT_IO;
 }
+ /* sec flags */
+ if (pvolume_info->nullauth)
+ cifs_sb->sec_flag = 0;
+ else
+ cifs_sb->sec_flag = pvolume_info->secFlg;
 if ((pvolume_info->cifs_acl) && (pvolume_info->dynperm))
Currently, /proc/mounts does not display the security mode of the cifs mounts. With the availability of multiple security modes including kerberos security, it might be vital to display the security mode as well. Signed-off-by: Suresh Jayaraman <sjayaraman@suse.de> --- fs/cifs/cifs_fs_sb.h | 1 + fs/cifs/cifsfs.c | 32 ++++++++++++++++++++++++++++++++ fs/cifs/connect.c | 5 +++++ 3 files changed, 38 insertions(+), 0 deletions(-) cERROR(1, ("mount option dynperm ignored if cifsacl "