diff mbox series

cifs: fix setting SecurityFlags to true

Message ID CAH2r5mv2V3vdupgmR75WsNGrfdbaPo0Mw+6x82KK9vgUYu5AkQ@mail.gmail.com
State New
Headers show
Series cifs: fix setting SecurityFlags to true | expand

Commit Message

Steve French July 9, 2024, 11:45 p.m. UTC 
If you try to set /proc/fs/cifs/SecurityFlags to 1 it
will set them to CIFSSEC_MUST_NTLMV2 which is obsolete and no
longer checked, and will cause mount to fail, so change this
to set it to a more understandable default (ie include Kerberos
as well).

Also change the description of the SecurityFlags to remove mention
of various flags which are no longer supported (due to removal
of weak security such as lanman and ntlmv1).

Comments

Steve French July 11, 2024, 3:40 p.m. UTC | #1 
V2 of patch

    If you try to set /proc/fs/cifs/SecurityFlags to 1 it
    will set them to CIFSSEC_MUST_NTLMV2 which no longer is
    relevant (the less secure ones like lanman have been removed
    from cifs.ko) and is also missing some flags (like for
    signing and encryption) and can even cause mount to fail,
    so change this to set it to Kerberos in this case.

    Also change the description of the SecurityFlags to remove mention
    of flags which are no longer supported.

On Tue, Jul 9, 2024 at 6:45 PM Steve French <smfrench@gmail.com> wrote:
>
> If you try to set /proc/fs/cifs/SecurityFlags to 1 it
> will set them to CIFSSEC_MUST_NTLMV2 which is obsolete and no
> longer checked, and will cause mount to fail, so change this
> to set it to a more understandable default (ie include Kerberos
> as well).
>
> Also change the description of the SecurityFlags to remove mention
> of various flags which are no longer supported (due to removal
> of weak security such as lanman and ntlmv1).
>
>
>
> --
> Thanks,
>
> Steve
Shyam Prasad N July 13, 2024, 5:48 a.m. UTC | #2 
On Thu, Jul 11, 2024 at 9:12 PM Steve French <smfrench@gmail.com> wrote:
>
> V2 of patch
>
>     If you try to set /proc/fs/cifs/SecurityFlags to 1 it
>     will set them to CIFSSEC_MUST_NTLMV2 which no longer is
>     relevant (the less secure ones like lanman have been removed
>     from cifs.ko) and is also missing some flags (like for
>     signing and encryption) and can even cause mount to fail,
>     so change this to set it to Kerberos in this case.
>
>     Also change the description of the SecurityFlags to remove mention
>     of flags which are no longer supported.
>
> On Tue, Jul 9, 2024 at 6:45 PM Steve French <smfrench@gmail.com> wrote:
> >
> > If you try to set /proc/fs/cifs/SecurityFlags to 1 it
> > will set them to CIFSSEC_MUST_NTLMV2 which is obsolete and no
> > longer checked, and will cause mount to fail, so change this
> > to set it to a more understandable default (ie include Kerberos
> > as well).
> >
> > Also change the description of the SecurityFlags to remove mention
> > of various flags which are no longer supported (due to removal
> > of weak security such as lanman and ntlmv1).
> >
> >
> >
> > --
> > Thanks,
> >
> > Steve
>
>
>
> --
> Thanks,
>
> Steve

Looks good to me.
diff mbox series

Patch

From e8e82087796327a140f3542825f4ddeb7fd0dfb0 Mon Sep 17 00:00:00 2001
From: Steve French <stfrench@microsoft.com>
Date: Tue, 9 Jul 2024 18:07:35 -0500
Subject: [PATCH] cifs: fix setting SecurityFlags to true

If you try to set /proc/fs/cifs/SecurityFlags to 1 it
will set them to CIFSSEC_MUST_NTLMV2 which is obsolete and no
longer checked, and will cause mount to fail, so change this
to set it to a more understandable default (ie include Kerberos
as well).

Also change the description of the SecurityFlags to remove mention
of flags which are no longer supported.

Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
---
 Documentation/admin-guide/cifs/usage.rst | 36 ++++++++----------------
 fs/smb/client/cifsglob.h                 |  4 +--
 2 files changed, 13 insertions(+), 27 deletions(-)

diff --git a/Documentation/admin-guide/cifs/usage.rst b/Documentation/admin-guide/cifs/usage.rst
index aa8290a29dc8..fd4b56c0996f 100644
--- a/Documentation/admin-guide/cifs/usage.rst
+++ b/Documentation/admin-guide/cifs/usage.rst
@@ -723,40 +723,26 @@  Configuration pseudo-files:
 ======================= =======================================================
 SecurityFlags		Flags which control security negotiation and
 			also packet signing. Authentication (may/must)
-			flags (e.g. for NTLM and/or NTLMv2) may be combined with
+			flags (e.g. for NTLMv2) may be combined with
 			the signing flags.  Specifying two different password
 			hashing mechanisms (as "must use") on the other hand
 			does not make much sense. Default flags are::
 
-				0x07007
-
-			(NTLM, NTLMv2 and packet signing allowed).  The maximum
-			allowable flags if you want to allow mounts to servers
-			using weaker password hashes is 0x37037 (lanman,
-			plaintext, ntlm, ntlmv2, signing allowed).  Some
-			SecurityFlags require the corresponding menuconfig
-			options to be enabled.  Enabling plaintext
-			authentication currently requires also enabling
-			lanman authentication in the security flags
-			because the cifs module only supports sending
-			laintext passwords using the older lanman dialect
-			form of the session setup SMB.  (e.g. for authentication
-			using plain text passwords, set the SecurityFlags
-			to 0x30030)::
+				0x00C5
+
+			(NTLMv2 and packet signing allowed).  Some SecurityFlags
+			may require enabling a corresponding menuconfig option.
 
 			  may use packet signing			0x00001
 			  must use packet signing			0x01001
-			  may use NTLM (most common password hash)	0x00002
-			  must use NTLM					0x02002
 			  may use NTLMv2				0x00004
 			  must use NTLMv2				0x04004
-			  may use Kerberos security			0x00008
-			  must use Kerberos				0x08008
-			  may use lanman (weak) password hash		0x00010
-			  must use lanman password hash			0x10010
-			  may use plaintext passwords			0x00020
-			  must use plaintext passwords			0x20020
-			  (reserved for future packet encryption)	0x00040
+			  may use Kerberos security (krb5)		0x00008
+			  must use Kerberos                             0x08008
+			  may use NTLMSSP               		0x00080
+			  must use NTLMSSP           			0x80080
+			  seal (packet encryption)			0x00040
+			  must seal (not implemented yet)               0x40040
 
 cifsFYI			If set to non-zero value, additional debug information
 			will be logged to the system error log.  This field
diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h
index 557b68e99d0a..fcfcb8429d32 100644
--- a/fs/smb/client/cifsglob.h
+++ b/fs/smb/client/cifsglob.h
@@ -1918,8 +1918,8 @@  require use of the stronger protocol */
 #define   CIFSSEC_MUST_SEAL	0x40040 /* not supported yet */
 #define   CIFSSEC_MUST_NTLMSSP	0x80080 /* raw ntlmssp with ntlmv2 */
 
-#define   CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP)
-#define   CIFSSEC_MAX (CIFSSEC_MUST_NTLMV2)
+#define   CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP | CIFSSEC_MAY_SIGN | CIFSSEC_MAY_SEAL)
+#define   CIFSSEC_MAX (CIFSSEC_MAY_KRB5 | CIFSSEC_DEF)
 #define   CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP)
 /*
  *****************************************************************
-- 
2.43.0