@@ -43,6 +43,7 @@ struct cmdarg {
char *host;
char *user;
char keytype;
+ unsigned int timeout;
};
struct command {
@@ -59,7 +60,7 @@ static int cifscreds_update(struct cmdarg *arg);
static const char *thisprogram;
static struct command commands[] = {
- { cifscreds_add, "add", "[-u username] [-d] <host|domain>" },
+ { cifscreds_add, "add", "[-u username] [-d] <host|domain> [-t timeout]" },
{ cifscreds_clear, "clear", "[-u username] [-d] <host|domain>" },
{ cifscreds_clearall, "clearall", "" },
{ cifscreds_update, "update", "[-u username] [-d] <host|domain>" },
@@ -69,6 +70,7 @@ static struct command commands[] = {
static struct option longopts[] = {
{"username", 1, NULL, 'u'},
{"domain", 0, NULL, 'd' },
+ {"timeout", 0, NULL, 't' },
{NULL, 0, NULL, 0}
};
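Review bot: The new `timeout` entry sets `has_arg` to 0, so `--timeout` is parsed as an option without an argument and `optarg` is NULL when the `'t'` case in main() calls `atoi(optarg)`. The entry should require an argument the same way `username` does: `{"timeout", 1, NULL, 't' },`. As written, `--timeout 300` leaves `300` as a positional argument and passes a NULL pointer to `atoi`.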
@@ -218,7 +220,7 @@ static int cifscreds_add(struct cmdarg *arg)
*nextaddress++ = '\0';
while (currentaddress) {
- key_serial_t key = key_add(currentaddress, arg->user, pass, arg->keytype);
+ key_serial_t key = key_add(currentaddress, arg->user, pass, arg->keytype, arg->timeout);
if (key <= 0) {
fprintf(stderr, "error: Add credential key for %s: %s\n",
currentaddress, strerror(errno));
@@ -253,7 +255,7 @@ static int cifscreds_clear(struct cmdarg *arg)
char *currentaddress, *nextaddress;
int ret = 0, count = 0, errors = 0;
- if (arg->host == NULL || arg->user == NULL)
+ if (arg->host == NULL || arg->user == NULL || arg->timeout)
return usage();
if (arg->keytype == 'd')
@@ -362,7 +364,7 @@ static int cifscreds_update(struct cmdarg *arg)
char *addrs[16];
int ret = 0, id, count = 0;
- if (arg->host == NULL || arg->user == NULL)
+ if (arg->host == NULL || arg->user == NULL || arg->timeout)
return usage();
if (arg->keytype == 'd')
@@ -419,7 +421,7 @@ static int cifscreds_update(struct cmdarg *arg)
pass = getpass("Password: ");
for (id = 0; id < count; id++) {
- key_serial_t key = key_add(addrs[id], arg->user, pass, arg->keytype);
+ key_serial_t key = key_add(addrs[id], arg->user, pass, arg->keytype, 0);
if (key <= 0)
fprintf(stderr, "error: Update credential key "
"for %s: %s\n", addrs[id], strerror(errno));
@@ -474,7 +476,7 @@ int main(int argc, char **argv)
if (argc == 1)
return usage();
- while((n = getopt_long(argc, argv, "du:", longopts, NULL)) != -1) {
+ while((n = getopt_long(argc, argv, "dut:", longopts, NULL)) != -1) {
switch (n) {
case 'd':
arg.keytype = (char) n;
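Review bot: The new optstring `"dut:"` drops the colon that followed `u` in the old `"du:"`, so the short option `-u` no longer takes an argument and `arg.user = optarg` in the `'u'` case stores NULL. A username given with `-u name` is then not applied, and `name` is left as a positional argument. The optstring should keep both arguments: `"du:t:"`. The option loop continues outside this hunk.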
@@ -482,6 +484,9 @@ int main(int argc, char **argv)
case 'u':
arg.user = optarg;
break;
+ case 't':
+ arg.timeout = atoi(optarg);
+ break;
default:
return usage();
}
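Review bot: `arg.timeout = atoi(optarg);` in the `'t'` case accepts any string and reports no errors. A non-numeric value silently becomes 0 (no timeout requested), and a negative value such as `-1` converts to a very large `unsigned int`, so the credential key effectively never expires. Since this value sets how long a stored password stays in the keyring, the input should be parsed with `strtoul` and rejected through `usage()` when it is not a plain decimal number that fits in `unsigned int`. The switch and the enclosing loop start outside this hunk.

```c
/* … unchanged: 'd' and 'u' cases … */
case 't': {
	char *end;
	unsigned long secs;

	errno = 0;
	secs = strtoul(optarg, &end, 10);
	/* strtoul accepts a sign, so require a leading digit */
	if (optarg[0] < '0' || optarg[0] > '9' || *end != '\0' ||
	    errno == ERANGE || secs != (unsigned int)secs)
		return usage();
	arg.timeout = (unsigned int)secs;
	break;
}
```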
@@ -68,6 +68,10 @@ OPTIONS
adding the credentials. This option allows the user to substitute a
different username.
+-t, --timeout
+ Sets the key timeout in seconds. If not set, will use the system default
+ timeout for logon keys.
+
*****
NOTES
*****
@@ -40,11 +40,12 @@ key_search(const char *addr, char keytype)
/* add or update a specific key to keyring */
key_serial_t
-key_add(const char *addr, const char *user, const char *pass, char keytype)
+key_add(const char *addr, const char *user, const char *pass, char keytype, unsigned timeout)
{
int len;
char desc[INET6_ADDRSTRLEN + sizeof(KEY_PREFIX) + 4];
char val[MOUNT_PASSWD_SIZE + MAX_USERNAME_SIZE + 2];
+ key_serial_t key;
/* set key description */
if (snprintf(desc, sizeof(desc), "%s:%c:%s", KEY_PREFIX, keytype, addr) >= (int)sizeof(desc)) {
@@ -59,5 +60,12 @@ key_add(const char *addr, const char *user, const char *pass, char keytype)
return -1;
}
- return add_key(CIFS_KEY_TYPE, desc, val, len + 1, DEST_KEYRING);
+ if ((key = add_key(CIFS_KEY_TYPE, desc, val, len + 1, DEST_KEYRING)) < 0) {
+ return -1;
+ }
+
+ if (timeout > 0)
+ keyctl_set_timeout(key, timeout);
+
+ return key;
}
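Review bot: The return value of `keyctl_set_timeout(key, timeout)` is ignored, so if the call fails the password key stays in the keyring with no expiry while key_add() still reports success. The caller asked for a bounded credential lifetime, so the failure should be surfaced, for example `if (timeout > 0 && keyctl_set_timeout(key, timeout) < 0) {` followed by removing the just-added key and `return -1; }`. `errno` should be saved across the cleanup, because the callers print `strerror(errno)`. A short comment stating that `timeout == 0` means "leave the key's expiry untouched" would also help readers of the new parameter.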
@@ -41,7 +41,12 @@
#define CIFS_KEY_PERMS (KEY_POS_VIEW|KEY_POS_WRITE|KEY_POS_SEARCH| \
KEY_USR_VIEW|KEY_USR_WRITE|KEY_USR_SEARCH)
+/**
+ * Default key timeout is 24 hours
+ */
+#define DEFAULT_KEY_TIMEOUT (24 * 60 * 60)
+
key_serial_t key_search(const char *addr, char keytype);
-key_serial_t key_add(const char *addr, const char *user, const char *pass, char keytype);
+key_serial_t key_add(const char *addr, const char *user, const char *pass, char keytype, unsigned timeout);
#endif /* _CIFSKEY_H */
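Review bot: The comment on `DEFAULT_KEY_TIMEOUT` gives neither the unit nor which callers use the macro, and the name suggests it applies everywhere. In the visible hunks only the PAM callers (`cifscreds_pam_add`, `cifscreds_pam_update`) pass it, while `cifscreds_add` passes the `-t` value and `cifscreds_update` passes 0. I would reword it to something like `/* Timeout, in seconds, applied to keys added by the PAM module; the cifscreds tool passes the -t value, or 0 for no explicit timeout. */`. The `key_add` prototype should also document that `timeout` is in seconds and that 0 skips `keyctl_set_timeout`.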
@@ -232,7 +232,7 @@ static int cifscreds_pam_add(pam_handle_t *ph, const char *user, const char *pas
*nextaddress++ = '\0';
while (currentaddress) {
- key_serial_t key = key_add(currentaddress, user, password, keytype);
+ key_serial_t key = key_add(currentaddress, user, password, keytype, DEFAULT_KEY_TIMEOUT);
if (key <= 0) {
pam_syslog(ph, LOG_ERR, "error: Add credential key for %s: %s",
currentaddress, strerror(errno));
@@ -335,7 +335,7 @@ static int cifscreds_pam_update(pam_handle_t *ph, const char *user, const char *
}
for (id = 0; id < count; id++) {
- key_serial_t key = key_add(currentaddress, user, password, keytype);
+ key_serial_t key = key_add(currentaddress, user, password, keytype, DEFAULT_KEY_TIMEOUT);
if (key <= 0) {
pam_syslog(ph, LOG_ERR, "error: Update credential key for %s: %s",
(currentaddress ?: "(null)"), strerror(errno));
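Review bot: The changed call in this loop still passes `currentaddress` rather than an element indexed by `id`, although the loop iterates `id` from 0 to `count`. The error message guards against `currentaddress` being NULL, which suggests it may be NULL at this point. The command-line counterpart uses `key_add(addrs[id], ...)` inside the same kind of loop. If that is the case here, every iteration targets the same (or a NULL) address, and key_add() would format a NULL `addr` with `%s`. The function body starts outside this hunk, so this needs checking against the full source. If an indexed address array exists there, the call and the log argument should both use it.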