From patchwork Fri Nov 23 23:36:45 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Steve French
X-Patchwork-Id: 1797371
Date: Fri, 23 Nov 2012 17:36:45 -0600
Subject: Upgrading security default
From: Steve French
To: linux-cifs@vger.kernel.org
Sender: linux-cifs-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: linux-cifs@vger.kernel.org

This patch to upgrade the default security mechanism to ntlmv2/ntlmssp (which is broadly supported for years now, and a reasonable minimum, far better than ntlm) is overdue, but I had to rework it to simplify it.

char *string = NULL; @@ -1763,6 +1764,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname, if (cifs_parse_security_flavors(string, vol) != 0) goto cifs_parse_mount_err; + sec_explicitly_set = true; break; case Opt_cache: string = match_strdup(args); @@ -1799,6 +1801,8 @@ cifs_parse_mount_options(const char *mountdata, const char *devname, goto cifs_parse_mount_err; } #endif + if (sec_explicitly_set == false) + vol->secFlg |= CIFSSEC_MAY_NTLMSSP; if (vol->UNCip == NULL) vol->UNCip = &vol->UNC[2]; @@ -2397,8 +2401,6 @@ cifs_set_cifscreds(struct smb_vol *vol __attribute__((unused)), } #endif /* CONFIG_KEYS */ -static bool warned_on_ntlm; /* globals init to false automatically */ - static struct cifs_ses * cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb_vol *volume_info) { @@ -2475,14 +2477,6 @@ cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb_vol *volume_info) ses->cred_uid = volume_info->cred_uid; ses->linux_uid = volume_info->linux_uid; - /* ntlmv2 is much stronger than ntlm security, and has been broadly - supported for many years, time to update default security mechanism */ - if ((volume_info->secFlg == 0) && warned_on_ntlm == false) { - warned_on_ntlm = true; - cERROR(1, "default security mechanism requested. The default " - "security mechanism will be upgraded from ntlm to " - "ntlmv2 in kernel release 3.3"); - } ses->overrideSecFlg = volume_info->secFlg; mutex_lock(&ses->session_mutex); diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index 5c670b9..3bca289 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c
@@ -1103,6 +1103,7 @@ cifs_parse_mount_options(const char *mountdata, const char *devname, bool uid_specified = false; bool gid_specified = false; bool sloppy = false; + bool sec_explicitly_set = false; char *invalid = NULL; char *nodename = utsname()->nodename;
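
Review bot: in the `@@ -1799,6 +1801,8 @@` hunk, `vol->secFlg |= CIFSSEC_MAY_NTLMSSP` means secFlg is never zero for a mount without a sec= option, yet the code this patch removes from cifs_get_smb_ses() treated `volume_info->secFlg == 0` as "default security mechanism requested", and the surviving `ses->overrideSecFlg = volume_info->secFlg` now carries a non-zero override on every such mount. Please confirm that no remaining code path relies on zero meaning "not specified by the user", or apply the new default at the point where the zero case is already handled. Minor style point on the same lines: `if (!sec_explicitly_set)` reads better than comparing a bool against `false`.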
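
Review bot: the `@@ -2475,14 +2477,6 @@` hunk deletes the one-time cERROR and the comment explaining why the default is being raised, and nothing replaces either at the new `sec_explicitly_set` check. A mount that relied on the old default may now fail against a server that does not accept NTLMSSP, with nothing in the log connecting the failure to the changed default. Consider a one-time message where the default is applied that names the new mechanism and the explicit sec= option for the old behaviour, and move the rationale comment there. The removed warning also announced an upgrade "from ntlm to ntlmv2" while the flag now set is CIFSSEC_MAY_NTLMSSP and the description says "ntlmv2/ntlmssp", so the commit message should state exactly which mechanism becomes the default.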