11618 Use exec_attr instead of suid for smbfs mount and unmount

Reviewed by: Jason King <jason.king@joyent.com>
Reviewed by: Joshua M. Clulow <josh@sysmgr.org>
Approved by: Garrett D'Amore <garrett@damore.org>

10 files changed, 98 insertions, 47 deletions

diff --git a/usr/src/cmd/fs.d/mount.c b/usr/src/cmd/fs.d/mount.c
index 3fdb498f2c..8c8d7034fe 100644
--- a/usr/src/cmd/fs.d/mount.c
+++ b/usr/src/cmd/fs.d/mount.c
@@ -18,11 +18,6 @@
  *
  * CDDL HEADER END
  */
-
-/*
- * Copyright 2015 Nexenta Systems, Inc.  All rights reserved.
- */
-
 /*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T	*/
 /*	  All Rights Reserved	*/
 
@@ -30,6 +25,8 @@
 /*
  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
+ *
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
  */
 
 #include	<stdio.h>
@@ -55,6 +52,7 @@
 #include	<stropts.h>
 #include	<sys/conf.h>
 #include	<locale.h>
+#include	<priv.h>
 #include	"fslib.h"
 
 #define	VFS_PATH	"/usr/lib/fs"
@@ -822,6 +820,17 @@ doexec(char *fstype, char *newargv[])
 	}
 
 	/*
+	 * Some file system types need pfexec.
+	 */
+	if (strcmp(fstype, "smbfs") == 0 &&
+	    setpflags(PRIV_PFEXEC, 1) != 0) {
+		(void) fprintf(stderr,
+		    gettext("mount: unable to set PFEXEC flag: %s\n"),
+		    strerror(errno));
+		exit(1);
+	}
+
+	/*
 	 * Try to exec the fstype dependent portion of the mount.
 	 * See if the directory is there before trying to exec dependent
 	 * portion.  This is only useful for eliminating the
diff --git a/usr/src/cmd/fs.d/smbclnt/mount/Makefile b/usr/src/cmd/fs.d/smbclnt/mount/Makefile
index 20435bcf08..0820b4f618 100644
--- a/usr/src/cmd/fs.d/smbclnt/mount/Makefile
+++ b/usr/src/cmd/fs.d/smbclnt/mount/Makefile
@@ -22,6 +22,8 @@
 # Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
+# Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
+#
 
 #
 # cmd/fs.d/smbclnt/mount/Makefile
@@ -38,7 +40,7 @@ SRCS=	$(LIBPROG).c
 POFILE=	$(LIBPROG).po
 CLOBBERFILES	+= $(LIBPROG)
 
-$(ROOTLIBFSTYPE)/mount := FILEMODE= 04555
+$(ROOTLIBFSTYPE)/mount := FILEMODE= 0555
 
 CFLAGS += $(CCVERBOSE)
 CERRWARN += -_gcc=-Wno-parentheses
diff --git a/usr/src/cmd/fs.d/smbclnt/mount/mount.c b/usr/src/cmd/fs.d/smbclnt/mount/mount.c
index d8a5a9853e..fbb71373ae 100644
--- a/usr/src/cmd/fs.d/smbclnt/mount/mount.c
+++ b/usr/src/cmd/fs.d/smbclnt/mount/mount.c
@@ -36,7 +36,7 @@
  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
  *
- * Copyright 2012 Nexenta Systems, Inc.  All rights reserved.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
  */
 
 #include <stdio.h>
@@ -80,9 +80,9 @@ const char * const optlist[] = {
 	MNTOPT_RO,
 #define	OPT_RW		1
 	MNTOPT_RW,
-#define	OPT_SUID 	2
+#define	OPT_SUID	2
 	MNTOPT_SUID,
-#define	OPT_NOSUID 	3
+#define	OPT_NOSUID	3
 	MNTOPT_NOSUID,
 #define	OPT_DEVICES	4
 	MNTOPT_DEVICES,
@@ -182,16 +182,25 @@ main(int argc, char *argv[])
 	/*
 	 * Normal users are allowed to run "mount -F smbfs ..."
 	 * to mount on a directory they own.  To allow that, this
-	 * program is installed setuid root, and it adds SYS_MOUNT
-	 * privilege here (if needed), and then restores the user's
-	 * normal privileges.  When root runs this, it's a no-op.
+	 * program has an exec_attr that adds SYS_MOUNT priv.
+	 *
+	 * The __init_suid_priv call was designed for SUID programs,
+	 * but also works for privileges granted via exec_attr with
+	 * one difference: the added privileges are already effective
+	 * when the program starts, and remain effective after the call.
+	 * To make this work more like the SUID case we'll turn off the
+	 * additional privileges with a __priv_bracket() call here.
+	 * Later calls to __priv_bracket() make the extra privileges
+	 * effective only when we need them.
 	 */
 	if (__init_suid_priv(0, PRIV_SYS_MOUNT, (char *)NULL) < 0) {
 		(void) fprintf(stderr,
 		    gettext("Insufficient privileges, "
-		    "%s must be set-uid root\n"), argv[0]);
+		    "%s should have sys_mount privilege via exec_attr\n"),
+		    argv[0]);
 		exit(RET_ERR);
 	}
+	(void) __priv_bracket(PRIV_OFF);
 
 	if (argc == 2) {
 		if (strcmp(argv[1], "-h") == 0) {
diff --git a/usr/src/cmd/fs.d/smbclnt/svc/Makefile b/usr/src/cmd/fs.d/smbclnt/svc/Makefile
index 4a63cc9793..856e6f5b8e 100644
--- a/usr/src/cmd/fs.d/smbclnt/svc/Makefile
+++ b/usr/src/cmd/fs.d/smbclnt/svc/Makefile
@@ -22,7 +22,7 @@
 # Copyright 2008 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
-# ident	"%Z%%M%	%I%	%E% SMI"
+# Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
 #
 
 MANIFEST=	client.xml
@@ -30,11 +30,20 @@ SVCMETHOD=	smb-client
 
 include $(SRC)/cmd/Makefile.cmd
 
+ETCSECURITYFILES =	exec_attr.d/SUNWsmbfs
+ROOTETCSECURITY =	$(ROOT)/etc/security
+$(ROOTETCSECURITY) :=   DIRMODE = 0755
+ROOTETCSECURITYFILES =  $(ETCSECURITYFILES:%=$(ROOTETCSECURITY)/%)
+$(ROOTETCSECURITYFILES) := FILEMODE = 0644
+
 ROOTMANIFESTDIR=	$(ROOTSVCNETWORKSMB)
 
 all lint:
 
-install:	$(ROOTMANIFEST) $(ROOTSVCMETHOD)
+install:	$(ROOTMANIFEST) $(ROOTSVCMETHOD) $(ROOTETCSECURITYFILES)
+
+$(ROOTETCSECURITY)/exec_attr.d/%:%
+	$(INS.file)
 
 clean:
 
diff --git a/usr/src/cmd/fs.d/smbclnt/svc/SUNWsmbfs b/usr/src/cmd/fs.d/smbclnt/svc/SUNWsmbfs
new file mode 100644
index 0000000000..6f673c2fcb
--- /dev/null
+++ b/usr/src/cmd/fs.d/smbclnt/svc/SUNWsmbfs
@@ -0,0 +1,2 @@
+Basic Solaris User:solaris:cmd:::/usr/lib/fs/smbfs/mount:privs=sys_mount
+Basic Solaris User:solaris:cmd:::/usr/lib/fs/smbfs/umount:privs=sys_mount
diff --git a/usr/src/cmd/fs.d/smbclnt/umount/Makefile b/usr/src/cmd/fs.d/smbclnt/umount/Makefile
index 09a11ce9fb..620384780e 100644
--- a/usr/src/cmd/fs.d/smbclnt/umount/Makefile
+++ b/usr/src/cmd/fs.d/smbclnt/umount/Makefile
@@ -22,6 +22,8 @@
 # Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
 # Use is subject to license terms.
 #
+# Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
+#
 
 #
 # cmd/fs.d/smbclnt/umount/Makefile
@@ -37,7 +39,7 @@ COMMON=		$(FSLIB)
 OBJS=		$(LIBPROG).o $(COMMON)
 SRCS=		$(LIBPROG).c $(FSLIBSRC)
 
-$(ROOTLIBFSTYPE)/umount := FILEMODE= 04555
+$(ROOTLIBFSTYPE)/umount := FILEMODE= 0555
 
 CPPFLAGS += -I../.. -I../lib
 CFLAGS += $(CCVERBOSE)
@@ -61,5 +63,5 @@ $(LIBPROG):	$(OBJS)
 
 lint:	lint_SRCS
 
-clean:     
+clean:
 	$(RM) $(LIBPROG).o
diff --git a/usr/src/cmd/fs.d/smbclnt/umount/umount.c b/usr/src/cmd/fs.d/smbclnt/umount/umount.c
index 412557e567..a4e14b75f2 100644
--- a/usr/src/cmd/fs.d/smbclnt/umount/umount.c
+++ b/usr/src/cmd/fs.d/smbclnt/umount/umount.c
@@ -25,6 +25,7 @@
 
 /*
  * Copyright (c) 2018, Joyent, Inc.
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
  */
 
 /*
@@ -55,9 +56,6 @@ static void usage();
 static int smbfs_unmount(char *, int);
 static struct extmnttab *mnttab_find();
 
-static char *myname;
-static char typename[64];
-
 int
 main(int argc, char *argv[])
 {
@@ -74,21 +72,26 @@ main(int argc, char *argv[])
 
 	/*
 	 * Normal users are allowed to umount smbfs mounts they own.
-	 * To allow that, this program is installed setuid root, and
-	 * it adds SYS_MOUNT privilege here (if needed), and then
-	 * restores the user's normal privileges.
+	 * To allow that, this program has an exec_attr that adds
+	 * SYS_MOUNT privilege.
+	 *
+	 * The __init_suid_priv call was designed for SUID programs,
+	 * but also works for privileges granted via exec_attr with
+	 * one difference: the added privileges are already effective
+	 * when the program starts, and remain effective after the call.
+	 * To make this work more like the SUID case we'll turn off the
+	 * additional privileges with a __priv_bracket() call here.
+	 * Later calls to __priv_bracket() make the extra privileges
+	 * effective only when we need them.
 	 */
 	if (__init_suid_priv(0, PRIV_SYS_MOUNT, (char *)NULL) < 0) {
 		(void) fprintf(stderr,
 		    gettext("Insufficient privileges, "
-		    "%s must be set-uid root\n"), argv[0]);
+		    "%s should have sys_mount privilege via exec_attr\n"),
+		    argv[0]);
 		exit(RET_ERR);
 	}
-
-	myname = strrchr(argv[0], '/');
-	myname = myname ? myname+1 : argv[0];
-	(void) sprintf(typename, "smbfs %s", myname);
-	argv[0] = typename;
+	(void) __priv_bracket(PRIV_OFF);
 
 	/*
 	 * Set options
@@ -117,7 +120,7 @@ pr_err(const char *fmt, ...)
 	va_list ap;
 
 	va_start(ap, fmt);
-	(void) fprintf(stderr, "%s: ", typename);
+	(void) fprintf(stderr, "smbfs/umount: ");
 	(void) vfprintf(stderr, fmt, ap);
 	(void) fflush(stderr);
 	va_end(ap);
@@ -162,8 +165,7 @@ smbfs_unmount(char *pathname, int umnt_flag)
  *  Return the last entry in the file that matches.
  */
 static struct extmnttab *
-mnttab_find(dirname)
-	char *dirname;
+mnttab_find(char *dirname)
 {
 	FILE *fp;
 	struct extmnttab mnt;
diff --git a/usr/src/cmd/fs.d/umount.c b/usr/src/cmd/fs.d/umount.c
index a50665c9a0..e892d60728 100644
--- a/usr/src/cmd/fs.d/umount.c
+++ b/usr/src/cmd/fs.d/umount.c
@@ -21,11 +21,12 @@
 /*
  * Copyright 2010 Sun Microsystems, Inc.  All rights reserved.
  * Use is subject to license terms.
- * Copyright 2015 Nexenta Systems, Inc. All rights reserved.
+ *
+ * Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
  */
 
 /*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T	*/
-/*	  All Rights Reserved  	*/
+/*	  All Rights Reserved	*/
 
 
 #include	<stdio.h>
@@ -47,6 +48,7 @@
 #include	<sys/mntent.h>
 #include	<sys/ctfs.h>
 #include	<locale.h>
+#include	<priv.h>
 #include	<stdarg.h>
 #include	<sys/mount.h>
 #include	<sys/objfs.h>
@@ -138,15 +140,15 @@ static void	cleanup(int);
 
 static mountent_t	**make_mntarray(char **, int);
 static mountent_t	*getmntall();
-static mountent_t 	*new_mountent(struct mnttab *);
+static mountent_t	*new_mountent(struct mnttab *);
 static mountent_t	*getmntlast(mountent_t *, char *, char *);
 
 int
 main(int argc, char **argv)
 {
-	int 	cc;
+	int	cc;
 	struct mnttab  mget;
-	char 	*mname, *is_special;
+	char	*mname, *is_special;
 	int	fscnt;
 	mountent_t	*mp;
 
@@ -329,7 +331,7 @@ main(int argc, char **argv)
 void
 doexec(struct mnttab *ment)
 {
-	int 	ret;
+	int	ret;
 
 #ifdef DEBUG
 	if (dflg)
@@ -342,7 +344,7 @@ doexec(struct mnttab *ment)
 		char	full_path[FULLPATH_MAX];
 		char	alter_path[FULLPATH_MAX];
 		char	*newargv[ARGV_MAX];
-		int 	ii;
+		int	ii;
 
 		if (strlen(ment->mnt_fstype) > (size_t)FSTYPE_MAX) {
 			fprintf(stderr, gettext(
@@ -388,6 +390,17 @@ doexec(struct mnttab *ment)
 			exit(0);
 		}
 
+		/*
+		 * Some file system types need pfexec.
+		 */
+		if (strcmp(ment->mnt_fstype, "smbfs") == 0 &&
+		    setpflags(PRIV_PFEXEC, 1) != 0) {
+			(void) fprintf(stderr,
+			    gettext("umount: unable to set PFEXEC flag: %s\n"),
+			    strerror(errno));
+			/* Keep going as best we can */
+		}
+
 		/* Try to exec the fstype dependent umount. */
 		execv(full_path, &newargv[1]);
 		if (errno == ENOEXEC) {
@@ -559,8 +572,8 @@ getmntlast(mountent_t *mlist, char *specp, char *mntp)
 int
 parumount(char **mntlist, int count)
 {
-	int 		maxfd = OPEN_MAX;
-	struct rlimit 	rl;
+	int		maxfd = OPEN_MAX;
+	struct rlimit	rl;
 	mountent_t	**mntarray, **ml, *mp;
 
 	/*
@@ -648,8 +661,8 @@ parumount(char **mntlist, int count)
 mountent_t **
 make_mntarray(char **mntlist, int count)
 {
-	mountent_t 	*mp, **mpp;
-	int 		ndx;
+	mountent_t	*mp, **mpp;
+	int		ndx;
 	char		*cp;
 
 	if (count > 0)
@@ -867,7 +880,7 @@ int
 dowait(void)
 {
 	int		wstat, child, ret;
-	mountent_t 	*mp, *prevp;
+	mountent_t	*mp, *prevp;
 
 	if ((child = wait(&wstat)) == -1)
 		return (-1);
diff --git a/usr/src/pkg/manifests/system-file-system-smb.mf b/usr/src/pkg/manifests/system-file-system-smb.mf
index b5ff30e5ad..a5af1de4d3 100644
--- a/usr/src/pkg/manifests/system-file-system-smb.mf
+++ b/usr/src/pkg/manifests/system-file-system-smb.mf
@@ -21,7 +21,7 @@
 
 #
 # Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved.
-# Copyright 2012 Nexenta Systems, Inc. All rights reserved.
+# Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
 #
 
 set name=pkg.fmri value=pkg:/system/file-system/smb@$(PKGVERS)
@@ -63,6 +63,8 @@ dir path=usr/share/man/man4
 dir path=usr/share/man/man5
 dir path=usr/share/man/man7fs
 driver name=nsmb perms="* 0666 root sys"
+file path=etc/security/exec_attr.d/SUNWsmbfs mode=0644 \
+    restart_fmri=svc:/system/rbac:default
 file path=lib/svc/manifest/network/smb/client.xml group=sys mode=0444
 file path=lib/svc/method/smb-client mode=0555
 file path=usr/bin/smbutil mode=0555
@@ -75,9 +77,9 @@ file path=usr/lib/$(ARCH64)/libsmbfs.so.1
 file path=usr/lib/fs/smbfs/$(ARCH64)/libshare_smbfs.so.1
 file path=usr/lib/fs/smbfs/dfshares mode=0555
 file path=usr/lib/fs/smbfs/libshare_smbfs.so.1
-file path=usr/lib/fs/smbfs/mount mode=4555
+file path=usr/lib/fs/smbfs/mount mode=0555
 file path=usr/lib/fs/smbfs/share mode=0555
-file path=usr/lib/fs/smbfs/umount mode=4555
+file path=usr/lib/fs/smbfs/umount mode=0555
 file path=usr/lib/fs/smbfs/unshare mode=0555
 file path=usr/lib/libmlrpc.so.2
 file path=usr/lib/libsmbfs.so.1
diff --git a/usr/src/tools/quick/make-smbclnt b/usr/src/tools/quick/make-smbclnt
index e8c6bfeabc..1c5b1fb6ff 100755
--- a/usr/src/tools/quick/make-smbclnt
+++ b/usr/src/tools/quick/make-smbclnt
@@ -239,6 +239,7 @@ do_tags() {
 do_tar() {
 	git_rev=`git rev-parse --short=8 HEAD`
 	files="
+etc/security/exec_attr.d/SUNWsmbfs
 lib/svc/manifest/network/smb/client.xml
 lib/svc/method/smb-client
 usr/bin/smbutil