* [PATCH] mount.cifs: Use systemd's mechanism for getting password, if present
@ 2012-06-22 9:34 Ankit Jain
From: Ankit Jain @ 2012-06-22 9:34 UTC (permalink / raw)
To: linux-cifs-u79uwXL29TY76Z2rM5mHXA
If the mount requests are "from" cifstab, then just asking for
"Password:" would be unclear, this asks it as:
"Password for user@.. :"
I'm not subscribed to the mailing list.
---
mount.cifs: Use systemd's mechanism for getting password, if present.
If systemd is running, then use /bin/systemd-ask-password to get
the password instead of get_pass(..) .
Reference: bug: https://bugzilla.novell.com/show_bug.cgi?id=767894
diff --git a/mount.cifs.c b/mount.cifs.c
index 6f3f382..d721de6 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -1687,6 +1687,58 @@ drop_child_privs(void)
return 0;
}
+/*
+ * If systemd is present, then try to get password via
+ * /bin/systemd-ask-password, else just use getpass(..)
+ */
+static char*
+get_password(const char *prompt, char *input, int capacity)
+{
+ int is_systemd_running;
+ struct stat a, b;
+
+ /* We simply test whether the systemd cgroup hierarchy is
+ * mounted */
+ is_systemd_running = (lstat("/sys/fs/cgroup", &a) == 0)
+ && (lstat("/sys/fs/cgroup/systemd", &b) == 0)
+ && (a.st_dev != b.st_dev);
+
+ if (is_systemd_running) {
+ /* systemd */
+ char *cmd;
+ FILE *fp = NULL;
+
+ if (asprintf(&cmd, "/bin/systemd-ask-password \"%s\"", prompt) >= 0) {
+ fp = popen (cmd, "re");
+ free (cmd);
+ }
+
+ if (!fp)
+ return NULL;
+
+ if (fgets(input, capacity, fp)) {
+ int len = strlen(input);
+ if (input[len - 1] == '\n')
+ input[len - 1] = '\0';
+ }
+
+ fclose(fp);
+ } else {
+ /* getpass is obsolete, but there's apparently nothing that replaces it */
+ char *tmp_pass = getpass(prompt);
+ if (!tmp_pass)
+ return NULL;
+
+ strncpy(input, tmp_pass, capacity - 1);
+ input[capacity - 1] = '\0';
+
+ /* zero-out the static buffer */
+ memset(tmp_pass, 0, strlen(tmp_pass));
+ }
+
+ return input;
+}
+
static int
assemble_mountinfo(struct parsed_mount_info *parsed_info,
const char *thisprogram, const char *mountpoint,
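Review bot: In the systemd branch of get_password(), a failed fgets() still falls through to `return input;`, so the caller treats an unfilled buffer as a password and passes it to set_password(). Return NULL (or fall back to getpass()) when fgets() returns NULL. In the same branch the stream comes from popen(), so it has to be closed with pclose() rather than `fclose(fp);`, which also makes the exit status of systemd-ask-password available for checking. The `input[len - 1]` access should be guarded with `len > 0`.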
@@ -1768,14 +1820,20 @@ assemble_mountinfo(struct parsed_mount_info *parsed_info,
}
if (!parsed_info->got_password) {
- /* getpass is obsolete, but there's apparently nothing that replaces it */
- char *tmp_pass = getpass("Password: ");
- if (!tmp_pass) {
+ char tmp_pass[MOUNT_PASSWD_SIZE + 1];
+ char *prompt = NULL;
+
+ if(asprintf(&prompt, "Password for %s@%s: ", parsed_info->username, orig_dev) < 0)
+ prompt = NULL;
+
+ if (get_password(prompt ? prompt : "Password: ", tmp_pass, MOUNT_PASSWD_SIZE + 1)) {
+ rc = set_password(parsed_info, tmp_pass);
+ } else {
fprintf(stderr, "Error reading password, exiting\n");
rc = EX_SYSERR;
- goto assemble_exit;
}
- rc = set_password(parsed_info, tmp_pass);
+
+ free(prompt);
if (rc)
goto assemble_exit;
}
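Review bot: `char tmp_pass[MOUNT_PASSWD_SIZE + 1];` now holds a cleartext copy of the password on the stack of assemble_mountinfo() and is never cleared, on either the success or the error path. get_password() takes care to zero the static buffer returned by getpass(), so the same should happen here: wipe tmp_pass once set_password() has returned, before `free(prompt);`, using a clear that the compiler cannot drop as a dead store.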
--
Ankit Jain
SUSE Labs
* Re: [PATCH] mount.cifs: Use systemd's mechanism for getting password, if present
@ 2012-06-25 19:24 ` Jeff Layton
From: Jeff Layton @ 2012-06-25 19:24 UTC (permalink / raw)
To: Ankit Jain; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA
On Fri, 22 Jun 2012 15:04:23 +0530
Ankit Jain <jankit-IBi9RG/b67k@public.gmane.org> wrote:
> If the mount requests are "from" cifstab, then just asking for
> "Password:" would be unclear, this asks it as:
> "Password for user@.. :"
>
> I'm not subscribed to the mailing list.
>
> ---
> mount.cifs: Use systemd's mechanism for getting password, if present.
>
> If systemd is running, then use /bin/systemd-ask-password to get
> the password instead of get_pass(..) .
>
> Reference: bug: https://bugzilla.novell.com/show_bug.cgi?id=767894
>
> diff --git a/mount.cifs.c b/mount.cifs.c
> index 6f3f382..d721de6 100644
> --- a/mount.cifs.c
> +++ b/mount.cifs.c
> @@ -1687,6 +1687,58 @@ drop_child_privs(void)
> return 0;
> }
>
> +/*
> + * If systemd is present, then try to get password via
> + * /bin/systemd-ask-password, else just use getpass(..)
> + */
> +static char*
> +get_password(const char *prompt, char *input, int capacity)
> +{
> + int is_systemd_running;
> + struct stat a, b;
> +
> + /* We simply test whether the systemd cgroup hierarchy is
> + * mounted */
> + is_systemd_running = (lstat("/sys/fs/cgroup", &a) == 0)
> + && (lstat("/sys/fs/cgroup/systemd", &b) == 0)
> + && (a.st_dev != b.st_dev);
> +
> + if (is_systemd_running) {
> + /* systemd */
> + char *cmd;
> + FILE *fp = NULL;
> +
> + if (asprintf(&cmd, "/bin/systemd-ask-password \"%s\"", prompt) >= 0) {
> + fp = popen (cmd, "re");
> + free (cmd);
> + }
> +
> + if (!fp)
> + return NULL;
> +
What if systemd is running but we can't call /bin/systemd-ask-password
for some reason? Like, maybe it doesn't exist? Should this then fall
back to trying to get the password the old-fashioned way?
Hmmm...the manpage for this command also says:
The purpose of this tool is to query system-wide passwords --
that is passwords not attached to a specific user account.
Examples include: unlocking encrypted hard disks when they are
plugged in or at boot, entering an SSL certificate passphrase
for web and VPN servers.
...does this really match that use-case? Hypothetically...
Suppose a user mount is set up in /etc/fstab and then the user calls:
$ mount /mnt/cifs
...or something along those lines. It used to be that he'd get a
password prompt on his terminal if one wasn't in the fstab. Will that
still be the case here? Or will this "broadcast" some sort of password
request all over the machine?
> + if (fgets(input, capacity, fp)) {
> + int len = strlen(input);
> + if (input[len - 1] == '\n')
> + input[len - 1] = '\0';
> + }
> +
> + fclose(fp);
> + } else {
> + /* getpass is obsolete, but there's apparently nothing that replaces it */
> + char *tmp_pass = getpass(prompt);
> + if (!tmp_pass)
> + return NULL;
> +
> + strncpy(input, tmp_pass, capacity - 1);
> + input[capacity - 1] = '\0';
> +
> + /* zero-out the static buffer */
> + memset(tmp_pass, 0, strlen(tmp_pass));
> + }
> +
> + return input;
> +}
> +
> static int
> assemble_mountinfo(struct parsed_mount_info *parsed_info,
> const char *thisprogram, const char *mountpoint,
> @@ -1768,14 +1820,20 @@ assemble_mountinfo(struct parsed_mount_info *parsed_info,
> }
>
> if (!parsed_info->got_password) {
> - /* getpass is obsolete, but there's apparently nothing that replaces it */
> - char *tmp_pass = getpass("Password: ");
> - if (!tmp_pass) {
> + char tmp_pass[MOUNT_PASSWD_SIZE + 1];
> + char *prompt = NULL;
> +
> + if(asprintf(&prompt, "Password for %s@%s: ", parsed_info->username, orig_dev) < 0)
> + prompt = NULL;
> +
> + if (get_password(prompt ? prompt : "Password: ", tmp_pass, MOUNT_PASSWD_SIZE + 1)) {
> + rc = set_password(parsed_info, tmp_pass);
> + } else {
> fprintf(stderr, "Error reading password, exiting\n");
> rc = EX_SYSERR;
> - goto assemble_exit;
> }
> - rc = set_password(parsed_info, tmp_pass);
> +
> + free(prompt);
> if (rc)
> goto assemble_exit;
> }
>
--
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
* Re: [PATCH] mount.cifs: Use systemd's mechanism for getting password, if present
@ 2012-06-26 7:04 ` Ankit Jain
From: Ankit Jain @ 2012-06-26 7:04 UTC (permalink / raw)
To: Jeff Layton; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA
On 06/26/2012 12:54 AM, Jeff Layton wrote:
> On Fri, 22 Jun 2012 15:04:23 +0530
> Ankit Jain <jankit-IBi9RG/b67k@public.gmane.org> wrote:
>
>> If the mount requests are "from" cifstab, then just asking for
>> "Password:" would be unclear, this asks it as:
>> "Password for user@.. :"
>>
>> I'm not subscribed to the mailing list.
>>
>> ---
>> mount.cifs: Use systemd's mechanism for getting password, if present.
>>
>> If systemd is running, then use /bin/systemd-ask-password to get
>> the password instead of get_pass(..) .
>>
>> Reference: bug: https://bugzilla.novell.com/show_bug.cgi?id=767894
>>
>> diff --git a/mount.cifs.c b/mount.cifs.c
>> index 6f3f382..d721de6 100644
>> --- a/mount.cifs.c
>> +++ b/mount.cifs.c
>> @@ -1687,6 +1687,58 @@ drop_child_privs(void)
>> return 0;
>> }
>>
>> +/*
>> + * If systemd is present, then try to get password via
>> + * /bin/systemd-ask-password, else just use getpass(..)
>> + */
>> +static char*
>> +get_password(const char *prompt, char *input, int capacity)
>> +{
>> + int is_systemd_running;
>> + struct stat a, b;
>> +
>> + /* We simply test whether the systemd cgroup hierarchy is
>> + * mounted */
>> + is_systemd_running = (lstat("/sys/fs/cgroup", &a) == 0)
>> + && (lstat("/sys/fs/cgroup/systemd", &b) == 0)
>> + && (a.st_dev != b.st_dev);
>> +
>> + if (is_systemd_running) {
>> + /* systemd */
>> + char *cmd;
>> + FILE *fp = NULL;
>> +
>> + if (asprintf(&cmd, "/bin/systemd-ask-password \"%s\"", prompt) >= 0) {
>> + fp = popen (cmd, "re");
>> + free (cmd);
>> + }
>> +
>> + if (!fp)
>> + return NULL;
>> +
>
> What if systemd is running but we can't call /bin/systemd-ask-password
> for some reason? Like, maybe it doesn't exist? Should this then fall
> back to trying to get the password the old-fashioned way?
My first draft of this patch, in fact, did a fallback to get_pass(..) in
case that binary wasn't present. But AFAIU, if systemd is present and we
just use get_pass(..), user won't get that prompt and can't really
interactively give the password. This is the current problem in fact.
Also, /bin/systemd-ask-password seems to be part of the core systemd
package (on openSUSE 12.1 at least).
>
> Hmmm...the manpage for this command also says:
>
> The purpose of this tool is to query system-wide passwords --
> that is passwords not attached to a specific user account.
> Examples include: unlocking encrypted hard disks when they are
> plugged in or at boot, entering an SSL certificate passphrase
> for web and VPN servers.
>
> ...does this really match that use-case? Hypothetically...
>
> Suppose a user mount is set up in /etc/fstab and then the user calls:
>
> $ mount /mnt/cifs
>
> ...or something along those lines. It used to be that he'd get a
> password prompt on his terminal if one wasn't in the fstab. Will that
> still be the case here? Or will this "broadcast" some sort of password
> request all over the machine?
Yeah, mount.cifs will use /bin/systemd-ask-password, which would
basically cause all the systemd password agents to try and get the
password. One of those is asking for password on that terminal. And one
of the agents does a wall(1) for the request. It would depend on what
that distro installs, I guess.
So, one of the agents *will* indeed ask for password on the same
terminal, so that should mimic (almost) the older behavior. In case we
don't have this fix, or systemd-ask-password is not present, then the
user will have to specify the password in cifstab or in mount options.
I have tested only on openSUSE 12.1 btw.
Thanks,
-Ankit
>
>> + if (fgets(input, capacity, fp)) {
>> + int len = strlen(input);
>> + if (input[len - 1] == '\n')
>> + input[len - 1] = '\0';
>> + }
>> +
>> + fclose(fp);
>> + } else {
>> + /* getpass is obsolete, but there's apparently nothing that replaces it */
>> + char *tmp_pass = getpass(prompt);
>> + if (!tmp_pass)
>> + return NULL;
>> +
>> + strncpy(input, tmp_pass, capacity - 1);
>> + input[capacity - 1] = '\0';
>> +
>> + /* zero-out the static buffer */
>> + memset(tmp_pass, 0, strlen(tmp_pass));
>> + }
>> +
>> + return input;
>> +}
>> +
>> static int
>> assemble_mountinfo(struct parsed_mount_info *parsed_info,
>> const char *thisprogram, const char *mountpoint,
>> @@ -1768,14 +1820,20 @@ assemble_mountinfo(struct parsed_mount_info *parsed_info,
>> }
>>
>> if (!parsed_info->got_password) {
>> - /* getpass is obsolete, but there's apparently nothing that replaces it */
>> - char *tmp_pass = getpass("Password: ");
>> - if (!tmp_pass) {
>> + char tmp_pass[MOUNT_PASSWD_SIZE + 1];
>> + char *prompt = NULL;
>> +
>> + if(asprintf(&prompt, "Password for %s@%s: ", parsed_info->username, orig_dev) < 0)
>> + prompt = NULL;
>> +
>> + if (get_password(prompt ? prompt : "Password: ", tmp_pass, MOUNT_PASSWD_SIZE + 1)) {
>> + rc = set_password(parsed_info, tmp_pass);
>> + } else {
>> fprintf(stderr, "Error reading password, exiting\n");
>> rc = EX_SYSERR;
>> - goto assemble_exit;
>> }
>> - rc = set_password(parsed_info, tmp_pass);
>> +
>> + free(prompt);
>> if (rc)
>> goto assemble_exit;
>> }
>>
>
>
--
Ankit Jain
SUSE Labs
* Re: [PATCH] mount.cifs: Use systemd's mechanism for getting password, if present
@ 2012-06-26 11:28 ` Jeff Layton
From: Jeff Layton @ 2012-06-26 11:28 UTC (permalink / raw)
To: Ankit Jain; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA
On Tue, 26 Jun 2012 12:34:26 +0530
Ankit Jain <jankit-IBi9RG/b67k@public.gmane.org> wrote:
> On 06/26/2012 12:54 AM, Jeff Layton wrote:
> > On Fri, 22 Jun 2012 15:04:23 +0530
> > Ankit Jain <jankit-IBi9RG/b67k@public.gmane.org> wrote:
> >
> >> If the mount requests are "from" cifstab, then just asking for
> >> "Password:" would be unclear, this asks it as:
> >> "Password for user@.. :"
> >>
> >> I'm not subscribed to the mailing list.
> >>
> >> ---
> >> mount.cifs: Use systemd's mechanism for getting password, if present.
> >>
> >> If systemd is running, then use /bin/systemd-ask-password to get
> >> the password instead of get_pass(..) .
> >>
> >> Reference: bug: https://bugzilla.novell.com/show_bug.cgi?id=767894
> >>
> >> diff --git a/mount.cifs.c b/mount.cifs.c
> >> index 6f3f382..d721de6 100644
> >> --- a/mount.cifs.c
> >> +++ b/mount.cifs.c
> >> @@ -1687,6 +1687,58 @@ drop_child_privs(void)
> >> return 0;
> >> }
> >>
> >> +/*
> >> + * If systemd is present, then try to get password via
> >> + * /bin/systemd-ask-password, else just use getpass(..)
> >> + */
> >> +static char*
> >> +get_password(const char *prompt, char *input, int capacity)
> >> +{
> >> + int is_systemd_running;
> >> + struct stat a, b;
> >> +
> >> + /* We simply test whether the systemd cgroup hierarchy is
> >> + * mounted */
> >> + is_systemd_running = (lstat("/sys/fs/cgroup", &a) == 0)
> >> + && (lstat("/sys/fs/cgroup/systemd", &b) == 0)
> >> + && (a.st_dev != b.st_dev);
> >> +
> >> + if (is_systemd_running) {
> >> + /* systemd */
> >> + char *cmd;
> >> + FILE *fp = NULL;
> >> +
> >> + if (asprintf(&cmd, "/bin/systemd-ask-password \"%s\"", prompt) >= 0) {
> >> + fp = popen (cmd, "re");
> >> + free (cmd);
> >> + }
> >> +
> >> + if (!fp)
> >> + return NULL;
> >> +
> >
> > What if systemd is running but we can't call /bin/systemd-ask-password
> > for some reason? Like, maybe it doesn't exist? Should this then fall
> > back to trying to get the password the old-fashioned way?
>
> My first draft of this patch, in fact, did a fallback to get_pass(..) in
> case that binary wasn't present. But AFAIU, if systemd is present and we
> just use get_pass(..), user won't get that prompt and can't really
> interactively give the password. This is the current problem in fact.
> Also, /bin/systemd-ask-password seems to be part of the core systemd
> package (on openSUSE 12.1 at least).
>
It does, but we do have to concern ourselves with older versions of
systemd that might not, and with distros that might use systemd but not
add the tool (consider embedded distros). I think we'll need a
mechanism to fall back to the legacy password mechanism.
Also, a way to disable this at compile-time would be nice. Maybe a
--enable-systemd autoconf option would be good that defaults to "on"
with a simple test to see if the build machine is running systemd?
> >
> > Hmmm...the manpage for this command also says:
> >
> > The purpose of this tool is to query system-wide passwords --
> > that is passwords not attached to a specific user account.
> > Examples include: unlocking encrypted hard disks when they are
> > plugged in or at boot, entering an SSL certificate passphrase
> > for web and VPN servers.
> >
> > ...does this really match that use-case? Hypothetically...
> >
> > Suppose a user mount is set up in /etc/fstab and then the user calls:
> >
> > $ mount /mnt/cifs
> >
> > ...or something along those lines. It used to be that he'd get a
> > password prompt on his terminal if one wasn't in the fstab. Will that
> > still be the case here? Or will this "broadcast" some sort of password
> > request all over the machine?
>
> Yeah, mount.cifs will use /bin/systemd-ask-password, which would
> basically cause all the systemd password agents to try and get the
> password. One of those is asking for password on that terminal. And one
> of the agents does a wall(1) for the request. It would depend on what
> that distro installs, I guess.
>
> So, one of the agents *will* indeed ask for password on the same
> terminal, so that should mimic (almost) the older behavior. In case we
> don't have this fix, or systemd-ask-password is not present, then the
> user will have to specify the password in cifstab or in mount options.
>
> I have tested only on openSUSE 12.1 btw.
>
Ok, the manpage also says this:
When run from a TTY it will query a password on the TTY
and print it to STDOUT. When run with no TTY or with --no-tty it will
query the password system-wide and allow active users to respond via
several agents. The latter is only available to privileged processes.
So that should do the right thing when we kick off a mount from a
shell. autofs might be "interesting" however, but this is probably the
best we can do.
> Thanks,
> -Ankit
> >
> >> + if (fgets(input, capacity, fp)) {
> >> + int len = strlen(input);
> >> + if (input[len - 1] == '\n')
> >> + input[len - 1] = '\0';
> >> + }
> >> +
> >> + fclose(fp);
> >> + } else {
> >> + /* getpass is obsolete, but there's apparently nothing that replaces it */
> >> + char *tmp_pass = getpass(prompt);
> >> + if (!tmp_pass)
> >> + return NULL;
> >> +
> >> + strncpy(input, tmp_pass, capacity - 1);
> >> + input[capacity - 1] = '\0';
> >> +
> >> + /* zero-out the static buffer */
> >> + memset(tmp_pass, 0, strlen(tmp_pass));
> >> + }
> >> +
> >> + return input;
> >> +}
> >> +
> >> static int
> >> assemble_mountinfo(struct parsed_mount_info *parsed_info,
> >> const char *thisprogram, const char *mountpoint,
> >> @@ -1768,14 +1820,20 @@ assemble_mountinfo(struct parsed_mount_info *parsed_info,
> >> }
> >>
> >> if (!parsed_info->got_password) {
> >> - /* getpass is obsolete, but there's apparently nothing that replaces it */
> >> - char *tmp_pass = getpass("Password: ");
> >> - if (!tmp_pass) {
> >> + char tmp_pass[MOUNT_PASSWD_SIZE + 1];
> >> + char *prompt = NULL;
> >> +
> >> + if(asprintf(&prompt, "Password for %s@%s: ", parsed_info->username, orig_dev) < 0)
> >> + prompt = NULL;
> >> +
> >> + if (get_password(prompt ? prompt : "Password: ", tmp_pass, MOUNT_PASSWD_SIZE + 1)) {
> >> + rc = set_password(parsed_info, tmp_pass);
> >> + } else {
> >> fprintf(stderr, "Error reading password, exiting\n");
> >> rc = EX_SYSERR;
> >> - goto assemble_exit;
> >> }
> >> - rc = set_password(parsed_info, tmp_pass);
> >> +
> >> + free(prompt);
> >> if (rc)
> >> goto assemble_exit;
> >> }
> >>
> >
> >
>
>
--
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
* Re: [PATCH] mount.cifs: Use systemd's mechanism for getting password, if present
@ 2012-07-17 13:58 ` Ankit Jain
From: Ankit Jain @ 2012-07-17 13:58 UTC (permalink / raw)
To: Jeff Layton; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA
[-- Attachment #1: Type: text/plain, Size: 1289 bytes --]
Hi Jeff,
On 06/26/2012 04:58 PM, Jeff Layton wrote:
[snip]
> It does, but we do have to concern ourselves with older versions of
> systemd that might not, and with distros that might use systemd but not
> add the tool (consider embedded distros). I think we'll need a
> mechanism to fall back to the legacy password mechanism.
I'm guessing that by "legacy" you mean get_pass(..)? But on a regular
systemd install, it takes over stdin/stdout, and the prompt won't come
up on a terminal. But I don't know how it is set up on the other
scenarios you mentioned. So, I'll do that but you will have to test it
;) I tried using /dev/tty, but in/out are redirected AFAIU, so, this
didn't help.
> Also, a way to disable this at compile-time would be nice. Maybe a
> --enable-systemd autoconf option would be good that defaults to "on"
> with a simple test to see if the build machine is running systemd?
Sure, autoconf option sounds good. But do we want to check for systemd
running on the *build* machine (and choose default value for
--enable-systemd accordingly)? Systemd running or not sounds like a
runtime behavior, and we fall back to getpass anyway. I haven't added
this in the attached patch, but if you feel that this makes sense, then
I can add it.
Regards,
--
Ankit Jain
SUSE Labs
[-- Attachment #2: cifs-utils-systemd.patch --]
[-- Type: text/x-patch, Size: 3806 bytes --]
commit f96147bd08bcfb03e25b040741f4b2185fef0233
Author: Ankit Jain <jankit-l3A5Bk7waGM@public.gmane.org>
Date: Tue Jul 17 19:21:10 2012 +0530
mount.cifs: Use systemd's mechanism for getting password, if present.
If systemd is running and /bin/systemd-ask-password is available,
then use that else fall back on getpass(..).
And add a --enable-systemd configure option, which defaults to yes.
diff --git a/configure.ac b/configure.ac
index 0dd1155..2fea122 100644
--- a/configure.ac
+++ b/configure.ac
@@ -34,6 +34,12 @@ AC_ARG_ENABLE(cifsacl,
enable_cifsacl=$enableval,
enable_cifsacl="maybe")
+AC_ARG_ENABLE(systemd,
+ [AC_HELP_STRING([--enable-systemd],
+ [Enable systemd specific behavior for mount.cifs @<:@default=yes@:>@])],
+ enable_systemd=$enableval,
+ enable_systemd="maybe")
+
# check for ROOTSBINDIR environment var
if test -z $ROOTSBINDIR; then
ROOTSBINDIR="/sbin"
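Review bot: The help text for --enable-systemd says `default=yes`, but the not-given case sets `enable_systemd="maybe"`. Nothing in this patch probes for systemd and resolves "maybe" to yes or no, and the later test only compares against "no", so "maybe" behaves exactly like "yes". Spell the default as "yes" so the variable matches the documented behaviour.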
@@ -178,6 +184,10 @@ if test $enable_cifsupcall != "no"; then
AC_CHECK_FUNCS([krb5_auth_con_setaddrs krb5_auth_con_set_req_cksumtype])
fi
+if test $enable_systemd != "no"; then
+ AC_DEFINE(ENABLE_SYSTEMD, 1, [Enable systemd specific behavior for mount.cifs])
+fi
+
# MIT krb5 < 1.7 does not have this declaration but does have the symbol
AC_CHECK_DECLS(krb5_auth_con_set_req_cksumtype, [], [], [#include <krb5.h>])
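Review bot: `test $enable_systemd != "no"` defines ENABLE_SYSTEMD without checking anything about the helper, while mount.cifs.c hard-codes `/bin/systemd-ask-password`. Consider letting configure supply the helper path as a define, so that a build for a system that installs the tool elsewhere does not silently always take the getpass() fallback. Quoting the variable, `test "$enable_systemd" != "no"`, would also be more robust, although the unquoted form matches the neighbouring `$enable_cifsupcall` test.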
diff --git a/mount.cifs.c b/mount.cifs.c
index 6f3f382..a15ba9e 100644
--- a/mount.cifs.c
+++ b/mount.cifs.c
@@ -1687,6 +1687,66 @@ drop_child_privs(void)
return 0;
}
+/*
+ * If systemd is running and /bin/systemd-ask-password --
+ * is available, then use that else fallback on getpass(..)
+ *
+ * Returns: @input or NULL on error
+ */
+static char*
+get_password(const char *prompt, char *input, int capacity)
+{
+#ifdef ENABLE_SYSTEMD
+ int is_systemd_running;
+ struct stat a, b;
+
+ /* We simply test whether the systemd cgroup hierarchy is
+ * mounted */
+ is_systemd_running = (lstat("/sys/fs/cgroup", &a) == 0)
+ && (lstat("/sys/fs/cgroup/systemd", &b) == 0)
+ && (a.st_dev != b.st_dev);
+
+ if (is_systemd_running) {
+ char *cmd, *ret;
+ FILE *ask_pass_fp = NULL;
+
+ cmd = ret = NULL;
+ if (asprintf(&cmd, "/bin/systemd-ask-password \"%s\"", prompt) >= 0) {
+ ask_pass_fp = popen (cmd, "re");
+ free (cmd);
+ }
+
+ if (ask_pass_fp) {
+ ret = fgets(input, capacity, ask_pass_fp);
+ pclose(ask_pass_fp);
+ }
+
+ if (ret) {
+ int len = strlen(input);
+ if (input[len - 1] == '\n')
+ input[len - 1] = '\0';
+ return input;
+ }
+ }
+#endif
+
+ /*
+ * Falling back to getpass(..)
+ * getpass is obsolete, but there's apparently nothing that replaces it
+ */
+ char *tmp_pass = getpass(prompt);
+ if (!tmp_pass)
+ return NULL;
+
+ strncpy(input, tmp_pass, capacity - 1);
+ input[capacity - 1] = '\0';
+
+ /* zero-out the static buffer */
+ memset(tmp_pass, 0, strlen(tmp_pass));
+
+ return input;
+}
+
static int
assemble_mountinfo(struct parsed_mount_info *parsed_info,
const char *thisprogram, const char *mountpoint,
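Review bot: The prompt is pasted into a shell command line, `asprintf(&cmd, "/bin/systemd-ask-password \"%s\"", prompt)` followed by popen(), and the caller builds that prompt from parsed_info->username and orig_dev. Inside double quotes the shell still interprets `$`, backquote, backslash and `"`, so text taken from the mount command line or fstab is evaluated by /bin/sh with mount.cifs's privileges. Run the helper without a shell instead: pipe() plus fork() and execl()/execv() with the prompt as a single argv element, reading the password from the pipe. Smaller points: the return value of pclose() is ignored, so a query that fails or is cancelled without output silently turns into a second prompt through getpass(); and `char *tmp_pass` is declared after the `#endif`, following statements, where the rest of the function declares its variables at the top of the block.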
@@ -1768,14 +1828,20 @@ assemble_mountinfo(struct parsed_mount_info *parsed_info,
}
if (!parsed_info->got_password) {
- /* getpass is obsolete, but there's apparently nothing that replaces it */
- char *tmp_pass = getpass("Password: ");
- if (!tmp_pass) {
+ char tmp_pass[MOUNT_PASSWD_SIZE + 1];
+ char *prompt = NULL;
+
+ if(asprintf(&prompt, "Password for %s@%s: ", parsed_info->username, orig_dev) < 0)
+ prompt = NULL;
+
+ if (get_password(prompt ? prompt : "Password: ", tmp_pass, MOUNT_PASSWD_SIZE + 1)) {
+ rc = set_password(parsed_info, tmp_pass);
+ } else {
fprintf(stderr, "Error reading password, exiting\n");
rc = EX_SYSERR;
- goto assemble_exit;
}
- rc = set_password(parsed_info, tmp_pass);
+
+ free(prompt);
if (rc)
goto assemble_exit;
}
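Review bot: Style in the added lines: `if(asprintf(` is missing the space after `if`, and both the asprintf() line and the get_password() call run well past 80 columns; wrap the arguments the way the surrounding assemble_mountinfo() signature does. When asprintf() fails the code quietly drops to the generic "Password: " prompt, which is reasonable, but a one-line comment would help since the more specific prompt is the stated purpose of the change.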
* Re: [PATCH] mount.cifs: Use systemd's mechanism for getting password, if present
@ 2012-07-18 10:45 ` Jeff Layton
From: Jeff Layton @ 2012-07-18 10:45 UTC (permalink / raw)
To: Ankit Jain; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA
On Tue, 17 Jul 2012 19:28:09 +0530
Ankit Jain <jankit@suse.com> wrote:
> Hi Jeff,
>
> On 06/26/2012 04:58 PM, Jeff Layton wrote:
> [snip]
> > It does, but we do have to concern ourselves with older versions of
> > systemd that might not, and with distros that might use systemd but not
> > add the tool (consider embedded distros). I think we'll need a
> > mechanism to fall back to the legacy password mechanism.
>
> I'm guessing that by "legacy" you mean get_pass(..)? But on a regular
> systemd install, it takes over stdin/stdout, and the prompt won't come
> up on a terminal. But I don't know how it is set up on the other
> scenarios you mentioned. So, I'll do that but you will have to test it
> ;) I tried using /dev/tty, but in/out are redirected AFAIU, so, this
> didn't help.
>
Well...that's the case at boot time, when you're mounting from (for
instance) fstab. What about when someone issues mount "manually"
from a terminal? If systemd-ask-password isn't present at that point or
wouldn't run for some reason then you were sort of screwed with the
earlier patch.
> > Also, a way to disable this at compile-time would be nice. Maybe a
> > --enable-systemd autoconf option would be good that defaults to "on"
> > with a simple test to see if the build machine is running systemd?
>
> Sure, autoconf option sounds good. But do we want to check for systemd
> running on the *build* machine (and choose default value for
> --enable-systemd accordingly)? Systemd running or not sounds like a
> runtime behavior, and we fall back to getpass anyway. I haven't added
> this in the attached patch, but if you feel that this makes sense, then
> I can add it.
>
Fair enough. If you're falling back to getpass anyway, then a simple
autoconf switch to disable systemd support should be fine.
Patch looks good to me. I'll plan to merge it in the next day or two
unless there are objections.
Thanks!
--
Jeff Layton <jlayton@samba.org>
* Re: [PATCH] mount.cifs: Use systemd's mechanism for getting password, if present
@ 2012-07-20 18:51 ` Jeff Layton
From: Jeff Layton @ 2012-07-20 18:51 UTC (permalink / raw)
To: Ankit Jain; +Cc: linux-cifs-u79uwXL29TY76Z2rM5mHXA
On Tue, 17 Jul 2012 19:28:09 +0530
Ankit Jain <jankit-IBi9RG/b67k@public.gmane.org> wrote:
> Hi Jeff,
>
> On 06/26/2012 04:58 PM, Jeff Layton wrote:
> [snip]
> > It does, but we do have to concern ourselves with older versions of
> > systemd that might not, and with distros that might use systemd but not
> > add the tool (consider embedded distros). I think we'll need a
> > mechanism to fall back to the legacy password mechanism.
>
> I'm guessing that by "legacy" you mean get_pass(..)? But on a regular
> systemd install, it takes over stdin/stdout, and the prompt won't come
> up on a terminal. But I don't know how it is set up on the other
> scenarios you mentioned. So, I'll do that but you will have to test it
> ;) I tried using /dev/tty, but in/out are redirected AFAIU, so, this
> didn't help.
>
> > Also, a way to disable this at compile-time would be nice. Maybe a
> > --enable-systemd autoconf option would be good that defaults to "on"
> > with a simple test to see if the build machine is running systemd?
>
> Sure, autoconf option sounds good. But do we want to check for systemd
> running on the *build* machine (and choose default value for
> --enable-systemd accordingly)? Systemd running or not sounds like a
> runtime behavior, and we fall back to getpass anyway. I haven't added
> this in the attached patch, but if you feel that this makes sense, then
> I can add it.
>
> Regards,
Merged...
--
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>