From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Shyam Prasad N <sprasad@microsoft.com>,
Steve French <stfrench@microsoft.com>
Subject: [PATCH 6.1 44/96] cifs: fix setting SecurityFlags to true
Date: Tue, 16 Jul 2024 17:31:55 +0200 [thread overview]
Message-ID: <20240716152748.202145545@linuxfoundation.org> (raw)
In-Reply-To: <20240716152746.516194097@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steve French <stfrench@microsoft.com>
commit d2346e2836318a227057ed41061114cbebee5d2a upstream.
If you try to set /proc/fs/cifs/SecurityFlags to 1 it
will set them to CIFSSEC_MUST_NTLMV2 which no longer is
relevant (the less secure ones like lanman have been removed
from cifs.ko) and is also missing some flags (like for
signing and encryption) and can even cause mount to fail,
so change this to set it to Kerberos in this case.
Also change the description of the SecurityFlags to remove mention
of flags which are no longer supported.
Cc: stable@vger.kernel.org
Reviewed-by: Shyam Prasad N <sprasad@microsoft.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/admin-guide/cifs/usage.rst | 34 +++++++++----------------------
fs/smb/client/cifsglob.h | 4 +--
2 files changed, 12 insertions(+), 26 deletions(-)
--- a/Documentation/admin-guide/cifs/usage.rst
+++ b/Documentation/admin-guide/cifs/usage.rst
@@ -722,40 +722,26 @@ Configuration pseudo-files:
======================= =======================================================
SecurityFlags Flags which control security negotiation and
also packet signing. Authentication (may/must)
- flags (e.g. for NTLM and/or NTLMv2) may be combined with
+ flags (e.g. for NTLMv2) may be combined with
the signing flags. Specifying two different password
hashing mechanisms (as "must use") on the other hand
does not make much sense. Default flags are::
- 0x07007
+ 0x00C5
- (NTLM, NTLMv2 and packet signing allowed). The maximum
- allowable flags if you want to allow mounts to servers
- using weaker password hashes is 0x37037 (lanman,
- plaintext, ntlm, ntlmv2, signing allowed). Some
- SecurityFlags require the corresponding menuconfig
- options to be enabled. Enabling plaintext
- authentication currently requires also enabling
- lanman authentication in the security flags
- because the cifs module only supports sending
- laintext passwords using the older lanman dialect
- form of the session setup SMB. (e.g. for authentication
- using plain text passwords, set the SecurityFlags
- to 0x30030)::
+ (NTLMv2 and packet signing allowed). Some SecurityFlags
+ may require enabling a corresponding menuconfig option.
may use packet signing 0x00001
must use packet signing 0x01001
- may use NTLM (most common password hash) 0x00002
- must use NTLM 0x02002
may use NTLMv2 0x00004
must use NTLMv2 0x04004
- may use Kerberos security 0x00008
- must use Kerberos 0x08008
- may use lanman (weak) password hash 0x00010
- must use lanman password hash 0x10010
- may use plaintext passwords 0x00020
- must use plaintext passwords 0x20020
- (reserved for future packet encryption) 0x00040
+ may use Kerberos security (krb5) 0x00008
+ must use Kerberos 0x08008
+ may use NTLMSSP 0x00080
+ must use NTLMSSP 0x80080
+ seal (packet encryption) 0x00040
+ must seal (not implemented yet) 0x40040
cifsFYI If set to non-zero value, additional debug information
will be logged to the system error log. This field
--- a/fs/smb/client/cifsglob.h
+++ b/fs/smb/client/cifsglob.h
@@ -1837,8 +1837,8 @@ require use of the stronger protocol */
#define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */
#define CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */
-#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP)
-#define CIFSSEC_MAX (CIFSSEC_MUST_NTLMV2)
+#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP | CIFSSEC_MAY_SEAL)
+#define CIFSSEC_MAX (CIFSSEC_MAY_SIGN | CIFSSEC_MUST_KRB5 | CIFSSEC_MAY_SEAL)
#define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP)
/*
*****************************************************************
next prev parent reply other threads:[~2024-07-16 15:56 UTC|newest]
Thread overview: 104+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-16 15:31 [PATCH 6.1 00/96] 6.1.100-rc1 review Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 01/96] mm: prevent derefencing NULL ptr in pfn_section_valid() Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 02/96] cachefiles: propagate errors from vfs_getxattr() to avoid infinite loop Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 03/96] cachefiles: narrow the scope of triggering EPOLLIN events in ondemand mode Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 04/96] cachefiles: stop sending new request when dropping object Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 05/96] cachefiles: cancel all requests for the object that is being dropped Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 06/96] cachefiles: wait for ondemand_object_worker to finish when dropping object Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 07/96] cachefiles: cyclic allocation of msg_id to avoid reuse Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 08/96] cachefiles: add missing lock protection when polling Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 09/96] filelock: fix potential use-after-free in posix_lock_inode Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 10/96] fs/dcache: Re-use value stored to dentry->d_flags instead of re-reading Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 11/96] vfs: dont mod negative dentry count when on shrinker list Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 12/96] tcp: fix incorrect undo caused by DSACK of TLP retransmit Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 13/96] net: phy: microchip: lan87xx: reinit PHY after cable test Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 14/96] skmsg: Skip zero length skb in sk_msg_recvmsg Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 15/96] octeontx2-af: Fix incorrect value output on error path in rvu_check_rsrc_availability() Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 16/96] net: fix rc7s __skb_datagram_iter() Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 17/96] i40e: Fix XDP program unloading while removing the driver Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 18/96] net: ethernet: lantiq_etop: fix double free in detach Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 19/96] bpf: Refactor some inode/task/sk storage functions for reuse Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 20/96] bpf: Reduce smap->elem_size Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 21/96] bpf: use bpf_map_kvcalloc in bpf_local_storage Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 22/96] bpf: Remove __bpf_local_storage_map_alloc Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 23/96] bpf: fix order of args in call to bpf_map_kvcalloc Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 24/96] net: ethernet: mtk-star-emac: set mac_managed_pm when probing Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 25/96] ppp: reject claimed-as-LCP but actually malformed packets Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 26/96] ethtool: netlink: do not return SQI value if link is down Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 27/96] udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port() Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 28/96] net/sched: Fix UAF when resolving a clash Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 29/96] net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 30/96] s390: Mark psw in __load_psw_mask() as __unitialized Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 31/96] firmware: cs_dsp: Fix overflow checking of wmfw header Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 32/96] firmware: cs_dsp: Return error if block header overflows file Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 33/96] firmware: cs_dsp: Validate payload length before processing block Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 34/96] firmware: cs_dsp: Prevent buffer overrun when processing V2 alg headers Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 35/96] firmware: cs_dsp: Use strnlen() on name fields in V1 wmfw files Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 36/96] ARM: davinci: Convert comma to semicolon Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 37/96] octeontx2-af: replace cpt slot with lf id on reg write Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 38/96] octeontx2-af: update cpt lf alloc mailbox Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 39/96] octeontx2-af: fix a issue with cpt_lf_alloc mailbox Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 40/96] octeontx2-af: fix detection of IP layer Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 41/96] octeontx2-af: extend RSS supported offload types Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 42/96] octeontx2-af: fix issue with IPv6 ext match for RSS Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 43/96] octeontx2-af: fix issue with IPv4 " Greg Kroah-Hartman
2024-07-16 15:31 ` Greg Kroah-Hartman [this message]
2024-07-16 15:31 ` [PATCH 6.1 45/96] Revert "sched/fair: Make sure to try to detach at least one movable task" Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 46/96] tcp: use signed arithmetic in tcp_rtx_probe0_timed_out() Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 47/96] tcp: avoid too many retransmit packets Greg Kroah-Hartman
2024-07-16 15:31 ` [PATCH 6.1 48/96] net: ks8851: Fix deadlock with the SPI chip variant Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 49/96] net: ks8851: Fix potential TX stall after interface reopen Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 50/96] USB: serial: option: add Telit generic core-dump composition Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 51/96] USB: serial: option: add Telit FN912 rmnet compositions Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 52/96] USB: serial: option: add Fibocom FM350-GL Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 53/96] USB: serial: option: add support for Foxconn T99W651 Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 54/96] USB: serial: option: add Netprisma LCUK54 series modules Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 55/96] USB: serial: option: add Rolling RW350-GL variants Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 56/96] USB: serial: mos7840: fix crash on resume Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 57/96] USB: Add USB_QUIRK_NO_SET_INTF quirk for START BP-850k Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 58/96] usb: gadget: configfs: Prevent OOB read/write in usb_string_copy() Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 59/96] USB: core: Fix duplicate endpoint bug by clearing reserved bits in the descriptor Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 60/96] hpet: Support 32-bit userspace Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 61/96] xhci: always resume roothubs if xHC was reset during resume Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 62/96] ksmbd: discard write access to the directory open Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 63/96] nvmem: rmem: Fix return value of rmem_read() Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 64/96] nvmem: meson-efuse: Fix return value of nvmem callbacks Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 65/96] nvmem: core: only change name to fram for current attribute Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 66/96] platform/x86: toshiba_acpi: Fix array out-of-bounds access Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 67/96] ALSA: hda/realtek: add quirk for Clevo V5[46]0TU Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 68/96] ALSA: hda/realtek: Enable Mute LED on HP 250 G7 Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 69/96] ALSA: hda/realtek: Limit mic boost on VAIO PRO PX Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 70/96] Fix userfaultfd_api to return EINVAL as expected Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 71/96] libceph: fix race between delayed_work() and ceph_monc_stop() Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 72/96] ACPI: processor_idle: Fix invalid comparison with insertion sort for latency Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 73/96] wireguard: selftests: use acpi=off instead of -no-acpi for recent QEMU Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 74/96] wireguard: allowedips: avoid unaligned 64-bit memory accesses Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 75/96] wireguard: queueing: annotate intentional data race in cpu round robin Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 76/96] wireguard: send: annotate intentional data race in checking empty queue Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 77/96] misc: fastrpc: Fix DSP capabilities request Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 78/96] misc: fastrpc: Avoid updating PD type for capability request Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 79/96] misc: fastrpc: Copy the complete capability structure to user Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 80/96] x86/retpoline: Move a NOENDBR annotation to the SRSO dummy return thunk Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 81/96] cifs: use origin fullpath for automounts Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 82/96] cifs: avoid dup prefix path in dfs_get_automount_devname() Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 83/96] bpf: Allow reads from uninit stack Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 84/96] nilfs2: fix kernel bug on rename operation of broken directory Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 85/96] sched: Move psi_account_irqtime() out of update_rq_clock_task() hotpath Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 86/96] i2c: rcar: bring hardware to known state when probing Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 87/96] i2c: mark HostNotify target address as used Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 88/96] i2c: rcar: reset controller is mandatory for Gen3+ Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 89/96] i2c: rcar: introduce Gen4 devices Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 90/96] i2c: rcar: ensure Gen3+ reset does not disturb local targets Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 91/96] i2c: testunit: avoid re-issued work after read message Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 92/96] i2c: rcar: clear NO_RXDMA flag after resetting Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 93/96] x86/entry/64: Remove obsolete comment on tracing vs. SYSRET Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 94/96] x86/bhi: Avoid warning in #DB handler due to BHI mitigation Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 95/96] kbuild: Make ld-version.sh more robust against version string changes Greg Kroah-Hartman
2024-07-16 15:32 ` [PATCH 6.1 96/96] i2c: rcar: fix error code in probe() Greg Kroah-Hartman
2024-07-16 18:38 ` [PATCH 6.1 00/96] 6.1.100-rc1 review SeongJae Park
2024-07-16 18:42 ` Florian Fainelli
2024-07-16 19:01 ` Pavel Machek
2024-07-16 20:29 ` Naresh Kamboju
2024-07-17 6:24 ` Greg Kroah-Hartman
2024-07-17 15:51 ` Shuah Khan
2024-07-17 16:57 ` Allen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240716152748.202145545@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=patches@lists.linux.dev \
--cc=sprasad@microsoft.com \
--cc=stable@vger.kernel.org \
--cc=stfrench@microsoft.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox