FS#70521 - cifs-utils: broken as of 6.13-1 (upstream confirmed)

Attached to Project: Arch Linux
Opened by Alexander Koch (lynix) - Tuesday, 20 April 2021, 18:17 GMT
Last edited by Tobias Powalowski (tpowa) - Monday, 26 April 2021, 16:22 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Assigned, Reopened
Assigned To: Tobias Powalowski (tpowa)
Architecture: All
Severity: High
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

Description:

cifs.upcall has received a fix for CVE-2021-20208 that contains a regression, making it impossible to mount a CIFS share using Krb5:

cifs.upcall[78171]: switch_to_process_ns: setns() failed for cgroup
cifs.upcall[78171]: unable to switch to process namespace: Operation not permitted
cifs.upcall[78171]: Exit status 1
mount[78168]: mount error(126): Required key not available
systemd[1]: mnt-server01-share01.mount: Mount process exited, code=exited, status=32/n/a
systemd[1]: mnt-server01-share01.mount: Failed with result 'exit-code'.

Upstream developers have confirmed this: https://www.spinics.net/lists/linux-cifs/msg21550.html

They also provided two workarounds:

1) building with libcap instead of libcapng
2) patching out the call to trim_capabilities() in cifs.upcall.c

I'm currently fine having downgraded the package to 6.12 as I'm not affected by the container vulnerability.

Additional info:
* package version(s): 6.13-1
* upstream discussion: https://www.spinics.net/lists/linux-cifs/msg21549.html

Steps to reproduce:
* install cifs-utils-6.13-1
* try to mount a CIFS share using krb5 ticket

Comment by Alexander Koch (lynix) - Monday, 26 April 2021, 16:22 GMT
  • Field changed: Percent Complete (100% → 0%)
The workaround taken for cifs-utils 6.13-2 seems not to work for me.

Had to downgrade to 6.12-1 again.
Comment by mephinet (mephinet) - Monday, 26 April 2021, 20:40 GMT
I ran into the reported issue with 6.13-1, and I can confirm the re-open request: with 6.13-2, I still get the same error:

Apr 26 17:46:28 ... cifs.upcall[29647]: switch_to_process_ns: setns() failed for cgroup
Apr 26 17:46:28 ... cifs.upcall[29647]: unable to switch to process namespace: Operation not permitted
Apr 26 17:46:28 ... cifs.upcall[29647]: Exit status 1
Apr 26 17:46:28 ... kernel: CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
Apr 26 17:46:28 ... kernel: CIFS: VFS: \\... Send error in SessSetup = -126
Apr 26 17:46:28 ... kernel: CIFS: VFS: cifs_mount failed w/return code = -126

After reverting to 6.12-1, mounting is again possible.
Comment by Sergey Kvachonok (ravenexp) - Saturday, 17 July 2021, 14:00 GMT
I confirm that krb5 mounts are still broken when using cifs-utils 6.13-2.
Downgrading to 6.12-1 fixes the issue.
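
A triage check for the failure signature quoted in this report, added here as an example (it is not part of the report or of cifs-utils): it groups cifs.upcall journal lines by PID and flags the setns() failure followed by EPERM and a non-zero exit, noting whether a mount error 126 appears in the same excerpt. The function name, result keys and the sample log (host name included) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the journal excerpts quoted in this report.
SAMPLE = """\
Apr 26 17:46:28 host cifs.upcall[29647]: switch_to_process_ns: setns() failed for cgroup
Apr 26 17:46:28 host cifs.upcall[29647]: unable to switch to process namespace: Operation not permitted
Apr 26 17:46:28 host cifs.upcall[29647]: Exit status 1
Apr 26 17:46:28 host kernel: CIFS: VFS: cifs_mount failed w/return code = -126
Apr 26 17:50:02 host cifs.upcall[30011]: Exit status 0
"""

UPCALL = re.compile(r"cifs\.upcall\[(\d+)\]: (.*)")   # works with or without a timestamp prefix
SETNS = re.compile(r"switch_to_process_ns: setns\(\) failed for (\w+)")
EXIT = re.compile(r"Exit status (-?\d+)")
ENOKEY = re.compile(r"mount error\(126\)|= -126\b")    # "Required key not available"
EPERM_MSG = "unable to switch to process namespace: Operation not permitted"

def find_upcall_setns_failures(text):
    """Return one finding per cifs.upcall PID that shows the full failure signature."""
    by_pid = defaultdict(dict)
    enokey = False
    for line in text.splitlines():
        if ENOKEY.search(line):
            enokey = True          # mount/kernel lines carry no upcall PID; correlate per excerpt
        m = UPCALL.search(line)
        if not m:
            continue
        rec, msg = by_pid[int(m.group(1))], m.group(2)
        if (s := SETNS.search(msg)):
            rec["namespace"] = s.group(1)
        elif EPERM_MSG in msg:
            rec["eperm"] = True
        elif (e := EXIT.search(msg)):
            rec["exit"] = int(e.group(1))
    return [
        {"pid": pid, "namespace": r["namespace"], "mount_enokey": enokey}
        for pid, r in sorted(by_pid.items())
        if "namespace" in r and r.get("eperm") and r.get("exit", 0) != 0
    ]

if __name__ == "__main__":
    for finding in find_upcall_setns_failures(SAMPLE):
        print(finding)
```

Lines must be unwrapped (one journal entry per line) before they are passed in.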