cifs: allow disabling insecure dialects in the config

Allow disabling cifs (SMB1, i.e. vers=1.0) and vers=2.0 in the
config for the build of cifs.ko if you want to always prevent mounting
with these less secure dialects.

Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Steve French 2018-06-19 14:34:08 -05:00
parent 8505c8bfd8
commit 7420451f6a
2 changed files with 25 additions and 1 deletions

@ -66,9 +66,24 @@ config CIFS_STATS2
Unless you are a developer or are doing network performance analysis Unless you are a developer or are doing network performance analysis
or tuning, say N. or tuning, say N.
config CIFS_ALLOW_INSECURE_LEGACY
bool "Support legacy servers which use less secure dialects"
depends on CIFS
default y
help
Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have
additional security features, including protection against
man-in-the-middle attacks and stronger crypto hashes, so the use
of legacy dialects (SMB1/CIFS and SMB2.0) is discouraged.
Disabling this option prevents users from using vers=1.0 or vers=2.0
on mounts with cifs.ko
If unsure, say Y.
config CIFS_WEAK_PW_HASH config CIFS_WEAK_PW_HASH
bool "Support legacy servers which use weaker LANMAN security" bool "Support legacy servers which use weaker LANMAN security"
depends on CIFS depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY
help help
Modern CIFS servers including Samba and most Windows versions Modern CIFS servers including Samba and most Windows versions
(since 1997) support stronger NTLM (and even NTLMv2 and Kerberos) (since 1997) support stronger NTLM (and even NTLMv2 and Kerberos)
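Review bot: The new help text for CIFS_ALLOW_INSECURE_LEGACY does not mention that setting it to N also makes CIFS_WEAK_PW_HASH unavailable, which follows from the changed line "depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY". Suggest one more sentence in the help saying that LANMAN support cannot be selected when this option is off, and a period after "on mounts with cifs.ko". Because the option is "default y", a build only drops vers=1.0 and vers=2.0 when someone sets it to N explicitly; stating that in the help would make the hardening step easier to find.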

@ -1174,6 +1174,7 @@ cifs_parse_smb_version(char *value, struct smb_vol *vol, bool is_smb3)
substring_t args[MAX_OPT_ARGS]; substring_t args[MAX_OPT_ARGS];
switch (match_token(value, cifs_smb_version_tokens, args)) { switch (match_token(value, cifs_smb_version_tokens, args)) {
#ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY
case Smb_1: case Smb_1:
if (disable_legacy_dialects) { if (disable_legacy_dialects) {
cifs_dbg(VFS, "mount with legacy dialect disabled\n"); cifs_dbg(VFS, "mount with legacy dialect disabled\n");
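Review bot: With "#ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY" placed directly above "case Smb_1:", the existing "if (disable_legacy_dialects)" check is compiled only when the option is enabled, so in a build with the option off that variable no longer has any effect in this function. If it is something an administrator can set at run time, document next to it (or in the Kconfig help) that it is ignored in such builds, so nobody assumes the legacy dialects can be turned back on that way.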
@ -1198,6 +1199,14 @@ cifs_parse_smb_version(char *value, struct smb_vol *vol, bool is_smb3)
vol->ops = &smb20_operations; vol->ops = &smb20_operations;
vol->vals = &smb20_values; vol->vals = &smb20_values;
break; break;
#else
case Smb_1:
cifs_dbg(VFS, "vers=1.0 (cifs) mount not permitted when legacy dialects disabled\n");
return 1;
case Smb_20:
cifs_dbg(VFS, "vers=2.0 mount not permitted when legacy dialects disabled\n");
return 1;
#endif /* CIFS_ALLOW_INSECURE_LEGACY */
case Smb_21: case Smb_21:
vol->ops = &smb21_operations; vol->ops = &smb21_operations;
vol->vals = &smb21_values; vol->vals = &smb21_values;
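Review bot: The closing comment "#endif /* CIFS_ALLOW_INSECURE_LEGACY */" does not match the symbol tested by the opening "#ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY"; use the full name so a search for the symbol finds both ends of the block. The two messages in the #else branch say "not permitted when legacy dialects disabled", which is close to the run-time message "mount with legacy dialect disabled"; wording them as disabled at build time would tell whoever reads the log that no mount option or run-time setting will bring vers=1.0 or vers=2.0 back. Keeping explicit "case Smb_1:" and "case Smb_20:" arms that return 1 is the right choice, since each refusal is logged with the dialect that was asked for.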