[Bug 2099914] Re: CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials cache
Matthew Ruffell
2099914 at bugs.launchpad.net
Wed Apr 30 01:58:42 UTC 2025
** Description changed:
BugLink: https://bugs.launchpad.net/bugs/2099914
[Impact]
This is CVE-2025-2312, where namespace confusion by cifs.upcall may lead to
disclosing sensitive data from the host or container Kerberos credentials cache
by accessing the wrong credential cache that doesn't belong to the current user.
Consider the following scenario:
A CIFS/SMB file share is mounted on a host node using Kerberos
authentication.
During the session setup phase, the Linux kernel's cifs.ko module makes an
upcall to user space to retrieve the Kerberos service ticket from the credential
cache.
In typical (non-container) environments, this process works correctly, but in
containerized environments, the upcall may be directed to a different namespace
than intended, leading to issues. For example:
a) The file share is mounted on the host node at /mnt/testshare1, meaning the
Kerberos credential cache is stored in the host's namespace.
b) A Docker container is created, and the file share path /mnt/testshare1 is
exported to the container at /sharedpath.
c) When the service ticket expires and the SMB connection is lost, before the
ticket is refreshed in the credential cache, an application inside the container
performs a file operation. This triggers the kernel to attempt a session
reconnect.
d) During the session setup, a Kerberos ticket is needed, so the kernel invokes
the cifs.upcall binary using the request_key function. However, cifs.upcall
switches to the namespace of the caller (i.e., the container), causing it to
attempt to read the credential cache from the container's namespace. But since
the original mount happened in the host namespace, the credential cache is
located on the host, not in the container. This results in the upcall failing
to access the correct credential cache, or accessing a credential cache which
doesn't belong to the correct user.
[Fix]
The fix adds an "upcall_target" mount parameter that needs to be present in both
the kernel and cifs-utils. "upcall_target" specifies in which namespace to find the
Kerberos credential cache, and takes the options "mount", being the host namespace,
or "app", being the container namespace. The language is intended to suit
Kubernetes-based use cases.
The kernel requires the following commit:
commit db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
Author: Ritvik Budhiraja <rbudhiraja at microsoft.com>
Date: Mon Nov 11 11:43:51 2024 +0000
Subject: CIFS: New mount option for cifs.upcall namespace resolution
Link: https://github.com/torvalds/linux/commit/db363b0a1d9e6b9dc556296f1b1007aeb496a8cf
This landed in 6.13 mainline, and is already in plucky. Oracular is a clean
cherry pick, noble and jammy require a context adjustment backport, and focal
needed a heavy backport.
Test packages are available in the following ppa:
https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport
In addition, a userspace fix is also needed in cifs-utils, with the following
commits:
commit 89b679228cc1be9739d54203d28289b03352c174
From: Ritvik Budhiraja <rbudhiraja at microsoft.com>
Date: Tue, 19 Nov 2024 06:07:58 +0000
Subject: CIFS.upcall to accomodate new namespace mount opt
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=89b679228cc1be9739d54203d28289b03352c174
commit cf63240489431e98033e599a7c9437b59494a2e4
From: Ritvik Budhiraja <rbudhiraja at microsoft.com>
Date: Thu, 30 Jan 2025 14:13:10 +0000
Subject: cifs-utils: add documentation for upcall_target
Link: https://git.samba.org/?p=cifs-utils.git;a=commit;h=cf63240489431e98033e599a7c9437b59494a2e4
These were part of the 7.2 upstream release. Plucky already has this release, so we just
need to fix oracular, noble, jammy and focal.
Test packages are available in the following ppa:
https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test
If you install the test packages, you can now use the upcall_target argument
with either "mount" or "app" options.
[Testcase]
Some knowledge of kerberos will go a long way to help you make this all
work.
We should be able to do all testing on the same VM.
1) Create a fresh VM
2) sudo apt update
3) sudo apt upgrade
4) sudo hostnamectl set-hostname samba-dc
5) sudo vim /etc/hosts
Add an entry with its IP address, e.g.:
192.168.122.124 samba-dc samba-dc.example.com
6) sudo apt install -y samba smbclient winbind libpam-winbind libnss-winbind krb5-kdc libpam-krb5 cifs-utils
Note: skip configuration of the Kerberos KDC.
7) sudo rm /etc/krb5.conf
8) sudo rm /etc/samba/smb.conf
9) sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=SAMBA_INTERNAL --realm=samba-dc.EXAMPLE.COM --domain=SAMBA --adminpass=Password1
10) sudo cp /var/lib/samba/private/krb5.conf /etc/krb5.conf
11) sudo systemctl mask smbd nmbd winbind
12) sudo systemctl disable smbd nmbd winbind
13) sudo systemctl stop smbd nmbd winbind
14) sudo systemctl unmask samba-ad-dc
15) sudo systemctl start samba-ad-dc
16) sudo systemctl enable samba-ad-dc
17) sudo reboot
18) sudo systemctl stop systemd-resolved
19) sudo systemctl disable systemd-resolved
20) cat << EOF >> /etc/resolv.conf
nameserver 192.168.122.124
search SAMBA
EOF
21) sudo reboot
22) host -t SRV _ldap._tcp.samba-dc.example.com
_ldap._tcp.samba-dc.example.com has SRV record 0 100 389 samba-dc.samba-dc.example.com.
23) $ smbclient -L localhost -N
Anonymous login successful
Sharename Type Comment
--------- ---- -------
sysvol Disk
netlogon Disk
IPC$ IPC IPC Service (Samba 4.13.17-Ubuntu)
SMB1 disabled -- no workgroup available
24) $ smbclient //localhost/netlogon -UAdministrator -c 'ls'
Enter SAMBA\Administrator's password:
. D 0 Mon Feb 28 04:23:22 2022
.. D 0 Mon Feb 28 04:23:27 2022
9983232 blocks of size 1024. 7995324 blocks available
25) kinit administrator
Password for administrator@SAMBA-DC.EXAMPLE.COM:
Warning: Your password will expire in 41 days on Wed May 21 02:51:02 2025
26) klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@SAMBA-DC.EXAMPLE.COM
Valid starting Expires Service principal
04/09/25 02:53:27 04/09/25 12:53:27 krbtgt/SAMBA-DC.EXAMPLE.COM@SAMBA-DC.EXAMPLE.COM
renew until 04/10/25 02:53:22
27) Create a share:
28) sudo mkdir -p /srv/samba/Demo/
29) sudo vim /etc/samba/smb.conf
[Demo]
path = /srv/samba/Demo/
read only = no
30) sudo chmod 0770 /srv/samba/Demo/
31) smbclient -U Administrator //samba-dc.example.com/demo
Password for [SAMBA\Administrator]:
Try "help" to get a list of possible commands.
smb: \>
32) smbclient -U Administrator --use-krb5-ccache=/tmp/krb5cc_1000 //samba-dc.example.com/demo
Try "help" to get a list of possible commands.
smb: \>
33) klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: administrator@SAMBA-DC.EXAMPLE.COM
Valid starting Expires Service principal
04/09/25 02:53:27 04/09/25 12:53:27 krbtgt/SAMBA-DC.EXAMPLE.COM@SAMBA-DC.EXAMPLE.COM
renew until 04/10/25 02:53:22
04/09/25 02:58:16 04/09/25 12:53:27 cifs/samba-dc.example.com@EXAMPLE.COM
renew until 04/10/25 02:53:22
Ticket server: cifs/samba-dc.example.com@SAMBA-DC.EXAMPLE.COM
04/09/25 02:58:16 04/09/25 12:53:27 cifs/samba-dc.example.com@SAMBA-DC.EXAMPLE.COM
renew until 04/10/25 02:53:22
34) sudo -s
35) # kinit Administrator@SAMBA-DC.EXAMPLE.COM
Password for Administrator@SAMBA-DC.EXAMPLE.COM:
Warning: Your password will expire in 41 days on Wed May 21 02:51:02 2025
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SAMBA-DC.EXAMPLE.COM
Valid starting Expires Service principal
04/09/25 03:26:10 04/09/25 13:26:10 krbtgt/SAMBA-DC.EXAMPLE.COM@SAMBA-DC.EXAMPLE.COM
renew until 04/10/25 03:26:06
36) # mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0 //samba-dc.example.com/demo /mnt/testshare1
37) # klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: Administrator@SAMBA-DC.EXAMPLE.COM
Valid starting Expires Service principal
04/09/25 03:26:10 04/09/25 13:26:10 krbtgt/SAMBA-DC.EXAMPLE.COM@SAMBA-DC.EXAMPLE.COM
renew until 04/10/25 03:26:06
04/09/25 03:30:26 04/09/25 13:26:10 cifs/samba-dc.example.com@
renew until 04/10/25 03:26:06
Ticket server: cifs/samba-dc.example.com@SAMBA-DC.EXAMPLE.COM
38) journalctl
kernel: netfs: FS-Cache loaded
kernel: Key type cifs.spnego registered
kernel: Key type cifs.idmap registered
kernel: CIFS: No dialect specified on mount. Default has changed to a more secure dialect, SMB2.1 or later (e.g. SMB3.1.1), from CIFS (SMB1). T>
kernel: CIFS: enabling forceuid mount option implicitly because uid= option is specified
kernel: CIFS: enabling forcegid mount option implicitly because gid= option is specified
kernel: CIFS: Attempting to mount //samba-dc.example.com/demo
cifs.upcall[1805]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6ee
cifs.upcall[1806]: ver=2
cifs.upcall[1806]: host=samba-dc.example.com
cifs.upcall[1806]: ip=192.168.122.124
cifs.upcall[1806]: sec=1
cifs.upcall[1806]: uid=0
cifs.upcall[1806]: creduid=0
cifs.upcall[1806]: user=root
cifs.upcall[1806]: pid=1774
cifs.upcall[1805]: get_cachename_from_process_env: pid == 0
cifs.upcall[1805]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1805]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1805]: handle_krb5_mech: using native krb5
cifs.upcall[1805]: handle_krb5_mech: obtained service ticket
cifs.upcall[1805]: Exit status 0
Take note of the line:
get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
39) # stat /mnt/testshare1
File: /mnt/testshare1
Size: 0 Blocks: 0 IO Block: 1048576 directory
Device: 0,41 Inode: 297860 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-04-09 02:54:45.264000000 +0000
Modify: 2025-04-09 02:54:45.264000000 +0000
Change: 2025-04-09 02:54:45.264000000 +0000
Birth: 2025-04-09 02:54:45.264000000 +0000
40) sudo apt install docker.io
41) docker pull ubuntu:24.04
42) docker run -it -v /mnt/testshare1:/mnt/shared --name cifstest ubuntu:24.04 /bin/bash
43) root@685c7e420afc:/# stat /mnt/shared
File: /mnt/shared
Size: 0 Blocks: 0 IO Block: 1048576 directory
Device: 0,41 Inode: 297860 Links: 2
Access: (0755/drwxr-xr-x) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2025-04-09 02:54:45.264000000 +0000
Modify: 2025-04-09 02:54:45.264000000 +0000
Change: 2025-04-09 02:54:45.264000000 +0000
Birth: 2025-04-09 02:54:45.264000000 +0000
root@685c7e420afc:/# ls /mnt/shared
44) root@685c7e420afc:/# apt install krb5-user
45) root@685c7e420afc:/# vim /etc/krb5.conf
Edit default_cache_name to /tmp/krb5cc_000, save and exit.
- 46) Back on the host in root:
- # kdestory
- # umount /mnt/testshare1
+ 46) Back on the host in root, clear initial kerberos crediental cache and disconnect cifs connections.
+ # kdestroy -c /tmp/krb5cc_0
+ # ss -K dport 445
47) Back in the container:
root@685c7e420afc:/# stat /mnt/shared
48) Back on the host in root:
# journalctl
CIFS: VFS: Verify user has a krb5 ticket and keyutils is installed
CIFS: VFS: //samba-dc.example.com/demo Send error in SessSetup = -126
cifs.upcall[1805]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6ee
cifs.upcall[1806]: ver=2
cifs.upcall[1806]: host=samba-dc.example.com
cifs.upcall[1806]: ip=192.168.122.124
cifs.upcall[1806]: sec=1
cifs.upcall[1806]: uid=0
cifs.upcall[1806]: creduid=0
cifs.upcall[1806]: user=root
cifs.upcall[1806]: pid=2162
cifs.upcall[1805]: get_cachename_from_process_env: pid == 0
cifs.upcall[1805]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_000)
cifs.upcall: get_tgt_time: unable to get principal
cifs.upcall: main: valid TGT is not present in credential cache
cifs.upcall: krb5_parse_name: -1765328160
cifs.upcall[1805]: handle_krb5_mech: getting service ticket for samba-dc.example.com
cifs.upcall[1805]: handle_krb5_mech: using native krb5
Note that it now tries to read /tmp/krb5cc_000 from the container namespace instead
of /tmp/krb5cc_0 from the host namespace.
If you install the test packages from the following PPAs:
https://launchpad.net/~vpeixoto/+archive/ubuntu/cifs-backport
https://launchpad.net/~mruffell/+archive/ubuntu/sf407276-test
then, when you initially mount the cifs filesystem, use the new mount option
upcall_target=mount:
# mount -t cifs -o cruid=root,user=root,sec=krb5i,uid=0,gid=0,cred=/tmp/krb5cc_0,upcall_target=mount //samba-dc.example.com/demo /mnt/testshare1
Repeat the testcase. When we disconnect the cifs connection and try stat inside
the container, the Kerberos credential cache should be /tmp/krb5cc_0 in the
host namespace:
get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
[Where problems can occur]
We are adding a new mount option to cifs in both the kernel and in cifs-utils.
Existing cifs-utils packages need to not break when making upcalls to kernels
that have this new upcall_target option, and existing kernels need to not break
when using new cifs-utils packages that set upcall_target without the necessary
in-kernel support.
We need to be careful to test three scenarios:
* patched kernel, patched cifs-utils
* patched kernel, existing cifs-utils
* existing kernel, patched cifs-utils
If a regression were to occur, it could affect mounting of cifs / smb shares and
users would not be able to access their data.
Additionally, if a regression were to occur, we could also further confuse what
namespace is to be used for accessing the user's kerberos credentials cache,
which could disclose data from the host or container namespace to the incorrect
namespace.
[Other info]
CVE-2025-2312
https://ubuntu.com/security/CVE-2025-2312
https://nvd.nist.gov/vuln/detail/CVE-2025-2312
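The following is an added example and is not part of the bug report, of cifs-utils or of the kernel fix. It is a defender's check for the symptom the testcase demonstrates: it parses the cifs.upcall journal lines (the cifs.spnego key description and the "get_existing_cc: default ccache is ..." line) and reports when the upcall resolved a credential cache other than the cred= cache the share was mounted with on the host, as happens in step 48 above. A second helper scans /proc/mounts-style lines for Kerberos cifs mounts that lack upcall_target so they can be remounted with upcall_target=mount once fixed packages are installed. All journal and /proc/mounts lines in the block are constructed from the output shown above; that upcall_target is visible in the /proc/mounts option list is an assumption of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed journal excerpts modelled on the cifs.upcall output in the testcase.
JOURNAL_HEALTHY = """\
cifs.upcall[1805]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6ee
cifs.upcall[1805]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_0
cifs.upcall[1805]: handle_krb5_mech: obtained service ticket
cifs.upcall[1805]: Exit status 0
"""
JOURNAL_CONFUSED = """\
CIFS: VFS: //samba-dc.example.com/demo Send error in SessSetup = -126
cifs.upcall[1805]: key description: cifs.spnego;0;0;39010000;ver=0x2;host=samba-dc.example.com;ip4=192.168.122.124;sec=krb5;uid=0x0;creduid=0x0;user=root;pid=0x6ee
cifs.upcall[1805]: get_existing_cc: default ccache is FILE:/tmp/krb5cc_000
check_service_ticket_exists: unable to get client principal from cache: No credentials cache found (filename: /tmp/krb5cc_000)
cifs.upcall: main: valid TGT is not present in credential cache
"""
# Constructed /proc/mounts lines; upcall_target appearing in the option list is an assumption.
PROC_MOUNTS = """\
//samba-dc.example.com/demo /mnt/testshare1 cifs rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,uid=0,gid=0 0 0
//samba-dc.example.com/demo /mnt/testshare2 cifs rw,relatime,vers=3.1.1,sec=krb5i,cruid=0,upcall_target=mount 0 0
//nas.example.com/pub /mnt/pub cifs rw,relatime,vers=3.1.1,sec=ntlmssp,uid=1000 0 0
"""

KEYDESC_RE = re.compile(r"key description: (?P<desc>cifs\.spnego;.*)$")
CCACHE_RE = re.compile(r"get_existing_cc: default ccache is (?P<ccache>\S+)")
NOCACHE_RE = re.compile(r"No credentials cache found \(filename: (?P<path>[^)]+)\)")


def parse_key_description(desc: str) -> Dict[str, object]:
    """Parse the cifs.spnego key description the kernel hands to cifs.upcall.
    Layout as logged: type;uid;gid;perm;name=value;...  Hex fields (ver, uid,
    creduid, pid) become integers, so pid=0x6ee is 1774, the pid the upcall logs."""
    parts = desc.split(";")
    fields: Dict[str, object] = {"type": parts[0], "key_uid": int(parts[1]),
                                 "key_gid": int(parts[2]), "key_perm": parts[3]}
    for part in parts[4:]:
        if "=" in part:
            name, value = part.split("=", 1)
            fields[name] = int(value, 16) if value.startswith("0x") else value
    return fields


def normalise_ccache(ccache: str) -> str:
    """Drop a FILE: cache-type prefix so krb5 cache names compare as paths."""
    return ccache[5:] if ccache.startswith("FILE:") else ccache


@dataclass
class UpcallRecord:
    key: Dict[str, object] = field(default_factory=dict)
    ccache: Optional[str] = None            # cache cifs.upcall actually opened
    missing_caches: List[str] = field(default_factory=list)


def parse_upcall_journal(text: str) -> UpcallRecord:
    """Collect the key description, the resolved ccache and missing-cache errors."""
    record = UpcallRecord()
    for line in text.splitlines():
        if m := KEYDESC_RE.search(line):
            record.key = parse_key_description(m.group("desc"))
        elif m := CCACHE_RE.search(line):
            record.ccache = normalise_ccache(m.group("ccache"))
        elif m := NOCACHE_RE.search(line):
            record.missing_caches.append(m.group("path"))
    return record


def check_ccache(text: str, expected_ccache: str) -> List[str]:
    """Report when cifs.upcall resolved a cache other than the cred= cache the
    share was mounted with on the host (the symptom in step 48)."""
    record = parse_upcall_journal(text)
    expected = normalise_ccache(expected_ccache)
    findings: List[str] = []
    if record.ccache is None:
        findings.append("no get_existing_cc line: cifs.upcall did not resolve a ccache")
    elif record.ccache != expected:
        findings.append(
            f"cifs.upcall (creduid={record.key.get('creduid')}, caller pid="
            f"{record.key.get('pid')}) resolved {record.ccache} instead of {expected}: "
            "consistent with the namespace confusion of CVE-2025-2312")
    for path in record.missing_caches:
        findings.append(f"{path} does not exist in the namespace cifs.upcall searched")
    return findings


def krb5_mounts_without_upcall_target(proc_mounts: str) -> List[str]:
    """Mount points using Kerberos (sec=krb5*) whose option list lacks upcall_target;
    with fixed packages these are candidates for remounting with upcall_target=mount."""
    result: List[str] = []
    for line in proc_mounts.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[2] != "cifs":
            continue
        opts = dict(o.split("=", 1) if "=" in o else (o, "") for o in cols[3].split(","))
        if str(opts.get("sec", "")).startswith("krb5") and "upcall_target" not in opts:
            result.append(cols[1])
    return result


if __name__ == "__main__":
    for name, text in (("healthy", JOURNAL_HEALTHY), ("confused", JOURNAL_CONFUSED)):
        print(name, check_ccache(text, "/tmp/krb5cc_0") or ["ok"])
    print("krb5 mounts without upcall_target:", krb5_mounts_without_upcall_target(PROC_MOUNTS))
```

On a real host the journal text would come from "journalctl -t cifs.upcall" and the mount list from /proc/mounts; the expected cache is the cred= value used at mount time. A mismatch finding is the condition to alert on after the reconnect in step 47, and an empty finding list after remounting with upcall_target=mount is the pass criterion of the testcase.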
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to cifs-utils in Ubuntu.
https://bugs.launchpad.net/bugs/2099914
Title:
CVE-2025-2312 cifs.upcall could access incorrect kerberos credentials
cache
Status in cifs-utils package in Ubuntu:
Fix Released
Status in linux package in Ubuntu:
Fix Released
Status in cifs-utils source package in Focal:
In Progress
Status in linux source package in Focal:
In Progress
Status in cifs-utils source package in Jammy:
In Progress
Status in linux source package in Jammy:
In Progress
Status in cifs-utils source package in Noble:
In Progress
Status in linux source package in Noble:
In Progress
Status in cifs-utils source package in Oracular:
In Progress
Status in linux source package in Oracular:
In Progress
Status in cifs-utils source package in Plucky:
Fix Released
Status in linux source package in Plucky:
Fix Released