From patchwork Wed Jun 26 12:15:28 2024
X-Patchwork-Submitter: vicvbcun
X-Patchwork-Id: 65666
Subject: [bug#71594] [PATCH v3] file-systems: Allow specifying CIFS credentials in a file.
From: vicvbcun
Date: Wed, 26 Jun 2024 14:15:28 +0200

As files in the store and /etc/fstab are world readable, specifying the
password in the file-system record is suboptimal.  To mitigate this,
`mount.cifs' supports reading `username', `password' and `domain' options from
a file named by the `credentials' or `cred' option.

* gnu/build/file-systems.scm (mount-file-system): Read mount options from the
file specified via the `credentials' or `cred' option if specified.

Change-Id: I786c5da373fc26d45fe7a876c56a8c4854d18532
---
Changes since v2:
  - Add an implementation note to `read-cifs-credential-file'.
Changes since v1: - rename `read-credential-file' to `read-cifs-credential-file' and rewrite using `match' - break lines earlier gnu/build/file-systems.scm | 42 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) base-commit: 2195f70936b7aeec123d4e95345f1007d3a7bb06 diff --git a/gnu/build/file-systems.scm b/gnu/build/file-systems.scm index ae29b36c4e..58e8170c0d 100644 --- a/gnu/build/file-systems.scm +++ b/gnu/build/file-systems.scm @@ -39,6 +39,7 @@ (define-module (gnu build file-systems) #:use-module (ice-9 match) #:use-module (ice-9 rdelim) #:use-module (ice-9 regex) + #:use-module (ice-9 string-fun) #:use-module (system foreign) #:autoload (system repl repl) (start-repl) #:use-module (srfi srfi-1) 
@@ -1186,6 +1187,39 @@ (define* (mount-file-system fs #:key (root "/root") (string-append "," options) ""))))) + (define (read-cifs-credential-file file) + ;; Read password, user and domain options from file + ;; + ;; XXX: As of version 7.0, mount.cifs strips all lines of leading + ;; whitespace, parses those starting with "pass", "user" and "dom" into + ;; "pass=", "user=" and "domain=" options respectively and ignores + ;; everything else. To simplify the implementation, we pass those lines + ;; as is. As a consequence, the "password2" option can be specified in a + ;; credential file with the expected semantics (see: + ;; https://issues.guix.gnu.org/71594#3). + (with-input-from-file file + (lambda () + (let loop + ((next-line (read-line)) + (lines '())) + (match next-line + ((? eof-object?) + lines) + ((= string-trim line) + (loop (read-line) + (cond + ((string-prefix? "pass" line) + ;; mount.cifs escapes commas in the password by doubling + ;; them + (cons (string-replace-substring line "," ",,") + lines)) + ((or (string-prefix? "user" line) + (string-prefix? "dom" line)) + (cons line lines)) + ;; Ignore all other lines. + (else + lines))))))))) + (define (mount-cifs source mount-point type flags options) ;; Source is of form "///" (let* ((regex-match (string-match "//([^/]+)/(.+)" source)) @@ -1194,6 +1228,9 @@ (define* (mount-file-system fs #:key (root "/root") ;; Match ",guest,", ",guest$", "^guest,", or "^guest$," not ;; e.g. user=foo,pass=notaguest (guest? (string-match "(^|,)(guest)($|,)" options)) + (credential-file (and=> (string-match "(^|,)(credentials|cred)=([^,]+)(,|$)" + options) + (cut match:substring <> 3))) ;; Perform DNS resolution now instead of attempting kernel dns ;; resolver upcalling. /sbin/request-key does not exist and the ;; kernel hardcodes the path. 
@@ -1218,6 +1255,11 @@ (define* (mount-file-system fs #:key (root "/root") ;; ignores it. Also, avoiding excess commas ;; when deleting is a pain. (string-append "," options) + "") + (if credential-file + ;; The "credentials" option is ignored too. + (string-join (read-cifs-credential-file credential-file) + "," 'prefix) ""))))) (let* ((type (file-system-type fs))
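Review bot: in the `@@ -1186,6 +1187,39 @@` hunk, `read-cifs-credential-file` doubles commas only in the `pass` branch; lines starting with `user` or `dom` are consed unchanged and later joined with ",", so a comma inside a username or domain value turns into extra mount options. Suggest rejecting such lines, or at least warning about them, instead of passing them through. Also, `string-trim` strips leading whitespace only, so trailing whitespace or a carriage return from the file stays in the option value, and `with-input-from-file` will raise out of `mount-file-system` when the file is missing or unreadable; a short comment on the intended behaviour in both cases would help.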
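Review bot: in the `@@ -1194,6 +1228,9 @@` hunk, the `credential-file` binding uses `(cut match:substring <> 3)`, and `cut` comes from (srfi srfi-26), while the import hunk of this patch adds only (ice-9 string-fun); please confirm srfi-26 is already in the module's `#:use-module` list. The captured path is also opened exactly as written, not under the `root` keyword of `mount-file-system`, so a comment stating which file system the path is resolved against at mount time would be useful.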
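Review bot: in the `@@ -1218,6 +1255,11 @@` hunk, the options read from the file are appended after the caller's own `options`, so a record that sets `user=` or `pass=` inline together with `credentials=` now produces a string carrying both, and nothing states which one is meant to take effect. Suggest documenting the precedence next to the `;; The "credentials" option is ignored too.` comment, or dropping the inline values when a credential file is given. The diffstat shows only gnu/build/file-systems.scm changed, so a manual entry describing the `credentials`/`cred` support and the expected permissions of that file is still missing.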