Subject: [bug#71594] [PATCH] file-systems: Allow specifying CIFS credentials in a file.
From: vicvbcun
Date: Sun, 16 Jun 2024 17:59:38 +0200

As files in the store and /etc/fstab are world readable, specifying the password in the file-system record is suboptimal. To mitigate this, `mount.cifs' supports reading `username', `password' and `domain' options from a file named by the `credentials' or `cred' option.

* gnu/build/file-systems.scm (mount-file-system): Read mount options from the file specified via the `credentials' or `cred' option if specified.

Change-Id: I786c5da373fc26d45fe7a876c56a8c4854d18532
---
`read-credential-file' is certainly not very elegant, but it matches what `mount.cifs' does.

gnu/build/file-systems.scm | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/gnu/build/file-systems.scm b/gnu/build/file-systems.scm index ae29b36c4e..f0c16453e8 100644 --- a/gnu/build/file-systems.scm +++ b/gnu/build/file-systems.scm
@@ -39,6 +39,7 @@ (define-module (gnu build file-systems) #:use-module (ice-9 match) #:use-module (ice-9 rdelim) #:use-module (ice-9 regex) + #:use-module (ice-9 string-fun) #:use-module (system foreign) #:autoload (system repl repl) (start-repl) #:use-module (srfi srfi-1) @@ -1186,6 +1187,28 @@ (define* (mount-file-system fs #:key (root "/root") (string-append "," options) ""))))) + (define (read-credential-file file) + ;; Read password, user and domain options from file + (with-input-from-file file + (lambda () + (let loop + ((next-line (read-line)) + (lines '())) + (if (not (eof-object? next-line)) + (loop (read-line) + (cond + ((string-match "^[[:space:]]*pass" next-line) + ;; mount.cifs escapes commas in the password by doubling + ;; them + (cons (string-replace-substring (string-trim next-line) "," ",,") + lines)) + ((string-match "^[[:space:]]*(user|dom)" next-line) + (cons (string-trim next-line) lines)) + ;; Ignore all other lines. + (else + lines))) + lines))))) + (define (mount-cifs source mount-point type flags options) ;; Source is of form "///" (let* ((regex-match (string-match "//([^/]+)/(.+)" source)) @@ -1194,6 +1217,8 @@ (define* (mount-file-system fs #:key (root "/root") ;; Match ",guest,", ",guest$", "^guest,", or "^guest$," not ;; e.g. user=foo,pass=notaguest (guest? (string-match "(^|,)(guest)($|,)" options)) + (credential-file (and=> (string-match "(^|,)(credentials|cred)=([^,]+)(,|$)" options) + (cut match:substring <> 3))) ;; Perform DNS resolution now instead of attempting kernel dns ;; resolver upcalling. /sbin/request-key does not exist and the ;; kernel hardcodes the path. 
@@ -1218,6 +1243,10 @@ (define* (mount-file-system fs #:key (root "/root") ;; ignores it. Also, avoiding excess commas ;; when deleting is a pain. (string-append "," options) + "") + (if credential-file + ;; The "credentials" option is ignored too. + (string-join (read-credential-file credential-file) "," 'prefix) ""))))) (let* ((type (file-system-type fs)) base-commit: 2195f70936b7aeec123d4e95345f1007d3a7bb06 -- 2.45.1
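
Review bot: In the `@@ -1186,6 +1187,28 @@' hunk, `read-credential-file' doubles commas only on the branch matching "^[[:space:]]*pass"; lines matching "(user|dom)" go through `(cons (string-trim next-line) lines)' unchanged, so a comma in a user or domain line becomes an option separator once the list is joined with "," in the last hunk. Suggest rejecting such lines (or escaping them, if that is known to be accepted), and requiring an `=' in the line before forwarding it, since the prefix match alone also accepts a bare `user' or any other key that starts with those letters.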
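
Review bot: Missing documentation for the option parsed in the `@@ -1194,6 +1217,8 @@' hunk: the diffstat shows only gnu/build/file-systems.scm changed, so nothing tells users that `credentials=' and `cred=' are now honoured. Because the commit message's rationale is that the store and /etc/fstab are world readable, the manual entry should say that the file has to live outside the store with restrictive permissions, and a comment next to `([^,]+)' should note that the path cannot contain a comma.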
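
Review bot: In the `@@ -1218,6 +1243,10 @@' hunk, `(read-credential-file credential-file)' is called with no handling for a missing or unreadable file, so whatever `with-input-from-file' raises propagates out of `mount-cifs' at mount time. Suggest catching the error at this call and reporting a message that names the credentials path, so a failed mount is easy to trace back to the file.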

Subject: [bug#71594] [PATCH] file-systems: Allow specifying CIFS credentials in a file.
From: Richard Sent
Date: Tue, 18 Jun 2024 09:55:42 -0400

> + (define (read-credential-file file)
> + ;; Read password, user and domain options from file
> + (with-input-from-file file
> + (lambda ()
> + (let loop
> + ((next-line (read-line))
> + (lines '()))
> + (if (not (eof-object? next-line))
> + (loop (read-line)
> + (cond
> + ((string-match "^[[:space:]]*pass" next-line)
> + ;; mount.cifs escapes commas in the password by doubling
> + ;; them
> + (cons (string-replace-substring (string-trim next-line) "," ",,")
> + lines))
> + ((string-match "^[[:space:]]*(user|dom)" next-line)
> + (cons (string-trim next-line) lines))
> + ;; Ignore all other lines.
> + (else
> + lines)))
> + lines)))))

I'd personally rename this to read-cifs-credential-file or cifs-read-credential-file if it's only used with cifs.

You may be able to make this more compact by following a structure similar to authorized-shell-directory? in (guix scripts shell).

I believe CIFS will add a password2 mount option in 6.9.4 [1]. We should check if mount.cifs supports putting that option in the credentials file and match their behavior. If that's too much an ask (Guix's mount.cifs may not be new enough), I think a comment or proactive bug report is appropriate.

> + (credential-file (and=> (string-match "(^|,)(credentials|cred)=([^,]+)(,|$)" options)

Line's a bit long, can we add a newline before options?

> + (string-join (read-credential-file credential-file) "," 'prefix)

Ditto with ",".

Otherwise looks good to me. Thanks, with this I think we handle every mount option the same way as mount.cifs. 😄

[1]: https://sambaxp.org/fileadmin/user_upload/sambaxp2024-Slides/sxp24-French-accessing_remote.pdf, slide 25

--
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.

Subject: [bug#71594] [PATCH v2] file-systems: Allow specifying CIFS credentials in a file.
From: vicvbcun
Date: Thu, 20 Jun 2024 14:58:23 +0200

As files in the store and /etc/fstab are world readable, specifying the password in the file-system record is suboptimal. To mitigate this, `mount.cifs' supports reading `username', `password' and `domain' options from a file named by the `credentials' or `cred' option.

* gnu/build/file-systems.scm (mount-file-system): Read mount options from the file specified via the `credentials' or `cred' option if specified.

Change-Id: I786c5da373fc26d45fe7a876c56a8c4854d18532
---
Changes since v1:
- rename `read-credential-file' to `read-cifs-credential-file' and rewrite using `match'
- break lines earlier

gnu/build/file-systems.scm | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/gnu/build/file-systems.scm b/gnu/build/file-systems.scm index ae29b36c4e..387b4c1af4 100644 --- a/gnu/build/file-systems.scm +++ b/gnu/build/file-systems.scm @@ -39,6 +39,7 @@ (define-module (gnu build file-systems) #:use-module (ice-9 match) #:use-module (ice-9 rdelim) #:use-module (ice-9 regex) + #:use-module (ice-9 string-fun) #:use-module (system foreign) #:autoload (system repl repl) (start-repl) #:use-module (srfi srfi-1)
@@ -1186,6 +1187,31 @@ (define* (mount-file-system fs #:key (root "/root") (string-append "," options) ""))))) + (define (read-cifs-credential-file file) + ;; Read password, user and domain options from file + (with-input-from-file file + (lambda () + (let loop + ((next-line (read-line)) + (lines '())) + (match next-line + ((? eof-object?) + lines) + ((= string-trim line) + (loop (read-line) + (cond + ((string-prefix? "pass" line) + ;; mount.cifs escapes commas in the password by doubling + ;; them + (cons (string-replace-substring line "," ",,") + lines)) + ((or (string-prefix? "user" line) + (string-prefix? "dom" line)) + (cons line lines)) + ;; Ignore all other lines. + (else + lines))))))))) + (define (mount-cifs source mount-point type flags options) ;; Source is of form "///" (let* ((regex-match (string-match "//([^/]+)/(.+)" source)) @@ -1194,6 +1220,9 @@ (define* (mount-file-system fs #:key (root "/root") ;; Match ",guest,", ",guest$", "^guest,", or "^guest$," not ;; e.g. user=foo,pass=notaguest (guest? (string-match "(^|,)(guest)($|,)" options)) + (credential-file (and=> (string-match "(^|,)(credentials|cred)=([^,]+)(,|$)" + options) + (cut match:substring <> 3))) ;; Perform DNS resolution now instead of attempting kernel dns ;; resolver upcalling. /sbin/request-key does not exist and the ;; kernel hardcodes the path. 
@@ -1218,6 +1247,11 @@ (define* (mount-file-system fs #:key (root "/root") ;; ignores it. Also, avoiding excess commas ;; when deleting is a pain. (string-append "," options) + "") + (if credential-file + ;; The "credentials" option is ignored too. + (string-join (read-cifs-credential-file credential-file) + "," 'prefix) ""))))) (let* ((type (file-system-type fs)) base-commit: 2195f70936b7aeec123d4e95345f1007d3a7bb06 -- 2.45.1
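
Review bot: In the `@@ -1186,6 +1187,31 @@' hunk, `(= string-trim line)' strips leading whitespace only, so trailing whitespace, including the carriage return of a file saved with CRLF line endings, stays in the value that is forwarded as a mount option. Suggest removing a trailing #\return explicitly and stating in the comment whether other trailing whitespace is kept on purpose. `lines' is also built with `cons', so the options come out in reverse file order; a `reverse' or a short comment would settle what happens when a key appears twice.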
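
Review bot: In the `@@ -1218,6 +1247,11 @@' hunk there is no check for an empty result: when the file has no line starting with "pass", "user" or "dom", `read-cifs-credential-file' returns the empty list, `string-join' with 'prefix yields "", and the mount is attempted without credentials and without any diagnostic. Suggest raising an error or at least a warning that names the file when nothing was read from it.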

Subject: [bug#71594] [PATCH] file-systems: Allow specifying CIFS credentials in a file.
From: vicvbcun
Date: Thu, 20 Jun 2024 15:16:32 +0200

Hi,

thanks for the review!

On 2024-06-18T09:55:42-0400, Richard Sent wrote:
> [...]
> I'd personally rename this to read-cifs-credential-file or
> cifs-read-credential-file if it's only used with cifs.

done

> You may be able to make this more compact by following a structure
> similar to authorized-shell-directory? in (guix scripts shell).

I rewrote it using `match'; while not more compact, I like it more.

> I believe CIFS will add a password2 mount option in 6.9.4 [1]. We should
> check if mount.cifs supports putting that option in the credentials file
> and match their behavior. If that's too much an ask (Guix's mount.cifs
> may not be new enough), I think a comment or proactive bug report is
> appropriate.

If my understanding is correct, the `password2' option is just a way to supply an additional password the kernel may use when rotating passwords.

Looking at the latest version of mount.cifs[0], it doesn't seem to handle `password2' intentionally: Passing `password2' on the command line should work, but only because the return value of `parse_opt_token' is not checked for `OPT_ERROR'; in a credentials file it is accepted (as `parse_cred_line' only checks for a "pass" prefix) but passed as `password' instead.

I think that being able to specify `password2' in a credentials file makes sense and my patch doesn't forbid it.

If exposing an interface identical to that of `mount.cifs' and preserving the exact semantics (e.g `mount.cifs' complains when multiple passwords are specified and takes the first one) is the ultimate goal, I'd just shell out to `mount.cifs'. I certainly won't implement all the idiosyncrasies :).

0: https://git.samba.org/?p=cifs-utils.git;a=blob;f=mount.cifs.c;h=3b7a6b3c22e8c3b563c7ea92ecb9891fdfac01a6;hb=refs/heads/for-next

> > + (credential-file (and=> (string-match "(^|,)(credentials|cred)=([^,]+)(,|$)" options)
>
> Line's a bit long, can we add a newline before options?

done

> > + (string-join (read-credential-file credential-file) "," 'prefix)
>
> Ditto with ",".

done

> Otherwise looks good to me. Thanks, with this I think we handle every
> mount option the same way as mount.cifs. 😄
>
> [1]: https://sambaxp.org/fileadmin/user_upload/sambaxp2024-Slides/sxp24-French-accessing_remote.pdf,
> slide 25
>
> --
> Take it easy,
> Richard Sent
> Making my computer weirder one commit at a time.

vicvbcun
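
The credentials-file handling discussed in this thread, written out as an added example in Guile; it is not the patch's code and not part of Guix. The procedure names are hypothetical, and the permission check, the CR stripping, the refusal of commas in user and domain lines and the error on an empty result are choices of this example, not behaviour of the patch or of mount.cifs.

```scheme
;; Added example; every procedure name below is hypothetical.
(use-modules (ice-9 rdelim)        ;read-line
             (ice-9 string-fun))   ;string-replace-substring

(define (credential-file-private? file)
  "Return #t if FILE grants no permission bits to group or others."
  (zero? (logand #o077 (stat:perms (stat file)))))

(define (credential-line->option line)
  "Turn one credentials-file LINE into a mount option string, or return #f
when LINE is not a user, password or domain setting."
  (let* ((line   (string-trim-right (string-trim line) #\return))
         (equals (string-index line #\=)))
    (cond
     ((not equals) #f)                  ;not of the form key=value
     ((string-prefix? "pass" line)
      ;; Commas separate mount options, so a literal comma in the password
      ;; is written doubled, as in the patch.  The prefix test also lets
      ;; `password2' through under its own name, as noted in the thread.
      (string-replace-substring line "," ",,"))
     ((or (string-prefix? "user" line)
          (string-prefix? "dom" line))
      ;; Only the password is escaped; a comma here would show up as an
      ;; extra mount option, so this example refuses the line.  The error
      ;; names the key only, never the value.
      (if (string-index line #\,)
          (error "comma in credentials line for key"
                 (substring line 0 equals))
          line))
     (else #f))))                       ;ignore all other lines

(define (read-credential-options port)
  "Read credentials from PORT and return the option strings in file order."
  (let loop ((line    (read-line port))
             (options '()))
    (if (eof-object? line)
        (reverse options)
        (loop (read-line port)
              (let ((option (credential-line->option line)))
                (if option (cons option options) options))))))

(define (credential-file->options file)
  "Return the string to append to the mount options for credentials FILE."
  (unless (credential-file-private? file)
    (error "credentials file is accessible to group or others:" file))
  (let ((options (call-with-input-file file read-credential-options)))
    (when (null? options)
      (error "no user, password or domain line in" file))
    (string-join options "," 'prefix)))

;; Constructed sample input (not real credentials): CRLF line endings,
;; leading whitespace, a comment line and an unrelated key.
(define %sample-credentials
  (string-append "# constructed sample\r\n"
                 "  username=alice\r\n"
                 "password=s3cret,with,commas\r\n"
                 "domain=EXAMPLE\r\n"
                 "sec=none\r\n"))

;; Show the option suffix built from the sample, reading from a string
;; port so that the example runs without touching the file system.
(display (string-join
          (call-with-input-string %sample-credentials read-credential-options)
          "," 'prefix))
(newline)
```

`credential-file->options' is the entry point for a real path; the final expression only exercises the parser on the embedded sample.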

Subject: [bug#71594] [PATCH] file-systems: Allow specifying CIFS credentials in a file.
From: Richard Sent
Date: Thu, 20 Jun 2024 11:22:15 -0400

Hi vicvbcun!

vicvbcun writes:

> Hi,
>
> thanks for the review!

>> I believe CIFS will add a password2 mount option in 6.9.4 [1]. We should
>> check if mount.cifs supports putting that option in the credentials file
>> and match their behavior. If that's too much an ask (Guix's mount.cifs
>> may not be new enough), I think a comment or proactive bug report is
>> appropriate.
>
> Looking at the latest version of mount.cifs[0], it doesn't seem to
> handle `password2' intentionally: Passing `password2' on the command
> line should work, but only because the return value of `parse_opt_token'
> is not checked for `OPT_ERROR'; in a credentials file it is accepted (as
> `parse_cred_line' only checks for a "pass" prefix) but passed as
> `password' instead.
>
> I think that being able to specify `password2' in a credentials file
> makes sense and my patch doesn't forbid it.
>
> If exposing an interface identical to that of `mount.cifs' and
> preserving the exact semantics (e.g `mount.cifs' complains when multiple
> passwords are specified and takes the first one) is the ultimate goal,
> I'd just shell out to `mount.cifs'. I certainly won't implement all the
> idiosyncrasies :).
>
> 0: https://git.samba.org/?p=cifs-utils.git;a=blob;f=mount.cifs.c;h=3b7a6b3c22e8c3b563c7ea92ecb9891fdfac01a6;hb=refs/heads/for-next

Agreed, emulating mount.cifs in totality is too much. My concern with divergences in functionality is most users will read mount.cifs documentation for CIFS mount-options and whatnot, then potentially get bit when Guix does something different.

In this case the divergence is small and shouldn't cause issues. I think a XXX: style comment is appropriate.

--8<---------------cut here---------------start------------->8---
;; Read password, user and domain options from file
;;
;; XXX: Unlike mount.cifs this function reads password2 in the
;; credential file and returns it separately from password.
--8<---------------cut here---------------end--------------->8---

I wouldn't be surprised if mount.cifs eventually adopts the same behavior. I can't think of a reason why putting password2 in the credentials file shouldn't be supported.

--
Take it easy,
Richard Sent
Making my computer weirder one commit at a time.

Subject: [bug#71594] [PATCH v3] file-systems: Allow specifying CIFS credentials in a file.
From: vicvbcun
Date: Wed, 26 Jun 2024 14:15:28 +0200

As files in the store and /etc/fstab are world readable, specifying the
password in the file-system record is suboptimal. To mitigate this,
`mount.cifs' supports reading `username', `password' and `domain' options from
a file named by the `credentials' or `cred' option.

* gnu/build/file-systems.scm (mount-file-system): Read mount options from the
file specified via the `credentials' or `cred' option if specified.

Change-Id: I786c5da373fc26d45fe7a876c56a8c4854d18532
---
Changes since v2:
 - Add an implementation note to `read-cifs-credential-file'.

Changes since v1:
 - rename `read-credential-file' to `read-cifs-credential-file' and rewrite
   using `match'
 - break lines earlier

 gnu/build/file-systems.scm | 42 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 42 insertions(+)

diff --git a/gnu/build/file-systems.scm b/gnu/build/file-systems.scm index ae29b36c4e..58e8170c0d 100644 --- a/gnu/build/file-systems.scm +++ b/gnu/build/file-systems.scm @@ -39,6 +39,7 @@ (define-module (gnu build file-systems) #:use-module (ice-9 match) #:use-module (ice-9 rdelim) #:use-module (ice-9 regex) + #:use-module (ice-9 string-fun) #:use-module (system foreign) #:autoload (system repl repl) (start-repl) #:use-module (srfi srfi-1) @@ -1186,6 +1187,39 @@ (define* (mount-file-system fs #:key (root "/root") (string-append "," options) ""))))) + (define (read-cifs-credential-file file) + ;; Read password, user and domain options from file + ;; + ;; XXX: As of version 7.0, mount.cifs strips all lines of leading + ;; whitespace, parses those starting with "pass", "user" and "dom" into + ;; "pass=", "user=" and "domain=" options respectively and ignores + ;; everything else. To simplify the implementation, we pass those lines + ;; as is. As a consequence, the "password2" option can be specified in a + ;; credential file with the expected semantics (see: + ;; https://issues.guix.gnu.org/71594#3). + (with-input-from-file file + (lambda () + (let loop + ((next-line (read-line)) + (lines '())) + (match next-line + ((? eof-object?) + lines) + ((= string-trim line) + (loop (read-line) + (cond + ((string-prefix? "pass" line) + ;; mount.cifs escapes commas in the password by doubling + ;; them + (cons (string-replace-substring line "," ",,") + lines)) + ((or (string-prefix? "user" line) + (string-prefix? "dom" line)) + (cons line lines)) + ;; Ignore all other lines. + (else + lines))))))))) + (define (mount-cifs source mount-point type flags options) ;; Source is of form "///" (let* ((regex-match (string-match "//([^/]+)/(.+)" source)) 
@@ -1194,6 +1228,9 @@ (define* (mount-file-system fs #:key (root "/root") ;; Match ",guest,", ",guest$", "^guest,", or "^guest$," not ;; e.g. user=foo,pass=notaguest (guest? (string-match "(^|,)(guest)($|,)" options)) + (credential-file (and=> (string-match "(^|,)(credentials|cred)=([^,]+)(,|$)" + options) + (cut match:substring <> 3))) ;; Perform DNS resolution now instead of attempting kernel dns ;; resolver upcalling. /sbin/request-key does not exist and the ;; kernel hardcodes the path. 
@@ -1218,6 +1255,11 @@ (define* (mount-file-system fs #:key (root "/root") ;; ignores it. Also, avoiding excess commas ;; when deleting is a pain. (string-append "," options) + "") + (if credential-file + ;; The "credentials" option is ignored too. + (string-join (read-cifs-credential-file credential-file) + "," 'prefix) ""))))) (let* ((type (file-system-type fs)) base-commit: 2195f70936b7aeec123d4e95345f1007d3a7bb06 -- 2.45.1
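Review bot: In `read-cifs-credential-file' (hunk at -1186), only the "pass" branch doubles commas; the "user"/"dom" branch conses the line unchanged, and the caller later joins every returned line with ",". A comma inside a user or domain line therefore ends that option early and the remainder is handed on as a separate mount option. The comma-doubling escape is described here only for the password, so rejecting or warning on such lines looks safer than escaping them, and the XXX comment should say which is done.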
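Review bot: The `credential-file' binding (hunk at -1194) passes whatever follows `credentials=' or `cred=' straight to `with-input-from-file', and nothing in the patch handles a missing or unreadable file, so a typo in the path surfaces as a raw `system-error' from inside `mount-cifs'. Consider catching it and reporting which file could not be read. The `[^,]+' group also means a path containing a comma cannot be expressed, which deserves a word in the comment.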
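Review bot: In the final hunk (at -1218) the lines read from the credential file are appended after `options', which is itself passed through unchanged, so a record carrying both `credentials=' and an inline user or password option sends both on with no stated precedence. The thread notes that `mount.cifs' complains when multiple passwords are specified and takes the first one; either mirror that or document which value wins. The diffstat also shows only gnu/build/file-systems.scm changing, so the manual gains no description of the option or of keeping the credential file out of the world-readable store.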
Date: Wed, 26 Jun 2024 14:32:50 +0200
From: guix@ikherbers.com

Hi!

On 2024-06-20T11:22:15-0400, Richard Sent wrote:
>Hi vicvbcun!
>
>vicvbcun writes:
>
>> Hi,
>>
>> thanks for the review!
>
>>> I believe CIFS will add a password2 mount option in 6.9.4 [1]. We should
>>> check if mount.cifs supports putting that option in the credentials file
>>> and match their behavior. If that's too much an ask (Guix's mount.cifs
>>> may not be new enough), I think a comment or proactive bug report is
>>> appropriate.
>>
>> Looking at the latest version of mount.cifs[0], it doesn't seem to
>> handle `password2' intentionally: Passing `password2' on the command
>> line should work, but only because the return value of `parse_opt_token'
>> is not checked for `OPT_ERROR'; in a credentials file it is accepted (as
>> `parse_cred_line' only checks for a "pass" prefix) but passed as
>> `password' instead.
>>
>> I think that being able to specify `password2' in a credentials file
>> makes sense and my patch doesn't forbid it.
>>
>> If exposing an interface identical to that of `mount.cifs' and
>> preserving the exact semantics (e.g `mount.cifs' complains when multiple
>> passwords are specified and takes the first one) is the ultimate goal,
>> I'd just shell out to `mount.cifs'. I certainly won't implement all the
>> idiosyncrasies :).
>>
>> 0: https://git.samba.org/?p=cifs-utils.git;a=blob;f=mount.cifs.c;h=3b7a6b3c22e8c3b563c7ea92ecb9891fdfac01a6;hb=refs/heads/for-next
>
>Agreed, emulating mount.cifs in totality is too much. My concern with
>divergences in functionality is most users will read mount.cifs
>documentation for CIFS mount-options and whatnot, then potentially get
>bit when Guix does something different.
>In this case the divergence is small and shouldn't cause issues.

As long as what Guix offers is a superset, feature requests won't be
sent our way :). With the patch, I think there should be a reasonable
match between the behaviour as documented in mount.cifs(8) and that of
Guix.

>I think a XXX: style comment is appropriate.
>
>--8<---------------cut here---------------start------------->8---
>;; Read password, user and domain options from file
>;;
>;; XXX: Unlike mount.cifs this function reads password2 in the
>;; credential file and returns it separately from password.
>--8<---------------cut here---------------end--------------->8---

done, I have elaborated a bit more though

>I wouldn't be surprised if mount.cifs eventually adopts the same
>behavior. I can't think of a reason why putting password2 in the
>credentials file shouldn't be supported.

The `password2' option seems mainly useful for remounting when a new
password is available. Creating a temporary credential file might be
considered overcomplicated. I suspect that when developing the feature
it just worked when specified on the command line and was forgotten
about subsequently.

>
>--
>Take it easy,
>Richard Sent
>Making my computer weirder one commit at a time.

vicvbcun

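The credential-file rules described in this thread and in the v3 patch's XXX comment (leading whitespace stripped, lines starting with pass, user or dom kept, commas in the password doubled), as an added Python example that is not part of the patch or of Guix. It also checks the file's location and mode, since the commit message's concern is world-readable storage; the function names, the sample file and the `/gnu/store/` prefix check are assumptions of this example.

```python
import os
import re
import stat

STORE_PREFIX = "/gnu/store/"  # assumption: default Guix store location

# Same pattern the patch uses to find the credentials/cred mount option.
CRED_OPTION = re.compile(r"(^|,)(credentials|cred)=([^,]+)(,|$)")

# Constructed sample credential file (not taken from the thread).
SAMPLE = (
    "  username=alice\n"
    "password=s3cret,with,commas\n"
    "domain=EXAMPLE\n"
    "# rotated 2024-06\n"
    "password2=next,secret\n"
)


def credential_path(options):
    """Return the file named by credentials=/cred= in a mount option string."""
    found = CRED_OPTION.search(options)
    return found.group(3) if found else None


def cred_lines_to_options(text):
    """Apply the v3 patch's rules to the text of a credential file.

    Returns (options, notes). Options are kept in file order here; the patch
    builds its list with cons, so its own result is in reverse file order.
    """
    options, notes = [], []
    for number, raw in enumerate(text.split("\n"), start=1):
        line = raw.lstrip()  # leading whitespace only, as string-trim does
        if line.startswith("pass"):
            # Commas in the password are escaped by doubling them.
            options.append(line.replace(",", ",,"))
        elif line.startswith(("user", "dom")):
            if "," in line:
                notes.append(f"line {number}: comma in a user/domain line "
                             "would split into a separate mount option")
            options.append(line)
        elif line:
            notes.append(f"line {number}: ignored, no pass/user/dom prefix")
    return options, notes


def audit_credential_file(path):
    """Check where the file lives and who can read it, then parse it."""
    findings = []
    if os.path.realpath(path).startswith(STORE_PREFIX):
        findings.append("file is in the store, which is world readable")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"mode {mode:04o} lets group or others read the file")
    with open(path, encoding="utf-8") as handle:
        options, notes = cred_lines_to_options(handle.read())
    return options, findings + notes


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as directory:
        path = os.path.join(directory, "smb.cred")
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(SAMPLE)
        os.chmod(path, 0o644)  # deliberately too open, to show the finding
        mount_options = f"vers=3.0,credentials={path},uid=1000"
        options, findings = audit_credential_file(credential_path(mount_options))
        # The ",opt,opt" suffix that string-join with 'prefix produces.
        print("," + ",".join(options))
        for finding in findings:
            print("warning:", finding)
```
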
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: vicvbcun
Subject: bug#71594: closed (Re: [bug#71594] [PATCH v3] file-systems: Allow specifying CIFS credentials in a file.)
Date: Fri, 26 Jul 2024 16:52:02 +0000

Your bug report

#71594: [PATCH] file-systems: Allow specifying CIFS credentials in a file.

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 71594@debbugs.gnu.org.

--
71594: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71594
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

From: Ludovic Courtès
To: vicvbcun
Cc: Richard Sent, 71594-done@debbugs.gnu.org
Subject: Re: [bug#71594] [PATCH v3] file-systems: Allow specifying CIFS credentials in a file.
Date: Fri, 26 Jul 2024 18:51:27 +0200

vicvbcun writes:

> As files in the store and /etc/fstab are world readable, specifying the
> password in the file-system record is suboptimal. To mitigate this,
> `mount.cifs' supports reading `username', `password' and `domain' options from
> a file named by the `credentials' or `cred' option.
>
> * gnu/build/file-systems.scm (mount-file-system): Read mount options from the
> file specified via the `credentials' or `cred' option if specified.
>
> Change-Id: I786c5da373fc26d45fe7a876c56a8c4854d18532

Applied! Thank you and thanks Richard for reviewing it.

Ludo’.

From: vicvbcun
To: guix-patches@gnu.org
Subject: [PATCH] file-systems: Allow specifying CIFS credentials in a file.
Date: Sun, 16 Jun 2024 17:59:38 +0200

As files in the store and /etc/fstab are world readable, specifying the
password in the file-system record is suboptimal. To mitigate this,
`mount.cifs' supports reading `username', `password' and `domain' options from
a file named by the `credentials' or `cred' option.

* gnu/build/file-systems.scm (mount-file-system): Read mount options from the
file specified via the `credentials' or `cred' option if specified.

Change-Id: I786c5da373fc26d45fe7a876c56a8c4854d18532
---
`read-credential-file' is certainly not very elegant, but it matches what
`mount.cifs' does.

 gnu/build/file-systems.scm | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/gnu/build/file-systems.scm b/gnu/build/file-systems.scm index ae29b36c4e..f0c16453e8 100644 --- a/gnu/build/file-systems.scm
+++ b/gnu/build/file-systems.scm @@ -39,6 +39,7 @@ (define-module (gnu build file-systems) #:use-module (ice-9 match) #:use-module (ice-9 rdelim) #:use-module (ice-9 regex) + #:use-module (ice-9 string-fun) #:use-module (system foreign) #:autoload (system repl repl) (start-repl) #:use-module (srfi srfi-1) @@ -1186,6 +1187,28 @@ (define* (mount-file-system fs #:key (root "/root") (string-append "," options) ""))))) + (define (read-credential-file file) + ;; Read password, user and domain options from file + (with-input-from-file file + (lambda () + (let loop + ((next-line (read-line)) + (lines '())) + (if (not (eof-object? next-line)) + (loop (read-line) + (cond + ((string-match "^[[:space:]]*pass" next-line) + ;; mount.cifs escapes commas in the password by doubling + ;; them + (cons (string-replace-substring (string-trim next-line) "," ",,") + lines)) + ((string-match "^[[:space:]]*(user|dom)" next-line) + (cons (string-trim next-line) lines)) + ;; Ignore all other lines. + (else + lines))) + lines))))) + (define (mount-cifs source mount-point type flags options) ;; Source is of form "///" (let* ((regex-match (string-match "//([^/]+)/(.+)" source)) @@ -1194,6 +1217,8 @@ (define* (mount-file-system fs #:key (root "/root") ;; Match ",guest,", ",guest$", "^guest,", or "^guest$," not ;; e.g. user=foo,pass=notaguest (guest? (string-match "(^|,)(guest)($|,)" options)) + (credential-file (and=> (string-match "(^|,)(credentials|cred)=([^,]+)(,|$)" options) + (cut match:substring <> 3))) ;; Perform DNS resolution now instead of attempting kernel dns ;; resolver upcalling. /sbin/request-key does not exist and the ;; kernel hardcodes the path. 
@@ -1218,6 +1243,10 @@ (define* (mount-file-system fs #:key (root "/root") ;; ignores it. Also, avoiding excess commas ;; when deleting is a pain. (string-append "," options) + "") + (if credential-file + ;; The "credentials" option is ignored too. + (string-join (read-credential-file credential-file) "," 'prefix) ""))))) (let* ((type (file-system-type fs)) base-commit: 2195f70936b7aeec123d4e95345f1007d3a7bb06 -- 2.45.1
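Review bot: In `read-credential-file' (hunk at -1186), each line is first tested with a `[[:space:]]*'-prefixed regex and then trimmed again with `string-trim' in both branches; trimming once and testing with `string-prefix?' would remove the duplicated work and the regexes. The name is also generic for a helper that implements CIFS-specific rules (comma doubling, the pass/user/dom prefixes) inside `mount-file-system'; something like `read-cifs-credential-file' says which format it parses. The `credential-file' binding and the `string-join' call in the later hunks run long and should be broken earlier.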