GNU bug report logs - #71594
[PATCH] file-systems: Allow specifying CIFS credentials in a file.


Package: guix-patches;

Reported by: vicvbcun <guix <at> ikherbers.com>

Date: Sun, 16 Jun 2024 16:00:02 UTC

Severity: normal

Tags: patch

Done: Ludovic Courtès <ludo <at> gnu.org>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: vicvbcun <guix <at> ikherbers.com>
Subject: bug#71594: closed (Re: [bug#71594] [PATCH v3] file-systems: Allow
 specifying CIFS credentials in a file.)
Date: Fri, 26 Jul 2024 16:52:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#71594: [PATCH] file-systems: Allow specifying CIFS credentials in a file.

which was filed against the guix-patches package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 71594 <at> debbugs.gnu.org.

-- 
71594: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=71594
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Ludovic Courtès <ludo <at> gnu.org>
To: vicvbcun <guix <at> ikherbers.com>
Cc: Richard Sent <richard <at> freakingpenguin.com>, 71594-done <at> debbugs.gnu.org
Subject: Re: [bug#71594] [PATCH v3] file-systems: Allow specifying CIFS
 credentials in a file.
Date: Fri, 26 Jul 2024 18:51:27 +0200
vicvbcun <guix <at> ikherbers.com> wrote:

> As files in the store and /etc/fstab are world readable, specifying the
> password in the file-system record is suboptimal.  To mitigate this,
> `mount.cifs' supports reading `username', `password' and `domain' options from
> a file named by the `credentials' or `cred' option.
>
> * gnu/build/file-systems.scm (mount-file-system): Read mount options from the
> file specified via the `credentials' or `cred' option if specified.
>
> Change-Id: I786c5da373fc26d45fe7a876c56a8c4854d18532

Applied! Thank you and thanks Richard for reviewing it.

Ludo’.

[Message part 3 (message/rfc822, inline)]
From: vicvbcun <guix <at> ikherbers.com>
To: guix-patches <at> gnu.org
Subject: [PATCH] file-systems: Allow specifying CIFS credentials in a file.
Date: Sun, 16 Jun 2024 17:59:38 +0200
As files in the store and /etc/fstab are world readable, specifying the
password in the file-system record is suboptimal.  To mitigate this,
`mount.cifs' supports reading `username', `password' and `domain' options from
a file named by the `credentials' or `cred' option.

* gnu/build/file-systems.scm (mount-file-system): Read mount options from the
file specified via the `credentials' or `cred' option if specified.

Change-Id: I786c5da373fc26d45fe7a876c56a8c4854d18532
---
`read-credential-file' is certainly not very elegant, but it matches what
`mount.cifs' does.

 gnu/build/file-systems.scm | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/gnu/build/file-systems.scm b/gnu/build/file-systems.scm
index ae29b36c4e..f0c16453e8 100644
--- a/gnu/build/file-systems.scm
+++ b/gnu/build/file-systems.scm
@@ -39,6 +39,7 @@ (define-module (gnu build file-systems)
   #:use-module (ice-9 match)
   #:use-module (ice-9 rdelim)
   #:use-module (ice-9 regex)
+  #:use-module (ice-9 string-fun)
   #:use-module (system foreign)
   #:autoload   (system repl repl) (start-repl)
   #:use-module (srfi srfi-1)
@@ -1186,6 +1187,28 @@ (define* (mount-file-system fs #:key (root "/root")
                                 (string-append "," options)
                                 "")))))
 
+  (define (read-credential-file file)
+    ;; Read password, user and domain options from file
+    (with-input-from-file file
+      (lambda ()
+        (let loop
+            ((next-line (read-line))
+             (lines '()))
+          (if (not (eof-object? next-line))
+              (loop (read-line)
+                    (cond
+                     ((string-match "^[[:space:]]*pass" next-line)
+                      ;; mount.cifs escapes commas in the password by doubling
+                      ;; them
+                      (cons (string-replace-substring (string-trim next-line) "," ",,")
+                            lines))
+                     ((string-match "^[[:space:]]*(user|dom)" next-line)
+                      (cons (string-trim next-line) lines))
+                     ;; Ignore all other lines.
+                     (else
+                      lines)))
+              lines)))))
+
   (define (mount-cifs source mount-point type flags options)
     ;; Source is of form "//<server-ip-or-host>/<service>"
     (let* ((regex-match (string-match "//([^/]+)/(.+)" source))
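Review bot: In `read-credential-file`, the `(user|dom)` branch conses `(string-trim next-line)` unchanged, while only the `pass` branch doubles commas. The caller joins the returned lines with "," into the option string, so a comma in a user or domain line would be read as an option separator and the text after it would become a separate mount option. Either reject such lines or document the restriction in the comment. Also, `string-trim` called with no further arguments strips only leading whitespace, so trailing blanks or a carriage return from a CRLF file remain in the value; if that is not intended for the user and domain lines, `string-trim-both` would be the fit there.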
@@ -1194,6 +1217,8 @@ (define* (mount-file-system fs #:key (root "/root")
            ;; Match ",guest,", ",guest$", "^guest,", or "^guest$," not
            ;; e.g. user=foo,pass=notaguest
            (guest? (string-match "(^|,)(guest)($|,)" options))
+           (credential-file (and=> (string-match "(^|,)(credentials|cred)=([^,]+)(,|$)" options)
+                                   (cut match:substring <> 3)))
            ;; Perform DNS resolution now instead of attempting kernel dns
            ;; resolver upcalling. /sbin/request-key does not exist and the
            ;; kernel hardcodes the path.
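Review bot: The `credential-file` binding accepts whatever path follows `credentials=` or `cred=`, and the diffstat shows only gnu/build/file-systems.scm changing, so nothing tells users where that file should live. Given the commit message's point that the store and /etc/fstab are world readable, the documentation should say that the file has to be kept outside the store with permissions that restrict it to root. Minor style point: the trailing `(,|$)` group in the regex is redundant, since `[^,]+` already stops at the next comma or at the end of the string.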
@@ -1218,6 +1243,10 @@ (define* (mount-file-system fs #:key (root "/root")
                                 ;; ignores it. Also, avoiding excess commas
                                 ;; when deleting is a pain.
                                 (string-append "," options)
+                                "")
+                            (if credential-file
+                                ;; The "credentials" option is ignored too.
+                                (string-join (read-credential-file credential-file) "," 'prefix)
                                 "")))))
 
   (let* ((type    (file-system-type fs))
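Review bot: At the `(string-join (read-credential-file credential-file) "," 'prefix)` call, the options read from the file are appended after `options` with no check for user, password or domain entries already present there, so the final string can carry the same key twice; state which one is meant to win, or refuse the combination. `read-credential-file` builds its list with `cons`, so the lines arrive in reverse file order, which matters if the file repeats a key. Nothing here covers a credentials file that is missing or unreadable at mount time; a short comment on the intended behaviour in that case would help.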

base-commit: 2195f70936b7aeec123d4e95345f1007d3a7bb06
-- 
2.45.1




This bug report was last modified 1 year and 17 days ago.
