From: vicvbcun <guix@ikherbers.com>
To: 71594@debbugs.gnu.org
Subject: [bug#71594] [PATCH] file-systems: Allow specifying CIFS credentials in a file.
Date: Sun, 16 Jun 2024 17:59:38 +0200
Message-ID: <434a45cea2afc5e4de5af5b15bc732b7587a979a.1718550930.git.guix@ikherbers.com>

As files in the store and /etc/fstab are world readable, specifying the
password in the file-system record is suboptimal. To mitigate this,
`mount.cifs' supports reading `username', `password' and `domain' options from
a file named by the `credentials' or `cred' option.
* gnu/build/file-systems.scm (mount-file-system): Read mount options from the
file specified via the `credentials' or `cred' option if specified.
Change-Id: I786c5da373fc26d45fe7a876c56a8c4854d18532
---
`read-credential-file' is certainly not very elegant, but it matches what
`mount.cifs' does.
gnu/build/file-systems.scm | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/gnu/build/file-systems.scm b/gnu/build/file-systems.scm
index ae29b36c4e..f0c16453e8 100644
--- a/gnu/build/file-systems.scm
+++ b/gnu/build/file-systems.scm
@@ -39,6 +39,7 @@ (define-module (gnu build file-systems)
#:use-module (ice-9 match)
#:use-module (ice-9 rdelim)
#:use-module (ice-9 regex)
+ #:use-module (ice-9 string-fun)
#:use-module (system foreign)
#:autoload (system repl repl) (start-repl)
#:use-module (srfi srfi-1)
@@ -1186,6 +1187,28 @@ (define* (mount-file-system fs #:key (root "/root")
(string-append "," options)
"")))))
+ (define (read-credential-file file)
+ ;; Read password, user and domain options from file
+ (with-input-from-file file
+ (lambda ()
+ (let loop
+ ((next-line (read-line))
+ (lines '()))
+ (if (not (eof-object? next-line))
+ (loop (read-line)
+ (cond
+ ((string-match "^[[:space:]]*pass" next-line)
+ ;; mount.cifs escapes commas in the password by doubling
+ ;; them
+ (cons (string-replace-substring (string-trim next-line) "," ",,")
+ lines))
+ ((string-match "^[[:space:]]*(user|dom)" next-line)
+ (cons (string-trim next-line) lines))
+ ;; Ignore all other lines.
+ (else
+ lines)))
+ lines)))))
+
(define (mount-cifs source mount-point type flags options)
;; Source is of form "//<server-ip-or-host>/<service>"
(let* ((regex-match (string-match "//([^/]+)/(.+)" source))
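Review bot: In read-credential-file, only the `pass` branch doubles commas; the `(user|dom)` branch conses `(string-trim next-line)` unchanged, so a comma in a username or domain line reaches the joined option string as an option separator and whatever follows it is read as a separate mount option. Either escape or reject commas on every forwarded line. Each matching line is also forwarded whole, so a line with no `=` or with spaces around `=` goes into the option string as written, and `string-trim` strips leading whitespace only, so a trailing space or carriage return stays in the value. Splitting each line into key and value and emitting the option from those parts would cover all three cases.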
@@ -1194,6 +1217,8 @@ (define* (mount-file-system fs #:key (root "/root")
;; Match ",guest,", ",guest$", "^guest,", or "^guest$," not
;; e.g. user=foo,pass=notaguest
(guest? (string-match "(^|,)(guest)($|,)" options))
+ (credential-file (and=> (string-match "(^|,)(credentials|cred)=([^,]+)(,|$)" options)
+ (cut match:substring <> 3)))
;; Perform DNS resolution now instead of attempting kernel dns
;; resolver upcalling. /sbin/request-key does not exist and the
;; kernel hardcodes the path.
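Review bot: The `(credentials|cred)=([^,]+)` match takes whatever path follows `=` with no check on where it points. The commit message motivates the change by the store being world readable, so a credentials path that resolves into the store would put the password back in a world-readable file. Consider warning or refusing when the captured path is under the store directory, and add a manual entry stating that the file must live outside the store and be readable by root only; the diffstat shows a single changed file and no documentation.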
@@ -1218,6 +1243,10 @@ (define* (mount-file-system fs #:key (root "/root")
;; ignores it. Also, avoiding excess commas
;; when deleting is a pain.
(string-append "," options)
+ "")
+ (if credential-file
+ ;; The "credentials" option is ignored too.
+ (string-join (read-credential-file credential-file) "," 'prefix)
"")))))
(let* ((type (file-system-type fs))
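Review bot: The call `(read-credential-file credential-file)` in the new `if` branch has no handling for a missing or unreadable file, so `with-input-from-file` raises and the mount aborts with a generic system error. Catch that error and report the credentials file name (never its contents) in the message. mount-file-system also takes a `root` key (default "/root") while the credentials path is opened exactly as given, so state in a comment or the manual which root the path is resolved against. It would help as well to report the case where the file yields no `pass` line here, instead of leaving it to surface as an authentication failure from the server.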
base-commit: 2195f70936b7aeec123d4e95345f1007d3a7bb06
--
2.45.1