Sync cifs-utils 2:6.7-1 (main) from Debian unstable (main)

Please sync cifs-utils 2:6.7-1 (main) from Debian unstable (main)

Explanation of the Ubuntu delta and why it can be dropped:
  * Merge from Debian unstable (LP: #1660372). Remaining changes:
    - debian/patches/stat_systemd-ask-password.patch: also check for
      /bin/systemd-ask-password before trying to use systemd's tools.

TL;DR the patch in our delta is to prevent a harmless error message from
popen() leaking through to the console in the case systemd-ask-password binary
does not exist in /bin, in which case the code falls back to using getpass():

ubuntu@61-b1:~$ mount /ds216/downloads
sh: 1: systemd-ask-password: not found
Password for andreas@//ds216.lowtech/downloads: <type pass>
ubuntu@61-b1:~$

It just doesn't seem worth carrying a delta for that. It's best to file
an upstream bug to have it properly fixed, which I did:

https://bugzilla.samba.org/show_bug.cgi?id=12971

Longer story:

When that patch was added by Ubuntu, the upstream code was like this:
"""
    is_systemd_running = (lstat("/sys/fs/cgroup", &a) == 0)
        && (lstat("/sys/fs/cgroup/systemd", &b) == 0)
        && (a.st_dev != b.st_dev);

    if (is_systemd_running) {
(...)
        if (asprintf(&cmd, "/bin/systemd-ask-password \"%s\"", prompt) >= 0) {
            ask_pass_fp = popen (cmd, "re");
            free (cmd);
        }
"""

If popen() can't find the binary, the code falls back to getpass(), but popen
prints an "ugly" error message before:

ubuntu@61-b1:~$ mount /ds216/downloads
sh: 1: systemd-ask-password: not found
Password for andreas@//ds216.lowtech/downloads: <--- no "***" echoed: getpass() was used
ubuntu@61-b1:~$

The ubuntu patch had the effect of not even trying to popen the missing binary,
thus avoiding the error message.

Upstream later changed the code slightly (see bug
https://bugzilla.samba.org/show_bug.cgi?id=10054):
"""
    is_systemd_running = (lstat("/sys/fs/cgroup", &a) == 0)
        && (lstat("/sys/fs/cgroup/systemd", &b) == 0)
        && (a.st_dev != b.st_dev);
(...)
        if (asprintf(&cmd, "systemd-ask-password \"%s\"", prompt) >= 0) {
            ask_pass_fp = popen (cmd, "re");
            free (cmd);
        }
"""

That now searches for systemd-ask-password in $PATH. If it's not found, then
the error message is still printed, and getpass() is again used as a fallback.

The Ubuntu patch is still useful, but not complete now: it should search for
the binary in $PATH to match what popen does.

Perhaps the easiest solution is to just hide the popen error, since it's handled anyway?

- if (asprintf(&cmd, "systemd-ask-password \"%s\"", prompt) >= 0) {
+ if (asprintf(&cmd, "systemd-ask-password \"%s\" 2>/dev/null", prompt) >= 0) {

I filed an upstream bug with that suggestion:
https://bugzilla.samba.org/show_bug.cgi?id=12971

Changelog entries since current artful version 2:6.6-5ubuntu1:

cifs-utils (2:6.7-1) unstable; urgency=medium

  * New upstream release
   - a6662ed: cifs.upcall: switch group IDs when handling an upcall
   - 109c189: cifs.upcall: drop capabilities early in program
   - ed97e4e: cifs.upcall: allow scraping of KRB5CCNAME out of initiating
     task's /proc/<pid>/environ file (Closes: #854607)
   - ec387af4: cifs.upcall: trim even more capabilities
   - 2dcecd2: cifs.upcall: unset $KRB5CCNAME when creating new credcache from
     keytab
   - 9eaa21e: cifs.upcall: don't do env scraping when uid is 0
   - 69949ba: cifs.upcall: use a MEMORY: ccache when instantiating from a keytab
   - and more commits...

 -- Mathieu Parent <email address hidden> Wed, 08 Mar 2017 22:21:54 +0100