Ondrej Holy · Pawan Chitrakar · Quentin PAGÈS · Ondrej Holy · Ondrej Holy · Dušan Kazik
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
+fedora:
+    image:
+        name: registry.gitlab.gnome.org/gnome/gvfs:latest
+        entrypoint: ["/bin/sh", "-c"]
+    tags:
+        - x86_64
+        - ipv6
+    script:
+        - meson -Dinstalled_tests=true -Ddevel_utils=true -Dman=true -Dafc=true --prefix /usr --werror build
+        - sudo ninja -C build install
+        - GIO_USE_VOLUME_MONITOR=unix gnome-desktop-testing-runner gvfs
+    allow_failure: true
+
+update-image:
+    variables:
+         STORAGE_DRIVER: vfs
+         BUILDAH_FORMAT: docker
+         BUILDAH_ISOLATION: chroot
+    image: registry.fedoraproject.org/fedora:33
+    script:
+        - dnf install -y buildah runc
+        - sed -i '/^mountopt =.*/d' /etc/containers/storage.conf
+        - buildah bud --tag $CI_REGISTRY_IMAGE -f .gitlab-ci/Dockerfile
+        - buildah tag $CI_REGISTRY_IMAGE "$CI_REGISTRY_IMAGE:v$CI_JOB_ID"
+        - buildah login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
+        - buildah push $CI_REGISTRY_IMAGE
+        - buildah push "$CI_REGISTRY_IMAGE:v$CI_JOB_ID"
+    when: manual
+    only:
+        variables:
+            - $CI_PROJECT_NAMESPACE == "GNOME"
+
--- a/.gitlab-ci/Dockerfile
+++ b/.gitlab-ci/Dockerfile
+FROM fedora:rawhide
+
+RUN dnf install -y --nogpg avahi-devel avahi-glib-devel dbus-glib-devel docbook-style-xsl fuse3-devel gcc gcr-devel gettext-devel glib2-devel gnome-online-accounts-devel gsettings-desktop-schemas-devel libarchive-devel libbluray-devel libcap-devel libcdio-paranoia-devel libexif-devel libgcrypt-devel libgphoto2-devel libgudev-devel libimobiledevice-devel libmtp-devel libnfs-devel libplist-devel libsecret-devel libsmbclient-devel libsoup-devel libtalloc-devel libudisks2-devel libusb-devel libxslt-devel meson openssh-clients pkgconf-pkg-config polkit-devel systemd-devel gnome-desktop-testing dbus-daemon python3-twisted python3-gobject procps-ng bzip2 httpd mod_ssl openssh-server passwd \
+ && dnf clean all
+
+RUN dnf install -y --nogpg --best elfutils-libelf-devel gcc gcc-c++ gdbm gettext git glibc-devel glibc-headers gtk-doc libattr-devel libffi-devel libmount-devel libselinux-devel ninja-build pcre-devel python3-devel systemtap-sdt-devel zlib-devel \
+ && dnf clean all \
+ && git clone --depth 1 https://gitlab.gnome.org/GNOME/glib.git \
+ && cd glib \
+ && meson . _build --prefix=/usr \
+ && ninja -C _build \
+ && ninja -C _build install \
+ && cd .. \
+ && rm -rf glib
+
+RUN dnf install -y --nogpg uhttpmock-devel gobject-introspection-devel liboauth-devel vala json-glib-devel \
+ && dnf clean all \
+ && git clone --depth 1 https://gitlab.gnome.org/GNOME/libgdata.git \
+ && cd libgdata \
+ && meson . _build --prefix=/usr \
+ && ninja -C _build \
+ && ninja -C _build install \
+ && cd .. \
+ && rm -rf libgdata
+
+RUN sed -i -e 's/# %wheel/%wheel/' /etc/sudoers
+RUN useradd -G wheel -m user
+RUN passwd -d user
+USER user
+WORKDIR /home/user
+ENV USER user
+ENV XDG_RUNTIME_DIR /home/user
+
+RUN ssh-keygen -t rsa -q -N "" -f ~/.ssh/id_rsa
--- a/NEWS
+++ b/NEWS
+Major changes in 1.48.2
+=======================
+* smb: Rework anonymous handling to avoid EINVAL (Ondrej Holy)
+* smb: Ignore EINVAL for kerberos/ccache login (Ondrej Holy)
+* sftp: Adapt on new OpenSSH password prompts (Ondrej Holy)
+* build: Remove incorrect i18n.merge_file argument to fix build (Ondrej Holy)
+* Translation updates
+
 Major changes in 1.48.1
 =======================
 * build: Use install prefix in systemd files paths

--- a/daemon/gvfsbackendsftp.c
+++ b/daemon/gvfsbackendsftp.c
@@ -1106,10 +1106,10 @@ handle_login (GVfsBackend *backend,
      if (g_str_has_suffix (buffer, "password: ") ||
          g_str_has_suffix (buffer, "Password: ") ||
          g_str_has_suffix (buffer, "Password:")  ||
-          g_str_has_prefix (buffer, "Password for ") ||
-          g_str_has_prefix (buffer, "Enter Kerberos password") ||
-          g_str_has_prefix (buffer, "Enter passphrase for key") ||
-          g_str_has_prefix (buffer, "Enter PASSCODE"))
+          strstr (buffer, "Password for ") ||
+          strstr (buffer, "Enter Kerberos password") ||
+          strstr (buffer, "Enter passphrase for key") ||
+          strstr (buffer, "Enter PASSCODE"))
        {
          gboolean aborted = FALSE;
          gsize bytes_written;
@@ -1265,8 +1265,8 @@ handle_login (GVfsBackend *backend,
              break;
            }
        }
-      else if (g_str_has_prefix (buffer, "Verification code") ||
-               g_str_has_prefix (buffer, "One-time password"))
+      else if (strstr (buffer, "Verification code") ||
+               strstr (buffer, "One-time password"))
        {
          gchar *verification_code = NULL;
          gboolean aborted = FALSE;

--- a/daemon/gvfsbackendsmb.c
+++ b/daemon/gvfsbackendsmb.c
@@ -80,7 +80,6 @@ struct _GVfsBackendSmb
  int mount_try;
  gboolean mount_try_again;
  gboolean mount_cancelled;
-  gboolean use_anonymous;
 	
  gboolean password_in_keyring;
  GPasswordSave password_save;
@@ -215,13 +214,6 @@ auth_callback (SMBCCTX *context,
      backend->mount_try_again = TRUE;
      g_debug ("auth_callback - ccache pass\n");
    }
-  else if (backend->use_anonymous)
-    {
-      /* Try again if anonymous login fails */
-      backend->use_anonymous = FALSE;
-      backend->mount_try_again = TRUE;
-      g_debug ("auth_callback - anonymous login pass\n");
-    }
  else
    {
      gboolean in_keyring = FALSE;
@@ -304,10 +296,13 @@ auth_callback (SMBCCTX *context,
      /* Try again if this fails */
      backend->mount_try_again = TRUE;

+      smbc_setOptionNoAutoAnonymousLogin (backend->smb_context,
+                                          !anonymous);
+
      if (anonymous)
        {
-          backend->use_anonymous = TRUE;
          backend->password_save = FALSE;
+          g_debug ("auth_callback - anonymous enabled\n");
        }
      else
        {
@@ -513,7 +508,13 @@ do_mount (GVfsBackend *backend,
      if (res == 0)
        break;

-      if (op_backend->mount_cancelled || (errsv != EACCES && errsv != EPERM))
+      if (errsv == EINVAL && op_backend->mount_try <= 1 && op_backend->user == NULL)
+        {
+          /* EINVAL is "expected" when kerberos/ccache is misconfigured, see:
+           * https://gitlab.gnome.org/GNOME/gvfs/-/issues/611
+           */
+        }
+      else if (op_backend->mount_cancelled || (errsv != EACCES && errsv != EPERM))
        {
          g_debug ("do_mount - (errno != EPERM && errno != EACCES), cancelled = %d, breaking\n", op_backend->mount_cancelled);
          break;
@@ -529,12 +530,6 @@ do_mount (GVfsBackend *backend,
          smbc_setOptionFallbackAfterKerberos (op_backend->smb_context, 1);
        }

-      /* If the AskPassword reply requested anonymous login, enable the
-       * anonymous fallback and try again.
-       */
-      smbc_setOptionNoAutoAnonymousLogin (op_backend->smb_context,
-                                          !op_backend->use_anonymous);
-
      op_backend->mount_try ++;
    }
  while (op_backend->mount_try_again);

--- a/daemon/gvfsbackendsmbbrowse.c
+++ b/daemon/gvfsbackendsmbbrowse.c
@@ -967,8 +967,14 @@ do_mount (GVfsBackend *backend,
             uri, op_backend->mount_try, dir, op_backend->mount_cancelled,
             errsv, g_strerror (errsv));

-      if (dir == NULL && 
-          (op_backend->mount_cancelled || (errsv != EPERM && errsv != EACCES)))
+      if (errsv == EINVAL && op_backend->mount_try == 0 && op_backend->user == NULL)
+        {
+          /* EINVAL is "expected" when kerberos is misconfigured, see:
+           * https://gitlab.gnome.org/GNOME/gvfs/-/issues/611
+           */
+        }
+      else if (dir == NULL &&
+               (op_backend->mount_cancelled || (errsv != EPERM && errsv != EACCES)))
        {
          g_debug ("do_mount - (errno != EPERM && errno != EACCES), cancelled = %d, breaking\n", op_backend->mount_cancelled);
 	  break;

--- a/daemon/meson.build
+++ b/daemon/meson.build
@@ -366,7 +366,6 @@ if enable_admin
  )

  i18n.merge_file(
-    policy,
    input: policy_in,
    output: '@BASENAME@',
    po_dir: po_dir,
@@ -374,8 +373,15 @@ if enable_admin
    install_dir: gvfs_datadir / 'polkit-1/actions',
  )

-  install_data(
-    gvfs_namespace + '.file-operations.rules',
+  rules = gvfs_namespace + '.file-operations.rules'
+
+  rules_conf = configuration_data()
+  rules_conf.set('PRIVILEGED_GROUP', privileged_group)
+
+  configure_file(
+    input: rules + '.in',
+    output: rules,
+    configuration: rules_conf,
    install_dir: gvfs_datadir / 'polkit-1/rules.d',
  )
 endif

--- a/daemon/mount.c
+++ b/daemon/mount.c
@@ -415,6 +415,30 @@ child_watch_cb (GPid pid,
                gint status,
                gpointer user_data)
 {
+  MountData *data = user_data;
+  GError *error = NULL;
+  gint code = 0;
+
+  if (!g_spawn_check_exit_status (status, &error))
+    {
+      if (error->domain == G_SPAWN_EXIT_ERROR)
+        code = error->code;
+
+      g_clear_error (&error);
+    }
+
+  /* GVfs daemons always exit with 0, but gvfsd-admin is spawned over pkexec,
+   * which can fail when the authentication dialog is dismissed for example.
+   */
+  if (code == 126 || code == 127)
+    {
+      error = g_error_new_literal (G_IO_ERROR,
+                                   G_IO_ERROR_PERMISSION_DENIED,
+                                   _("Permission denied"));
+      mount_finish (data, error);
+      g_error_free (error);
+    }
+
  g_spawn_close_pid (pid);
 }

@@ -485,7 +509,7 @@ spawn_mount (MountData *data)
        }
      else
        {
-          g_child_watch_add (pid, child_watch_cb, NULL);
+          g_child_watch_add (pid, child_watch_cb, data);
        }

      g_strfreev (argv);

--- a/daemon/org.gtk.vfs.file-operations.rules
+++ b/daemon/org.gtk.vfs.file-operations.rules
-// Allows users belonging to wheel group to start gvfsd-admin without
+// Allows users belonging to privileged group to start gvfsd-admin without
 // authorization. This prevents redundant password prompt when starting
 // gvfsd-admin. The gvfsd-admin causes another password prompt to be shown
 // for each client process using the different action id and for the subject
@@ -7,7 +7,7 @@ polkit.addRule(function(action, subject) {
        if ((action.id == "org.gtk.vfs.file-operations-helper") &&
            subject.local &&
            subject.active &&
-            subject.isInGroup ("wheel")) {
+            subject.isInGroup ("@PRIVILEGED_GROUP@")) {
            return polkit.Result.YES;
        }
 });
--- a/meson.build
+++ b/meson.build
 project(
  'gvfs', 'c',
-  version: '1.48.1',
+  version: '1.48.2',
  license: 'LGPL2+',
  default_options: 'buildtype=debugoptimized',
  meson_version: '>= 0.53.0',
@@ -299,6 +299,7 @@ endif
 config_h.set('HAVE_GCR', enable_gcr)

 # *** Check if we should build with admin backend ***
+privileged_group = get_option('privileged_group')
 enable_admin = get_option('admin')
 if enable_admin
  libcap_dep = dependency('libcap')
@@ -493,7 +494,8 @@ meson.add_install_script(
 summary({
  'systemduserunitdir': systemd_systemduserunitdir,
  'tmpfilesdir': systemd_tmpfilesdir,
-}, section: 'Directories')
+  'privileged_group': privileged_group,
+}, section: 'Configuration')

 summary({
  'admin': enable_admin,

--- a/meson_options.txt
+++ b/meson_options.txt
 option('systemduserunitdir', type: 'string', value: '', description: 'custom directory for systemd user units, or \'no\' to disable')
 option('tmpfilesdir', type: 'string', value: '', description: 'custom directory for tmpfiles.d config files, or \'no\' to disable')
+option('privileged_group', type: 'string', value: 'wheel', description: 'custom name for group that has elevated permissions')

 option('admin', type: 'boolean', value: true, description: 'build with admin backend')
 option('afc', type: 'boolean', value: true, description: 'build with afc backend and volume monitor')

--- a/po/da.po
+++ b/po/da.po
--- a/po/eu.po
+++ b/po/eu.po
--- a/po/fa.po
+++ b/po/fa.po
--- a/po/he.po
+++ b/po/he.po
--- a/po/hr.po
+++ b/po/hr.po
--- a/po/ne.po
+++ b/po/ne.po
--- a/po/oc.po
+++ b/po/oc.po
--- a/po/ru.po
+++ b/po/ru.po
--- a/po/sk.po
+++ b/po/sk.po