[linux-cifs-client] setgid and nobrl

David Bell d.bell at soton.ac.uk
Mon Apr 6 13:29:34 GMT 2009


Hello,

Client: Red Hat Enterprise Linux 5.3 with cifs 1.54RH
Server: Red Hat Enterprise Linux 5.3 with Samba 3.0.33-3.7

Problem A: Running Perl scripts on a CIFS mounted directory results in:

Setuid/gid script is writable by world.

Even though ls doesn't suggest this is the case.

Problem B: Using SSH public key authentication from a home directory
mounted via CIFS leads to:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Permissions 0767 for '/home/db2z07/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others.

This private key will be ignored.
bad permissions: ignore key: /home/db2z07/.ssh/id_rsa

Even though the permissions are not set to 0767.

Both problems appear to be caused by cifs setting "setgid" as described
here:

http://lists.samba.org/archive/linux-cifs-client/2007-December/002519.html

Why does cifs set the setgid flag? It is causing applications such as
Perl and SSH to break. When I set the mount flags "file_mode" and
"dir_mode" the problem goes away. However, I want CIFS negotiated Unix
Extensions and the ability for the user to set permissions and read
normal Unix permissions. Using file_mode and dir_mode appears to
undermine the whole point of Unix extensions, or am I wrong?

Is there a way to prevent cifs from setting the setgid flag, especially
since I'm using "nobrl" which means I don't want mandatory locking
turned on at all. So, in essence, can "nobrl" be modified to not
populate setgid? Is there another workaround I can apply in the short term?

Background to this problem: I'm rolling out ~100 RHEL 5.3 Linux Desktops
for staff and students at the University of Southampton. To avoid
backing up every workstation we want /home/$USER/ mounted from a
filestore. After failing to make NFS4 work with Active Directory, we
picked CIFS/Samba instead for mounting /home/$USER/.

Cheers,

David Bell
UNIX Systems Administrator
University of Southampton
+44 (0) 2380592403
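
Added example, not part of the original post and not code from cifs, OpenSSH or Perl: a diagnostic that reports which files under a mount present mode bits that would trigger the two errors quoted above. The function names are hypothetical, and the Perl test (setuid/setgid plus world-writable) and SSH test (any group/other bit set) are simplified approximations of those programs' checks.

```python
#!/usr/bin/env python3
"""Report files whose mode bits, as seen by the client, trip SSH/Perl checks."""
import os
import stat
import sys


def classify(mode):
    """Return the list of findings for one st_mode value."""
    findings = []
    perms = stat.S_IMODE(mode)
    if not stat.S_ISREG(mode):
        return findings
    # setgid without group-execute is the Linux marker for mandatory locking
    if perms & stat.S_ISGID and not perms & stat.S_IXGRP:
        findings.append("setgid-no-group-exec")
    # Approximation of Perl: setuid/setgid script that is world-writable
    if perms & (stat.S_ISUID | stat.S_ISGID) and perms & stat.S_IWOTH:
        findings.append("perl-suid-world-writable")
    # Approximation of ssh: private key with any group/other permission bit
    if perms & 0o077:
        findings.append("ssh-key-too-open")
    return findings


def scan(root):
    """Walk root and yield (path, octal mode, findings) for flagged files."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode
            except OSError:
                continue  # file vanished or is unreadable
            findings = classify(mode)
            if findings:
                yield path, oct(stat.S_IMODE(mode)), findings


if __name__ == "__main__":
    # Constructed sample modes, used when no directory is given
    if len(sys.argv) < 2:
        for m in (0o100600, 0o102767, 0o102640):
            print(oct(m), classify(m))
    else:
        for path, mode, findings in scan(sys.argv[1]):
            print(mode, path, ",".join(findings))
```

Running it against the same directory with and without the file_mode/dir_mode mount options shows which bits the client is synthesising rather than reading from the server.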



