[linux-cifs-client] Error's opening credentials file.

Jeff Layton jlayton at samba.org
Sat Apr 3 08:16:29 MDT 2010


On Sat, 3 Apr 2010 15:56:40 +0200
Stef Bon <stefbon at gmail.com> wrote:

> Yes, I will do that.
> 
> First I would like to know what this libcap(-ng) is for.
> I've read the website, but can you give some explanation?
> 
> The website is mentioning the security and the dropping of privileges.
> What does this mean in respect to the cifs utils? You're dropping
> privileges or you don't, that's (not the question) a decision an app
> makes. Is an extra library required to do so?
> 
> 

One way to drop privileges is to setuid() to a non-privileged user.
Another is to just explicitly turn off capabilities that you know the
process doesn't need. This makes running a process as root less of
an "all or nothing" thing. See the capabilities(7) manpage for more
info on them.

When mount.cifs is run by root, we can't really take the first approach
-- that leaves it potentially unable to do things like open cred files
and it's unclear to what user you could setuid anyway.

libcap and libcap-ng are libraries that make it easier to manage
capability sets, but libcap-ng appears to be much simpler to use. The
downside is that libcap-ng is fairly recent and a lot of older distros
don't have it.

-- 
Jeff Layton <jlayton at samba.org>

