[linux-cifs-client] Re: Anyone can write to cifs mounted Samba share !?

[Steve French]

See the description of the cifs mount options "perm" vs. "noperm" in
fs/cifs/README

This is a key issue to understand and eventually make clearer in the
documentation.

Two issues to determine in understanding permission checking:
1) Which smb uid is being used for the request (controlled by the mount
that you use and whether you have turned on 
/proc/fs/cifs/MultiUserMount)
2) Whether perm checks are being done at the client (cifs vfs) and Samba
server (ie when the perm mount option is enabled) or just at the Samba
server (when the noperm option is enabled)

Note that when you use the Linux extensions disabling perm checking may
make sense if the uids on client and server don't match since the uids
used by the client call to generic_permission won't make much sense
against a uid owner of a file that the client does not know about.

If you have multiuser mount enabled (for which I need more feedback and
testing) then if you have two mounts to the server as different users, I
will attempt to use the smb uid on network requests that matches the
local Linux uid you used to mount to that server with, that may be
helpful in conjunction with the above.  One of the pieces of code I need
is a way to use the new kernel event notification calls to call up to
kde or gnome utility to optionally prompt for a password if a user (who
has not smb authenticated) makes a request to access a share mounted by
someone else.

Note that it may be helpful to think about whether user mounts are
allowed when deciding whether to turn on multiusermounts - since it does
not do much good to mount unless you cifs can detect a different uid.