[linux-cifs-client] setgid and nobrl

Jeff Layton jlayton at redhat.com
Mon Apr 6 14:01:25 GMT 2009


On Mon, 6 Apr 2009 14:29:34 +0100
David Bell <d.bell at soton.ac.uk> wrote:

> Hello,
> 
> Client: Red Hat Enterprise Linux 5.3 with cifs 1.54RH
> Server: Red Hat Enterprise Linux 5.3 with Samba 3.0.33-3.7
> 
> Problem A: Running Perl scripts on a CIFS mounted directory results in:
> 
> Setuid/gid script is writable by world.
> 
> Even though ls doesn't suggest this is the case.
> 
> Problem B: Using SSH public key authentication from a home directory
> mounted via CIFS leads to:
> 
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> 
> Permissions 0767 for '/home/db2z07/.ssh/id_rsa' are too open.
> It is recommended that your private key files are NOT accessible by others.
> 
> This private key will be ignored.
> bad permissions: ignore key: /home/db2z07/.ssh/id_rsa
> 
> Even though the permissions are not set to 0767.
> 

This is a known bug:

https://bugzilla.redhat.com/show_bug.cgi?id=481233

It should get fixed in RHEL5.4. If you have someplace non-critical to
do so, you may want to test out the test kernels on my RH people page
and see if this problem is resolved there:

http://people.redhat.com/jlayton/

> Both problems appear to be caused by cifs setting "setgid" as described
> here:
> 
> http://lists.samba.org/archive/linux-cifs-client/2007-December/002519.html
> 
> Why does cifs set the setgid flag? It is causing applications such as
> Perl and SSH to break. When I set the mount flags "file_mode" and
> "dir_mode" the problem goes away. However, I want CIFS negotiated Unix
> Extensions and the ability for the user to set permissions and read
> normal Unix permissions. Using file_mode and dir_mode appears to
> undermine the whole point of Unix extensions, or am I wrong?
> 
> Is there a way to prevent cifs from setting the setgid flag, especially
> since I'm using "nobrl" which means I don't want mandatory locking
> turned on at all. So, in essence, can "nobrl" be modified to not
> populate setgid? Is there another workaround I can apply in the short term?
> 

CIFS sets the setgid bit but clears the group execute bit in the
default file_mode. This makes the kernel enforce mandatory locking
between processes on the same box. I think the idea is that Microsoft
servers only do mandatory locking so CIFS should do the same.

Personally, I think this is wrong and I've proposed a patch to change
it and tighten up the default permissions on shares. It's still being
discussed at this time.

In the meantime, you can probably work around the above bug by setting
file_mode to something that makes ssh happy.

> Background to this problem: I'm rolling out ~100 RHEL 5.3 Linux Desktops
> for staff and students at the University of Southampton. To avoid
> backing up every workstation we want /home/$USER/ mounted from a
> filestore. After failing to make NFS4 work with Active Directory, we
> picked CIFS/Samba instead for mounting /home/$USER/.
> 

Are you using krb5 auth? If so, how are you mounting shares?


-- 
Jeff Layton <jlayton at redhat.com>

