[linux-cifs-client] setgid and nobrl

David Bell d.bell at soton.ac.uk
Tue Apr 7 06:22:46 GMT 2009


Jeff Layton wrote:
> This is a known bug:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=481233
> 
> It should get fixed in RHEL5.4. If you have someplace non-critical to
> do so, you may want to test out the test kernels on my RH people page
> and see if this problem is resolved there:
> 
> http://people.redhat.com/jlayton/

Hello,

Thanks for this. It is a shame it can't be fixed sooner - I don't think
our users are going to be happy to wait another ~6 months for the next
RHEL update. Shame!

When I get a moment I'll try using a test kernel and see if that fixes
both problems. I'll let you know either way. I don't think it's a good
idea to use those kernels in production though and I'm sure you'd agree.

> CIFS sets the setgid bit but clears the group execute bit in the
> default file_mode. This makes the kernel enforce mandatory locking
> between processes on the same box. I think the idea is that microsoft
> servers only do mandatory locking so CIFS should do the same.
> 
> Personally, I think this is wrong and I've proposed a patch to change
> it and tighten up the default permissions on shares. It's still being
> discussed at this time.

For what it is worth, I agree as well! ;)

> In the meantime, you can probably work around the above bug by setting
> file_mode to something that makes ssh happy.

When users are affected I'll just have to do that.

> Are you using krb5 auth? If so, how are you mounting shares?

We're not using krb5 authentication because when I built the desktops we
were using RHEL 5.1 and there was no support for the cifs.upcall
mechanism to perform Kerberos authentication at that time. I haven't
added it since it became available in 5.3 because it just isn't worth
the extra time to test it out when the current scheme works fine.

Instead we're using a custom PAM module which calls a series of logon
scripts as root. This module has access to the user's password in order
to connect to remote file servers.

Cheers,

David Bell
UNIX Systems Administrator
University of Southampton
+44 (0) 2380592403
