[linux-cifs-client] Re: [PATCH 2/3] cifs: tighten up default file_mode/dir_mode

Steve French smfrench at gmail.com
Mon May 25 01:45:39 GMT 2009


On Sun, May 24, 2009 at 5:45 PM, Jeff Layton <jlayton at redhat.com> wrote:
> The current default file mode is 02767 and dir mode is 0777. This is
> extremely "loose". Given that CIFS is a single-user protocol, these
> permissions allow anyone to use the mount -- in effect, giving anyone on
> the machine access to the credentials used to mount the share.

Yes, they are probably too loose, although multiuser mounts do work
in some use cases, most use single user mounts. Will be useful to
know when cifsacl code is ready to turn on by default, and whether
that would help. Perhaps the right answer is a default (to Windows)
of something like 0744, but seems like we need more user feedback
from a variety of different users (desktop, enterprise, home etc.)
to decide what the ideal default is.

> Note that this patch also removes the mandatory locking flags from the
> default file_mode. After having looked at how these flags are used by
> the kernel, I don't think that keeping them as the default offers any
> real benefit. That flag combination makes it so that the kernel enforces
> mandatory locking.

This was initially done as much to report to the program that we use
mandatory locking on these files (when mounted to Windows).
Linux doesn't handle "mandatory locking" in the vfs on the client
(which would be redundant with what the server is doing).
We can't do much to turn off Windows byte range locking behavior
but at least this alerts apps that they are getting mandatory
locking on these inodes. If no app ever checks this bit, and the bit
is obsolete, we could remove it.


-- 
Thanks,

Steve

