[linux-cifs-client] Error's opening credentials file.

Stef Bon stefbon at gmail.com
Sat Apr 3 14:42:39 MDT 2010


Thanks for the explanation.

I've got the recent dev. sources with git, and see the differences in
the mount.cifs.c file.
(line 325: #ifdef HAVE_LIBCAP)

My first analysis was wrong, that the function access gave an error,
but what has changed?
Was the implementation of libcap not right, and thus dropping
privileges in a wrong manner?
But how is it dropping privileges if it is run as root? To what
account is it changing then?

Stef

2010/4/3 Jeff Layton <jlayton at samba.org>:
> On Sat, 3 Apr 2010 15:56:40 +0200
> Stef Bon <stefbon at gmail.com> wrote:
>
>> Yes, I will do that.
>>
>> First I would like to know what this libcap(-ng) is for.
>> I've read the website, but can you give some explanation?
>>
>> The website is mentioning the security and the dropping of privileges.
>> What does this mean in respect to the cifs utils? You're dropping
>> privileges or you don't, that's (not the question) a decision an app
>> makes. Is an extra library required to do so?
>>
>>
>
> One way to drop privileges is to setuid() to a non-privileged user.
> Another is to just explicitly turn off capabilities that you know the
> process doesn't need. This makes running a process as root less of
> an "all or nothing" thing. See the capabilities(7) manpage for more
> info on them.
>
> When mount.cifs is run by root, we can't really take the first approach
> -- that leaves it potentially unable to do things like open cred files
> and it's unclear to what user you could setuid anyway.
>
> libcap and libcap-ng are libraries that make it easier to manage
> capability sets, but libcap-ng appears to be much simpler to use. The
> downside is that libcap-ng is fairly recent and a lot of older distros
> don't have it.
>
> --
> Jeff Layton <jlayton at samba.org>
>
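
The second approach from the quoted reply (staying root but turning off capabilities the process does not need), as an added example that is not part of the original thread and is not the mount.cifs code. It uses the raw capget/capset system calls instead of libcap or libcap-ng so it builds without either library; the helper names and the kept set (CAP_SYS_ADMIN and CAP_DAC_READ_SEARCH) are illustrative assumptions.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Read (set == 0) or write (set == 1) the calling thread's capability sets. */
static int cap_call(int set, struct __user_cap_data_struct d[2])
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(set ? SYS_capset : SYS_capget, &h, d);
}

/* Keep only the capabilities in `keep` (bits 1ULL << CAP_x). The uid is
 * untouched: the process is still root, just without the other powers. */
int drop_all_but(uint64_t keep)
{
    struct __user_cap_data_struct d[2];
    if (cap_call(0, d) != 0)
        return -1;
    for (int i = 0; i < 2; i++) {
        uint32_t mask = (uint32_t)(keep >> (32 * i));
        d[i].permitted &= mask;   /* permitted can only shrink */
        d[i].effective &= mask;   /* effective stays within permitted */
        d[i].inheritable = 0;     /* nothing passed across execve() */
    }
    return cap_call(1, d);
}

/* 1 if `cap` is in the effective set, 0 if not, -1 on error. */
int has_effective(int cap)
{
    struct __user_cap_data_struct d[2];
    if (cap < 0 || cap > 63 || cap_call(0, d) != 0)
        return -1;
    return (int)((d[cap / 32].effective >> (cap % 32)) & 1u);
}

int main(void)
{
    /* Illustrative kept set: mount(2) and reading a root-only file. */
    uint64_t keep = (1ULL << CAP_SYS_ADMIN) | (1ULL << CAP_DAC_READ_SEARCH);
    if (drop_all_but(keep) != 0) { perror("capset"); return 1; }
    printf("uid=%d SYS_ADMIN=%d DAC_READ_SEARCH=%d NET_RAW=%d\n", (int)getuid(),
           has_effective(CAP_SYS_ADMIN), has_effective(CAP_DAC_READ_SEARCH),
           has_effective(CAP_NET_RAW));
    return 0;
}
```

Run as root, the uid stays 0 while only the kept capabilities remain effective; run as an ordinary user, every capability reads 0 because there was nothing to keep.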

