[linux-cifs-client] Error's opening credentials file.

Jeff Layton jlayton at samba.org
Sun Apr 4 14:56:15 MDT 2010


On Sun, 4 Apr 2010 18:40:10 +0200
Stef Bon <stefbon at gmail.com> wrote:

> 2010/4/4 Jeff Layton <jlayton at samba.org>:
> > On Sat, 3 Apr 2010 22:42:39 +0200
> > Stef Bon <stefbon at gmail.com> wrote:
> >
> >> Thanks for the explanation.
> >>
> >> I've got the recent dev. sources with git, and see the differences in
> >> the mount.cifs.c file.
> >> (line 325: #ifdef HAVE_LIBCAP)
> >>
> >> My first analysis was wrong, that the function access gave an error,
> >> but what has changed?
> >
> > The child mount.cifs process no longer had CAP_DAC_OVERRIDE.
> >
> >> Was the implementation of libcap not right, and thus dropping
> >> privileges in a wrong manner?
> >
> > It was dropping CAP_DAC_OVERRIDE which is needed for root to be able to
> > open files to which it doesn't have explicit permission.
> >
> 
> OK, but then the system call fopen (and maybe access?) looks at this
> value CAP_DAC_OVERRIDE,
> but to be frank, I've never heard of this before. (and I'm
> developing fs with FUSE..)
> 
> Can you please explain how these system calls look at the cap values/settings?
> 

Not any better than the capabilities(7) manpage can.

...actually though in reading the manpage, I probably don't need
CAP_DAC_OVERRIDE even. CAP_DAC_READ_SEARCH would probably be fine for
this...hmm.

> When your app is not using the libcap, the cap values are not set. It
> still works.
> 

Yes. That's because it doesn't drop any capabilities. It just runs with
more privileges than are necessary to perform the mount.

-- 
Jeff Layton <jlayton at samba.org>
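
Added example (not part of the original message and not mount.cifs code): a simplified C model of the permission decision discussed in this thread. It shows why a uid 0 process that has dropped CAP_DAC_OVERRIDE cannot open a 0600 file owned by another user, and that CAP_DAC_READ_SEARCH is enough when the file is only read. The struct names, helper functions and the uid 1000 credentials file are assumptions made for illustration; the real check happens in the kernel.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Bit positions as numbered in <linux/capability.h>. */
#define BIT_DAC_OVERRIDE     (UINT64_C(1) << 1)  /* CAP_DAC_OVERRIDE */
#define BIT_DAC_READ_SEARCH  (UINT64_C(1) << 2)  /* CAP_DAC_READ_SEARCH */
#define WANT_READ  4
#define WANT_WRITE 2

struct proc_cred { uid_t fsuid; gid_t fsgid; uint64_t cap_eff; };
struct file_meta { uid_t uid; gid_t gid; mode_t mode; };

/* Simplified model of the DAC check for a regular file
 * (no ACLs, no supplementary groups, no execute requests).
 * Note that uid 0 is never tested: only the capability bits matter. */
static bool may_open(const struct proc_cred *p, const struct file_meta *f, int want)
{
    int granted;
    if (p->fsuid == f->uid)      granted = (f->mode >> 6) & 7;
    else if (p->fsgid == f->gid) granted = (f->mode >> 3) & 7;
    else                         granted = f->mode & 7;

    if ((granted & want) == want)
        return true;                    /* mode bits alone allow it */
    if (p->cap_eff & BIT_DAC_OVERRIDE)
        return true;                    /* bypasses read and write checks */
    /* CAP_DAC_READ_SEARCH bypasses read checks only. */
    return want == WANT_READ && (p->cap_eff & BIT_DAC_READ_SEARCH);
}

/* Constructed case: uid 0 opening a user's 0600 credentials file. */
static bool root_can_open(uint64_t cap_eff, int want)
{
    struct proc_cred root = { 0, 0, cap_eff };
    struct file_meta cred_file = { 1000, 1000, 0600 };
    return may_open(&root, &cred_file, want);
}

int main(void)
{
    printf("all caps dropped, read:     %d\n", root_can_open(0, WANT_READ));
    printf("CAP_DAC_OVERRIDE, read:     %d\n", root_can_open(BIT_DAC_OVERRIDE, WANT_READ));
    printf("CAP_DAC_READ_SEARCH, read:  %d\n", root_can_open(BIT_DAC_READ_SEARCH, WANT_READ));
    printf("CAP_DAC_READ_SEARCH, rd+wr: %d\n",
           root_can_open(BIT_DAC_READ_SEARCH, WANT_READ | WANT_WRITE));
    return 0;
}
```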

