[PATCH] mount.cifs: properly check for mount being in fstab
when running setuid root
Steve Langasek
vorlon at debian.org
Mon Jun 1 01:34:18 GMT 2009
Hi Jeff,
On Tue, May 26, 2009 at 07:51:43PM -0400, Jeff Layton wrote:
> Ordinarily, I'd consider this a security problem, but I'm not aware of
> any distro that ships mount.cifs as setuid binary. Therefore, I'm going
> to go ahead and post this publically for discussion.
Both Debian and Ubuntu ship mount.cifs setuid, so I guess you didn't look
very far afield. But in any event, I don't see why you're claiming that
there's a security problem here - you seem to just be objecting that
unprivileged users can mount CIFS shares on directories they own, but this
is by design. Or have I overlooked some other security hole?
> This means that it's currently not possible to set up user mounts the
> standard way (by the admin, in /etc/fstab) and simultaneously protect
> from an unprivileged user calling mount.cifs directly to mount a share
> on any directory that that user owns.
And as a result, my understanding is that the former usage is not
supported while the latter usage is. That may be considered a bug, but I
don't see how it's a security bug.
> Mount helpers are never intended to be called directly, and shouldn't
> offer any "extra" privileges over what /bin/mount allows.
Well, I think this is an unsubstantiated assertion. I think that would be
*a* valid policy, but clearly not everyone agrees with it or we wouldn't
have the current mount.cifs behavior in question.
I'm not particularly attached to the current behavior personally, but I know
there are users who expect this to work, and none of the alternatives you
propose are a complete replacement.
> Therefore, I'm proposing that we just change this and suggest that people
> look to other solutions (autofs,
autofs doesn't allow for per-user credentials when mounting.
> pam_mount
This presumes that users want to mount the shares at login time. Obviously
pam_mount is already the better solution for this particular use case, but I
don't think it's a very good substitute for the way users actually use
mount.cifs.
> something new?
Which remains to be written, then. :)
--
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
Ubuntu Developer http://www.debian.org/
slangasek at ubuntu.com vorlon at debian.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 827 bytes
Desc: Digital signature
Url : http://lists.samba.org/archive/samba-technical/attachments/20090531/d9b04823/attachment.bin
More information about the samba-technical
mailing list