[PATCH] mount.cifs: properly check for mount being in fstab when running setuid root

Steve Langasek vorlon at debian.org
Mon Jun 1 01:34:18 GMT 2009


Hi Jeff,

On Tue, May 26, 2009 at 07:51:43PM -0400, Jeff Layton wrote:
> Ordinarily, I'd consider this a security problem, but I'm not aware of
> any distro that ships mount.cifs as setuid binary. Therefore, I'm going
> to go ahead and post this publicly for discussion.

Both Debian and Ubuntu ship mount.cifs setuid, so I guess you didn't look
very far afield.  But in any event, I don't see why you're claiming that
there's a security problem here - you seem to just be objecting that
unprivileged users can mount CIFS shares on directories they own, but this
is by design.  Or have I overlooked some other security hole?

> This means that it's currently not possible to set up user mounts the
> standard way (by the admin, in /etc/fstab) and simultaneously protect
> from an unprivileged user calling mount.cifs directly to mount a share
> on any directory that that user owns.

And as a result, my understanding is that the former usage is not
supported while the latter usage is.  That may be considered a bug, but I
don't see how it's a security bug.

> Mount helpers are never intended to be called directly, and shouldn't
> offer any "extra" privileges over what /bin/mount allows.

Well, I think this is an unsubstantiated assertion.  I think that would be
*a* valid policy, but clearly not everyone agrees with it or we wouldn't
have the current mount.cifs behavior in question.

I'm not particularly attached to the current behavior personally, but I know
there are users who expect this to work, and none of the alternatives you
propose are a complete replacement.

> Therefore, I'm proposing that we just change this and suggest that people
> look to other solutions (autofs,

autofs doesn't allow for per-user credentials when mounting.

> pam_mount

This presumes that users want to mount the shares at login time.  Obviously
pam_mount is already the better solution for this particular use case, but I
don't think it's a very good substitute for the way users actually use
mount.cifs.

> something new?

Which remains to be written, then. :)

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek at ubuntu.com                                     vorlon at debian.org