making mount.cifs safe to be setuid root
jlayton at samba.org
Mon Feb 15 06:41:10 MST 2010
As many people know, we recently made it so that mount.cifs is built in
such a way that it refuses to be run as a setuid root program. At the
time we did this, I noted that it was intended to be a temporary
measure until we could give mount.cifs a security audit and make it
safer to be run as a setuid root program.
Most of the info about the mount is now stored in predeclared
fixed-length buffers in a struct. The struct is allocated early on in
MAP_SHARED memory. Once the command-line options are parsed and
mount.cifs has chdir'ed into the mountpoint, it fork()'s and drops
privileges. The child process then does the bulk of the option parsing.
The parent just wait()'s until the child exits, checks the exit status
and then just errors out if it's anything but 0.
The patchset is really large and parts of mount.cifs have been heavily
redesigned. I don't really want to post the patchset here (it's 27
patches), but I'd appreciate some review. The set is in the "setuid.1"
branch in my cifs-utils tree:
...review would be appreciated, particularly of the overall design. It
may be easier to just review the final result rather than individual
Jeff Layton <jlayton at samba.org>
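The privilege-separation pattern Jeff describes (a struct of fixed-length buffers in MAP_SHARED memory, fork, drop privileges in the child, parse there, and have the parent trust the result only on exit status 0) is shown below as an added, self-contained example. It is not mount.cifs code and not part of the original post: the option grammar (`user=`, `domain=`, `ro`/`rw`), the `OPT_MAX` field size, the 256-byte option-string limit and all function names are assumptions made for the demo. The child drops to the real uid/gid of the invoking user, so the demo also runs unprivileged, where the drop is a no-op that still has to succeed.

```c
/* Added example of the fork-and-drop-privileges parsing pattern (not mount.cifs code). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#define OPT_MAX 64              /* assumed fixed field size; no heap allocation anywhere */

struct parsed_opts {            /* lives in MAP_SHARED memory, filled in by the unprivileged child */
    char user[OPT_MAX];
    char domain[OPT_MAX];
    int  rw;                    /* 1 = read-write, 0 = read-only */
};

/* Bounded copy: refuses anything that would not fit, instead of truncating silently. */
static int copy_field(char *dst, size_t dstlen, const char *src)
{
    if (strlen(src) >= dstlen)
        return -1;
    strcpy(dst, src);
    return 0;
}

/* Untrusted work: parse a comma-separated option string (assumed grammar for the demo). */
static int parse_options(const char *opts, struct parsed_opts *out)
{
    char buf[256];
    char *save = NULL;

    if (strlen(opts) >= sizeof(buf))
        return -1;
    strcpy(buf, opts);
    out->rw = 1;

    for (char *tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save)) {
        char *eq = strchr(tok, '=');
        const char *val = eq ? eq + 1 : "";
        if (eq)
            *eq = '\0';
        if (strcmp(tok, "user") == 0) {
            if (copy_field(out->user, sizeof(out->user), val) != 0) return -1;
        } else if (strcmp(tok, "domain") == 0) {
            if (copy_field(out->domain, sizeof(out->domain), val) != 0) return -1;
        } else if (strcmp(tok, "ro") == 0) {
            out->rw = 0;
        } else if (strcmp(tok, "rw") == 0) {
            out->rw = 1;
        } else {
            return -1;          /* unknown option: fail closed */
        }
    }
    return 0;
}

/* Permanently drop to the invoking user's real uid/gid; verify the drop took effect. */
static int drop_privs(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (geteuid() == 0 && setgroups(0, NULL) != 0)   /* clear supplementary groups while still root */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)        /* gid first, uid last */
        return -1;
    if (getegid() != gid || geteuid() != uid)
        return -1;
    return 0;
}

/* Privileged side: share the struct, fork, let the child parse unprivileged, trust only exit 0. */
static int privsep_parse(const char *opts, struct parsed_opts *result)
{
    struct parsed_opts *shared = mmap(NULL, sizeof(*shared), PROT_READ | PROT_WRITE,
                                      MAP_SHARED | MAP_ANONYMOUS, -1, 0);
    if (shared == MAP_FAILED)
        return -1;
    memset(shared, 0, sizeof(*shared));

    pid_t pid = fork();
    if (pid < 0) {
        munmap(shared, sizeof(*shared));
        return -1;
    }
    if (pid == 0) {
        if (drop_privs() != 0)
            _exit(2);
        _exit(parse_options(opts, shared) == 0 ? 0 : 1);
    }

    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR) {
            munmap(shared, sizeof(*shared));
            return -1;
        }
    }
    int rc = (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
    if (rc == 0)
        *result = *shared;      /* copy out only when the child reported success */
    munmap(shared, sizeof(*shared));
    return rc;
}

/* Self-checks on constructed option strings (not from the original post). */
static int demo_accepts(void)
{
    struct parsed_opts o;
    if (privsep_parse("user=alice,domain=EXAMPLE,ro", &o) != 0)
        return 0;
    return strcmp(o.user, "alice") == 0 && strcmp(o.domain, "EXAMPLE") == 0 && o.rw == 0;
}

static int demo_rejects(const char *opts)
{
    struct parsed_opts o;
    return privsep_parse(opts, &o) != 0;
}

int main(int argc, char **argv)
{
    struct parsed_opts o;
    const char *opts = argc > 1 ? argv[1] : "user=alice,domain=EXAMPLE,ro";
    if (privsep_parse(opts, &o) != 0) {
        fprintf(stderr, "option parsing failed in unprivileged child\n");
        return 1;
    }
    printf("user=%s domain=%s rw=%d\n", o.user, o.domain, o.rw);
    return 0;
}
```

Two details carry the security weight: the parent never reads the shared struct unless the child exited 0, so a crash or a rejected string in the child can never feed half-written data to the privileged mount path, and every copy into the fixed-length fields is bounds-checked and fails closed rather than truncating. Real code would also chdir into the mountpoint before the fork and verify the drop with a probe such as checking that setuid(0) fails, as the post's design implies for the privileged steps.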