smbfs entry in fstab for users...

Urban Widmark urban at svenskatest.se
Thu Sep 28 08:54:14 GMT 2000


On Wed, 27 Sep 2000, Michael Hieb wrote:

> and here is what happens if any user but root or the owner of
> /local/image tries to mount
> [hieb at lnxwp1 hieb]$ mount /local/image
> [hieb at lnxwp1 hieb]$ cannot mount on /local/image: Operation not permitted
> smbmnt failed: 1
> mount.smbfs: ioctl failed, res=-1
> Could not umount /local/image: Device or resource busy

[smbmount blocking itself in the error handling ...]

> and the directory in question...
> [hieb at lnxwp1 hieb]$ ls -lda /local/image
> drwxrwxrwx   2 nobody   users        1024 Sep 16  1999 /local/image
> [hieb at lnxwp1 hieb]$ ls -la /local/image
> total 2
> drwxrwxrwx   2 nobody   users        1024 Sep 16  1999 .
> drwxrwxrwx  10 root     root         1024 Sep 22 17:56 ..
> [hieb at lnxwp1 hieb]$
> 
> 
> If this is in the manual, I apologize in advance, I've looked and not
> found anything. If you know please advise, it would make things very
> convenient.

It is in the man page for smbmnt:
	"It checks whether the user has write permissions on the mount
	 point and then mounts the directory."
Which is perhaps not the whole truth, it also checks ownership. "write
permissions" suggests that it is an access check.


smbmnt must be setuid for this to work. smbmnt is a mount program and must
do some authorization checks since it "bypasses" what the normal mount
command does. mount_ok in source/client/smbmnt.c is responsible for this.
It contains this snippet:

        if ((getuid() != 0) &&
            ((getuid() != st.st_uid) ||
             ((st.st_mode & S_IRWXU) != S_IRWXU))) {
                /* disallow mount */
        }
        /* allow mount */

A simple and bad hack would be to remove that check.
(Allows anyone to mount a smbfs share anywhere in the fs, like
 replace /usr/bin)

A better hack might be to allow someone with the proper group access
(users in this case) to mount.
(Allows anyone to mount a smbfs share anywhere in the fs where they
 have user or group write access)

A good hack might be to do the same checks in smbmnt that mount normally
does (whatever that is ... disallow all non-root mounts unless in fstab
with user option? or perhaps add a list of allowed dirs to smb.conf).


Another option might be to get autofs to do the mounting, possibly using
different autofs maps (with different uid or gid parameters) depending on
who is requesting the mounting. I don't know how to do that in a nice
way but I think it is possible.


/Urban




