[Samba] how to mount shares as a user without mount.cifs setuid

Jeff Layton jlayton at samba.org
Thu Apr 8 06:12:43 MDT 2010


On Thu, 08 Apr 2010 00:37:30 -0400
Gary Dale <garydale at rogers.com> wrote:

> Jeff Layton wrote:
> > On Wed, 07 Apr 2010 16:44:47 -0400
> > Gary Dale <garydale at rogers.com> wrote:
> >
> >   
> >> I'm running Debian/Squeeze on an AMD64 system. For some reason they have 
> >> recently stopped shipping mount.cifs with the setuid bit set.
> >>     
> >
> > That would be because it was horribly unsecure.
> >
> >   
> >>  Now it 
> >> appears that they have changed the internal settings to prevent it from 
> >> running setuid. This means that I can't define the share in fstab with 
> >> "user" and connect from my Linux user account. Mounting smb/cifs shares 
> >> seems to be blocked except for root.
> >>
> >>     
> >
> > Yes, we added a patch a while back to make it such that mount.cifs
> > would not allow itself to run as a setuid root program unless it that
> > check was compiled out.
> >
> > This was done due to a rather constant stream of "security issues" that
> > were brought about when people installed mount.cifs setuid root. Since
> > it had never been vetted for security, we really had no other choice to
> > communicate that installing it setuid root was unsafe.
> >
> >   
> >> Presumably this has been done for security reasons. However, I can't 
> >> currently do much with my network shares unless I'm root because the 
> >> shares and all the files are owned by root:root. This is despite the 
> >> fstab setting username=<my windows account name> and I get prompted for 
> >> the password. That only seems to be used for connecting to the share, 
> >> not for the permissions.
> >>
> >> My Debian box hasn't joined a domain - I'm just using local accounts. I 
> >> mainly have the domain for some Windows boxes used by my family.
> >>
> >> How do I mount an smb/cifs share as a normal user without running 
> >> mount.cifs? Or if I have to mount the share as root, how can I get 
> >> reasonable access to the shares?
> >>
> >>     
> >
> > You need to set the uid=/gid= options when mounting. When it's run by a
> > non-root user, /bin/mount adds these options automatically.
> >   
> Except that when I run mount as a non-root user, I get the error about 
> mount.cifs not being setuid. This is generated from the user option in 
> fstab. If I remove the user option, I am told that only root can mount 
> the share. Thus my problem that normal users cannot mount smbfs/cifs 
> shares. This appears to be reserved now only for root.
> 

Sorry, I should have been more clear. The uid=/gid= options will just
fix the ownership issues if you do the mount as root. It won't allow the
mount to be performed by a non-privileged user.

> > It's also worthwhile to note that I've recently re-enabled the ability
> > to run mount.cifs as a setuid root program in the latest cifs-utils
> > release:
> >
> > http://linux-cifs.samba.org/cifs-utils/
> >
> > ...you may want to switch to using that instead if you need the ability
> > to use mount.cifs in this way.
> >   
> I would except that Debian/Squeeze has its own repositories that I'd 
> prefer to stick with. Hopefully they'll catch up shortly.
> 
> While the ability to run mount.cifs setuid again is appreciated, how 
> does that fit in with the "horribly unsecure" reasoning that led to it 
> being removed?

The code has been substantially reworked and should be far safer than
it was previously. It does privilege separation now such that the bulk
of the mount process is performed as an unprivileged user, and if
linked against the right libs, with capabilities pruned to the minimum.

At this point, I'd say it's safe enough that we no longer need to
restrict it from being installed setuid root. As always, you should
weigh carefully whether to do so in your own environment and packages.

FWIW, I have no plans to make the Fedora cifs-utils package install
mount.cifs setuid root. Part of the reason for that is that no one has
requested it.

-- 
Jeff Layton <jlayton at samba.org>


More information about the samba mailing list