[Samba] how to mount shares as a user without mount.cifs setuid
Gary Dale
garydale at rogers.com
Thu Apr 8 10:07:05 MDT 2010
Nico Kadel-Garcia wrote:
> On Thu, Apr 8, 2010 at 12:45 AM, Chris Smith <smb_77 at chrissmith.org> wrote:
>
>> On Wed, Apr 7, 2010 at 9:39 PM, Jeff Layton <jlayton at samba.org> wrote:
>>
>>> Yes, we added a patch a while back to make it such that mount.cifs
>>> would not allow itself to run as a setuid root program unless it that
>>> check was compiled out.
>>>
>>> This was done due to a rather constant stream of "security issues" that
>>> were brought about when people installed mount.cifs setuid root. Since
>>> it had never been vetted for security, we really had no other choice to
>>> communicate that installing it setuid root was unsafe.
>>>
>> Not the place for it so the inquiry is only rhetorical.
>> How can you equate adding a patch preventing a sysadmin from using an
>> app as designed to communicating? Communication is one thing,
>> handcuffs are another.
>>
>
> It doesn't stop a sysadmin. Sysadmins have root privileges and do not
> need setuid for this. Sysadmins can also manipulate automount or
> /etc/fstab to allow far more controlled mounting.
>
> This isn't "handcuffs". It's a seatbelt.
>
I'm not sure I can agree with you on that. When I setuid to allow a user
to mount their own shares, they can do it. If I set up fstab to mount
shares as root using specific uid and gid values, then the users don't
see their correct permissions. That's a straightjacket, not a seatbelt.
Now perhaps I'm missing something, but I have no trouble with users
mounting nfs shares. The idea that users can't mount cifs shares strikes
me as odd and an unnecessary impediment.
More information about the samba
mailing list