[Samba] how to mount shares as a user without mount.cifs setuid
garydale at rogers.com
Thu Apr 8 10:07:05 MDT 2010
Nico Kadel-Garcia wrote:
> On Thu, Apr 8, 2010 at 12:45 AM, Chris Smith <smb_77 at chrissmith.org> wrote:
>> On Wed, Apr 7, 2010 at 9:39 PM, Jeff Layton <jlayton at samba.org> wrote:
>>> Yes, we added a patch a while back to make it such that mount.cifs
>>> would not allow itself to run as a setuid root program unless that
>>> check was compiled out.
>>> This was done due to a rather constant stream of "security issues" that
>>> were brought about when people installed mount.cifs setuid root. Since
>>> it had never been vetted for security, we really had no other choice to
>>> communicate that installing it setuid root was unsafe.
>> Not the place for it so the inquiry is only rhetorical.
>> How can you equate adding a patch preventing a sysadmin from using an
>> app as designed to communicating? Communication is one thing,
>> handcuffs are another.
> It doesn't stop a sysadmin. Sysadmins have root privileges and do not
> need setuid for this. Sysadmins can also manipulate automount or
> /etc/fstab to allow far more controlled mounting.
> This isn't "handcuffs". It's a seatbelt.
I'm not sure I can agree with you on that. When I setuid to allow a user
to mount their own shares, they can do it. If I set up fstab to mount
shares as root using specific uid and gid values, then the users don't
see their correct permissions. That's a straightjacket, not a seatbelt.
Now perhaps I'm missing something, but I have no trouble with users
mounting nfs shares. The idea that users can't mount cifs shares strikes
me as odd and an unnecessary impediment.