[Samba] mount.cifs permissions for non-root user via sudo
alazarev at illinois.edu
Mon Mar 24 13:07:07 MDT 2014
> -----Original Message-----
> On Mon, 2014-03-24 at 17:24 +0000, Lazarevich, Alexander wrote:
> > I'm not sure this is the proper forum to post to, but I hope someone can
> point me in the right direction if not have the answers. We have a RedHat
> Enterprise 5 AS machine, fully patched, with the most recent samba RPMs
> installed. The machine is joined to Active Directory via a 3rd party program
> called Centrify. An AD user, when logged into this system, is given permission
> to run /bin/mount via sudo, in order to mount that users' Windows share
> from a Windows fileserver. (2008R2) The exact mount command is:
> > sudo mount -t cifs //servername/share/user1 /home/user1/network-
> > -o domain=domname,username=user1
> > After the user provides their AD password, the share is mounted:
> > [user1 at linux1PC]$ df -h
> > Filesystem Size Used Avail Use% Mounted on
> > /dev/sda2 20G 7.3G 12G 40% /
> > /dev/sda1 99M 25M 70M 26% /boot
> > tmpfs 1006M 0 1006M 0% /dev/shm
> > //servername/share/user1 6.0T 5.0T 1.1T 83%
> > /home/user1/network-mount
> > As you can see, the mount worked fine. However, the permissions are very
> odd. All files/folders are owned by root:
> > [user1 at linux1PC]$ ls -l
> > total 547949
> > -rwxrwSrwx 1 root root 70207240 Jul 30 2012
> > 22.214.171.124-TIV-TSMBAC-WinX32.exe -rwxrwSrwx 1 root root 157970712 Jun 5
> > 2013 126.96.36.199-TIV-TSMBAC-WinX32.exe -rwxrwSrwx 1 root root 158327144
> > Jun 5 2013 188.8.131.52-TIV-TSMBAC-WinX32.exe -rwxrwSrwx 1 root root
> > 174554976 Jun 5 2013 184.108.40.206-TIV-TSMBAC-WinX32.exe ...
> > ...
> > After some testing, it seems as though the mount command is
> > purposefully mounting the share as root, with 777 perms, so the user
> > can have proper access. The user1 is able to read/write all files as
> > needed. And other users on the system have no access to the share.
> > (which is odd because the perms are 777)
> > I'm hoping someone else in the world has solved this problem: Is this the
> proper way to mount non-root user Windows shares via command line? Is
> there another/better way to mount Windows shares command line for non-
> root users? Or are we doing it the correct way and somehow the system is
> monitoring the mounted share and translating permissions from unix to CIFS
> on the fly. The ACLS on the Windows server are correct for all created
> files/folders from that user. We have to know these permissions are correct
> and stable before we put this mount procedure into production in our labs.
> > Any ideas?
> > Thanks!
> > Alex
> Over cifs, the -rwxrwSrwx part of the listing doesn't bear any resemblance to
> the actual ac lists.
Thanks Steve, for the reply. So is it safe to say this root owned mount is normal behavior for cifs when mounting domain user shares and the share is safe to use for the user? I'm tending to think that is correct, but I'd really like some confirmation about that.
More information about the samba