View Issue Details

ID: 0004537
Project: CentOS-5
Category: samba-client
View Status: public
Last Update: 2010-10-06 20:55
Reporter: tru
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: won't fix
Product Version: 5.5
Target Version:
Fixed in Version:
Summary: 0004537: default cifs mounts allow anyone to write to the mounted share
Description:
[tru@sillage2 ~]$ grep cifs /etc/fstab
//silo.pasteur.fr/Bis/tru /silo/Bis/tru cifs noauto,users,credentials=/home/Bis/tru/.silo.cifs.txt,user=tru,uid=2765,gid=400,netbiosname=SILO,domain=PASTEUR 0 0
[tru@sillage2 ~]$ rpm -qf /sbin/mount.cifs
samba-client-3.0.33-3.29.el5_5.1.x86_64
[tru@sillage2 ~]$ ls -ld /silo/Bis/tru
drwxr-xr-x 2 tru root 4096 Mar 5 2010 /silo/Bis/tru/
[tru@sillage2 ~]$ grep silo /etc/mtab
[tru@sillage2 ~]$ grep silo /proc/mounts

mounting:
[tru@sillage2 ~]$ sudo mount /silo/Bis/tru

[tru@sillage2 ~]$ grep silo /etc/mtab
//silo.pasteur.fr/Bis/tru /silo/Bis/tru cifs rw,mand,noexec,nosuid,nodev 0 0

[tru@sillage2 ~]$ ls -ld /silo/Bis/tru
drwxrwxrwx 55 tru Bis 0 Oct 6 14:21 /silo/Bis/tru/

[tru@sillage2 ~]$ sudo useradd toto
[tru@sillage2 ~]$ sudo su - toto
[toto@sillage2 ~]$ id
uid=2766(toto) gid=2766(toto) groups=2766(toto)
[toto@sillage2 ~]$ echo coucou > /silo/Bis/tru/coucou
[toto@sillage2 ~]$ ls -ld /silo/Bis/tru/coucou
-rwxrwSrwx 1 tru Bis 7 Oct 6 15:53 /silo/Bis/tru/coucou
Additional Information: mitigation: force dir_mode and file_mode to sensible values (dir_mode=0700 and file_mode=0600)
Tags: No tags attached.
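
An added example, not part of the original report: a shell function that audits an fstab-format file for cifs entries whose file_mode or dir_mode is unset (so the default applies) or grants group/other access, which is the condition the mitigation above addresses. The function names are assumptions; the first sample entry is the reporter's fstab line and the others are constructed.

```shell
#!/bin/sh
# Added example: flag cifs entries in an fstab-format file whose file_mode or
# dir_mode is unset (kernel default applies) or grants group/other access.

# Prints one "<mountpoint> <option>=<value|unset>" line per risky setting.
# Reads the file named in $1, or standard input when no argument is given.
audit_cifs_fstab() {
    awk '
    # Return the value of option "key" in a comma-separated list, or "".
    function opt(opts, key,    n, i, kv, parts) {
        n = split(opts, parts, ",")
        for (i = 1; i <= n; i++) {
            split(parts[i], kv, "=")
            if (kv[1] == key) return kv[2]
        }
        return ""
    }
    # Risky when unset, or when the group/other octal digits are not both 0.
    function risky(m) {
        if (m == "") return 1
        return (substr("00" m, length(m) + 1) != "00")
    }
    BEGIN { split("file_mode dir_mode", keys, " ") }
    $1 ~ /^#/ || NF < 4 { next }          # skip comments and short lines
    $3 == "cifs" {
        for (k = 1; k <= 2; k++) {
            m = opt($4, keys[k])
            if (risky(m)) print $2, keys[k] "=" (m == "" ? "unset" : m)
        }
    }' "${1:--}"
}

# Sample input. Entry 1 is the fstab line from the report; the rest are constructed.
sample_fstab() {
    cat <<'EOF'
//silo.pasteur.fr/Bis/tru /silo/Bis/tru cifs noauto,users,credentials=/home/Bis/tru/.silo.cifs.txt,user=tru,uid=2765,gid=400,netbiosname=SILO,domain=PASTEUR 0 0
//silo.pasteur.fr/Bis/tru /mnt/hardened cifs noauto,credentials=/home/Bis/tru/.silo.cifs.txt,uid=2765,gid=400,dir_mode=0700,file_mode=0600 0 0
//fileserver.example/pub /mnt/constructed cifs guest,file_mode=0644,dir_mode=0755 0 0
/dev/sda1 /boot ext3 defaults 1 2
EOF
}

sample_fstab | audit_cifs_fstab
```

To check a real system, call `audit_cifs_fstab /etc/fstab`; options passed only on the mount command line are not visible to this check.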

Activities

toracat

2010-10-06 15:26

manager   ~0011910

There was a talk about what to use as a default permission:

https://patchwork.kernel.org/patch/25705/

"The current default file mode is 02767 and dir mode is 0777. This is
extremely "loose". Given that CIFS is a single-user protocol, these
permissions allow anyone to use the mount -- in effect, giving anyone on
the machine access to the credentials used to mount the share."

The patch for 'connect.c' provided in that thread is not in the current version of CentOS, so the behavio(u)r you described is still the default.
tru

2010-10-06 16:06

administrator   ~0011911

It seems to be fixed on Fedora 13.
tru

2010-10-06 16:15

administrator   ~0011912

https://bugzilla.redhat.com/show_bug.cgi?id=640700 RFE upstream
tru

2010-10-06 20:55

administrator   ~0011914

Upstream has decided to keep this behaviour for 5.x series.
It will be changed for the next 6.y series.

Issue History

Date Modified Username Field Change
2010-10-06 13:59 tru New Issue
2010-10-06 15:26 toracat Note Added: 0011910
2010-10-06 16:06 tru Note Added: 0011911
2010-10-06 16:15 tru Note Added: 0011912
2010-10-06 20:55 tru Note Added: 0011914
2010-10-06 20:55 tru Status new => closed
2010-10-06 20:55 tru Resolution open => won't fix