[FreeNX-kNX] windows/osx shares fail to mount

chris at ccburton.com chris at ccburton.com
Wed Jul 28 08:03:43 UTC 2010


Stefan Bauer <stefan.bauer at cubewerk.de> wrote on 27/07/2010 15:08:47:
> Am 27.07.2010 15:53, chris at ccburton.com schrieb:
> > There's some advantage in using sudo, but only if you have a smaller
> > subset of users who need to map shares.
> > 
> > sudo still runs the broken mount.cifs as root which still doesn't
> >         check the user's rights to a mount point properly or
> >         ask for the password before checking or
> >         check just before mounting the share as root
> > so all the user-accounts in your visudo group who can run mount.cifs
> > as root can map their shares over any directory.
> 
> This can be configured. 

But you aren't going to show us how ???

Well . . .

actually

. . . no it can't can it ??

You could try to do something like this (from Johannes's patch) 
in /etc/sudoers . . .

%samba ALL = (ALL) /sbin/mount.cifs //*/* * -o username=*%*\,ip=127.0.0.1\,port=*

but that allows the user to run mount.cifs with /sbin as
the mount point . . 

. . .so more likely you would try to pin it down . . .

user1 ALL = NOPASSWD: /sbin/mount.cifs //*/* /home/user1/mountpoint -o username=*%*\,ip=127.0.0.1\,port=*, /sbin/umount.cifs /home/user1/mountpoint
user2 ALL = NOPASSWD: /sbin/mount.cifs //*/* /home/user2/mountpoint -o username=*%*\,ip=127.0.0.1\,port=*, /sbin/umount.cifs /home/user2/mountpoint
etc.( sorry about the line wrap)

YUK !

I don't give users sudo access very much, and I don't want
to.

The fixed
 
        /home/user1/mountpoint 

is an attempt to stop for example

        /home/* ( works for any user )

being replaced by the user with 

        /home/../sbin



And what is the result of adding the parameters ??

Well, it stops the prompting for a password,

but then, if you 

        ln -s /sbin /home/user1/mountpoint

the sudo mount.cifs, now running as root will happily mount the share
over /sbin  because it doesn't know anything about the ouid.

Try it !! ( well, not on /sbin / etc )

Using sudo means that you don't need any effort to mess
things up !!


> If you grant a group of users the right to
> run mount.cifs as root by sudo, it's your fault if they mount
> private dirs over other directories afterwards.

Hmmm. You prefer suid now, then ?? Or what ??

> 
> If you bypass the permissions to run mount.cifs by sudo on purpose -
> there is no need to let mount.cifs check again the permissions.

Not sure what you mean here !!

> 
>> I suppose a fix will be along sometime, in the meantime don't expect
>> to be too much safer.

> A fix for what? This is not a bug.

The bug in mount.cifs

         https://bugzilla.samba.org/show_bug.cgi?id=6853

mount.cifs was intended to run suid, in fact suid could have been
invented for it.

When mount.cifs finds it is suid, it checks the mount point for
the user's access level, and only mounts the share ( as root )
if the user has write permission to the mount point, ie not on
/sbin etc

Run under sudo, mount.cifs just mounts whatever you want
wherever you say !!


The problem is that it doesn't check the user rights last,
it checks them first then asks for a password, and helpfully
waits while you remove the original mount point and link
somewhere else.

A better bodge would be to remove the password prompting
from mount.cifs and make a binary which is somewhat safer,
just for use here !!

I'll have a look if I can find time.

CB

> 
> Stefan
> 
> -- 
> Stefan Bauer -----------------------------------------
> PGP: E80A 50D5 2D46 341C A887 F05D 5C81 5858 DCEF 8C34
> -------- plzk.de - Linux - because it works ----------