[FreeNX-kNX] windows/osx shares fail to mount

chris at ccburton.com chris at ccburton.com
Wed Jul 28 08:22:21 UTC 2010


Toni Asensi Esteve <asmond at orange.es> wrote on 28/07/2010 08:53:12:

> > Of course the real issue is *NIX's rudimentary authorization levels, root
> > or not root.

Yup, I agree with myself.

After 19 years of Linux we are still trying to let users mount their own share
in their own home drives without letting them compromise the system,
even though terminal servers and virtualized desktops are the way ahead.


> 
> > sudo still runs the broken mount.cifs as root

Yup. Arguing ??

> 
> For the sake of clarity, I just wanted to comment that "sudo" runs commands as
> your user, not as root. With sudo your user gets more privileges temporarily,
> and in every "log" file, "ps" command, etc. it's your user which appears there
> doing this action, not a non-concrete "root".

Right, in the logs, but the job runs as if root was running it.

You can check for real-uid and effective-euid, but you have to do that
yourself in your program code.

[SNIP]

> 
> P.S. If it may be useful for anyone: in my /etc/sudoers, I have this line:
>      MY_PARTICULAR_USER ALL=(root) NOPASSWD : /bin/mount, /bin/umount, /sbin/mount.cifs, /sbin/umount.cifs
> and so for example I execute
>    sudo mount [...]
> to mount something, I don't mind if it's samba or not. There's an example
> searching " /sbin/mount.cifs" in
> https://help.ubuntu.com/community/SettingUpSamba

mount.cifs checks euid to see if euid has write access to the mount point.

If it does, then it asks for the password, helpfully (to crooks) waiting
whilst you replace the mount point with a link to wherever you want. 

It then doesn't check again, but mounts your share over wherever the
target is now, as root.


You have it in your sudoers, so your particular user, or if it's the NX user's
group all of them can mount whatever they want more or less wherever
they want without an ruid being looked at.

Even if you put forced parameters in sudoers, ordinary users can get
round a fixed mount point.

Try it. I just posted an example.

The sudo bodge for the broken mount.cifs is not much better than suid,
unless you have a smaller subset of users needing to mount their shares.

Even then it makes it easier to make a typo mistake with the mount point
and mount over something unfortunate.

A better bodge would be a version of mount.cifs just for NX which
doesn't prompt for password and so is safer for suid.

This would reduce the time window for interrupting it to milliseconds.

Still not good, but it would defeat the script kiddies.

> 
> Greetings:
> Toni 
> ________________________________________________________________
>      Were you helped on this list with your FreeNX problem?
>     Then please write up the solution in the FreeNX Wiki/FAQ:
> 
> http://openfacts2.berlios.de/wikien/index.php/BerliosProject:FreeNX_-_FAQ
> 
>          Don't forget to check the NX Knowledge Base:
>                  http://www.nomachine.com/kb/ 
> 
> ________________________________________________________________
>        FreeNX-kNX mailing list --- FreeNX-kNX at kde.org
>       https://mail.kde.org/mailman/listinfo/freenx-knx
> ________________________________________________________________
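
Added example, not part of the original message and not mount.cifs code: one way a root-privileged mount helper can close the check-then-prompt window described above, by opening the mount point once, checking ownership against the invoking user on the descriptor, and mounting onto /proc/self/fd/N after the prompt. The function names and the ownership-only policy are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open the mount point once and check the descriptor, not the path.
 * invoking_uid: getuid() in a setuid-root helper; under sudo both uids are
 * root, so the caller must take it from SUDO_UID (assumed handled there).
 * Returns an fd pinned to the checked directory, or -1. */
int open_checked_mountpoint(const char *path, uid_t invoking_uid)
{
    struct stat st;
    /* O_NOFOLLOW refuses a symlink as the final path component only. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    /* fstat() describes the inode we hold, whatever the path names now.
     * Ownership is a stricter stand-in for "has write access". */
    if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) ||
        st.st_uid != invoking_uid) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Target string for mount(2), to be used after the password prompt:
 * /proc/self/fd/N still resolves to the checked directory even if the
 * original path was renamed or replaced by a link in the meantime. */
int pinned_target(int fd, char *buf, size_t len)
{
    int n = snprintf(buf, len, "/proc/self/fd/%d", fd);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}

int main(int argc, char **argv)
{
    char target[64];
    int fd = argc == 2 ? open_checked_mountpoint(argv[1], getuid()) : -1;
    if (fd < 0 || pinned_target(fd, target, sizeof target) != 0) {
        fprintf(stderr, "refusing mount point\n");
        return EXIT_FAILURE;
    }
    printf("checked; mount onto %s\n", target);
    return EXIT_SUCCESS;
}
```
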