[FreeNX-kNX] windows/osx shares fail to mount

Stefan Bauer stefan.bauer at cubewerk.de
Wed Jul 28 08:24:34 UTC 2010


On 28.07.2010 10:03, chris at ccburton.com wrote:
> Stefan Bauer <stefan.bauer at cubewerk.de> wrote on 27/07/2010 15:08:47:
>>> sudo still runs the broken mount.cifs as root which still doesn't
>>>         check the users rights to a mount point properly or
>>>         ask for the password before checking or
>>>         check just before mounting the share as root
>>> so all the user-accounts in your visudo group who can run mount.cifs
>>> as root can map their shares over any directory.
>> This can be configured. 
> 
> But you aren't going to show us how ???

I was just saying if you allow users in general to run mount.cifs
through sudo, then this can be abused. So the security is up to you
whether you allow users to use the broken mount.cifs with sudo or not.

> . . . no it can't can it ??

I'm not aware of a secure way to let users use mount.cifs with sudo
and check their permissions on the mountpoint. Hopefully upstream is
fixing mount.cifs soon.


>> If you grant a group of users the right to
>> run mount.cifs as root by sudo, it's your fault if they mount
>> private dirs over other directories afterwards.
> 
> Hmmm. You prefer suid now, then ?? Or what ??
> 
>> If you bypass the permissions to run mount.cifs by sudo on purpose -
>> there is no need to let mount.cifs check again the permissions.
> 
> Not sure what you mean here !!
> 
>>> I suppose a fix will be along sometime, in the meantime don't expect
>>> to be too much safer.
> 
>> A fix for what? This is not a bug.
> 
> The bug in mount.cifs
> 
>          https://bugzilla.samba.org/show_bug.cgi?id=6853

Thank you for your summary. I understand the current problem with
suid on mount.cifs but unfortunately sudo seems not to be the
solution for it.

Stefan

-- 
Stefan Bauer -----------------------------------------
PGP: E80A 50D5 2D46 341C A887 F05D 5C81 5858 DCEF 8C34
-------- plzk.de - Linux - because it works ----------
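
Added example, not part of the thread and not code from FreeNX or Samba: the mount-point check the quoted text says mount.cifs skips when run as root through sudo, written as a hypothetical wrapper that sudoers would allow instead of mount.cifs itself. The names mountpoint_ok and cifs_mount_checked are assumptions, GNU stat is assumed, and the check narrows but does not remove the window between checking and mounting.

```shell
#!/bin/sh
# Added example: pre-mount check for a hypothetical sudo wrapper.
# mountpoint_ok UID DIR returns 0 only if DIR is acceptable for UID to mount over.
mountpoint_ok() {
    uid=$1
    dir=$2

    # Refuse symlinks: the link target could be any directory on the system.
    if [ -L "$dir" ]; then return 1; fi
    # Must be an existing directory.
    if [ ! -d "$dir" ]; then return 1; fi
    # Must be owned by the invoking user (GNU stat syntax, an assumption).
    owner=$(stat -c %u -- "$dir") || return 1
    if [ "$owner" != "$uid" ]; then return 1; fi
    # Must be empty, so the mount cannot hide files that are already there.
    if [ -n "$(ls -A -- "$dir")" ]; then return 1; fi
    return 0
}

# Hypothetical wrapper entry point. sudo sets SUDO_UID to the uid of the
# user who invoked it; without it the caller's identity is unknown.
cifs_mount_checked() {
    share=$1
    dir=$2
    if [ -z "${SUDO_UID:-}" ]; then
        echo "must be run through sudo" >&2
        return 1
    fi
    if ! mountpoint_ok "$SUDO_UID" "$dir"; then
        echo "refusing to mount over $dir" >&2
        return 1
    fi
    # The directory can still be swapped between the check above and this
    # call; only a check inside the mount helper itself closes that gap.
    mount.cifs "$share" "$dir" -o "uid=$SUDO_UID,nosuid,nodev"
}
```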
