>> What my patch does is to run the map script under the UID of the user requesting the mount, rather than root.
>> That is actually an improvement of the security situation, AFAICS.

Possibly not.

>> Please check the "multiuser" option of mount.cifs ("With this option, the client ... creates a new session with
>> the server using the user's credentials whenever a new user accesses the mount").

It also says:

    Furthermore, when unix extensions aren't in use and the administrator has not overridden ownership using the uid= or gid= options, ownership of files is presented as the current user accessing the share.

Which I take to mean that if you are specifying $UID in the mount options then you've just foiled this bit, the bit that you actually want. Unless cruid is different? (Never used it - or Kerberos - so don't know).

>> With that option, I see no major difference between CIFS and NFS automounts, security-wise.
>> IMO combining autofs and "multiuser" is exactly the desired behavior in an AD environment.
>> It lets the server decide access rights based on the credentials provided.

You could well be right. I was just raising it as something that may lead to security issues in general.

>> It's a (sad) fact in life that many of us have to work in Windows-dominated IT environments.

True. Although putting everything on network file servers which can farm out the same files using both cifs and nfs can simplify the clients.