Re: [PATCH 00/25] Current autofs patch queue

On 09/02/2013 03:41 PM, Gordon Lack wrote:
>>> What my patch does is to run the map script under the UID of the user requesting the mount, rather than root.
>>> That is actually an improvement of the security situation, AFAICS.
> 
> Possibly not.

Can you explain?

>>> Please check the "multiuser" option of mount.cifs ("With this option, the client ... creates a new session with
>>> the server using the user's credentials whenever a new user accesses the mount").
> 
> It also says:
> 
>            Furthermore, when unix extensions aren't in use and the
>            administrator has not overridden ownership using the uid= or gid=
>            options, ownership of files is presented as the current user
>            accessing the share.
> 
> Which I take to mean that if you are specifying $UID in the mount options then you've just foiled this bit, the bit that you actually want.

Permission checks are done on the server.

On the client, without unix extensions, the user/group IDs of files may
be displayed wrongly. That may confuse users because they may not be
able to open files listed as owned by themselves, but it's not a
security problem.

Martin

-- 
Dr. Martin Wilck
PRIMERGY System Software Engineer
x86 Server Engineering

FUJITSU
Fujitsu Technology Solutions GmbH
Heinz-Nixdorf-Ring 1
33106 Paderborn, Germany
Phone:			++49 5251 525 2796
Fax:			++49 5251 525 2820
Email:			martin.wilck@xxxxxxxxxxxxxx
Internet:		http://ts.fujitsu.com
Company Details:	http://ts.fujitsu.com/imprint