The idea with this tool is to put the credentials in the kernel so that the kernel can use them. Restrict write permissions to the possessor only, but allow the user to view them. That seems to be the minimum permissions that allow the use cases we expect. Signed-off-by: Jeff Layton <jlayton@xxxxxxxxx> --- cifscreds.c | 5 +---- 1 files changed, 1 insertions(+), 4 deletions(-) diff --git a/cifscreds.c b/cifscreds.c index 6079b38..8f548e9 100644 --- a/cifscreds.c +++ b/cifscreds.c @@ -300,10 +300,7 @@ static int cifscreds_add(struct cmdarg *arg) fprintf(stderr, "error: Add credential key for %s\n", currentaddress); } else { - if (keyctl(KEYCTL_SETPERM, key, KEY_POS_VIEW | \ - KEY_POS_WRITE | KEY_USR_VIEW | \ - KEY_USR_WRITE) < 0 - ) { + if (keyctl(KEYCTL_SETPERM, key, KEY_POS_WRITE | KEY_USR_VIEW) < 0) { fprintf(stderr, "error: Setting permissons " "on key, attempt to delete...\n"); -- 1.7.1
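Review bot: The new mask in the KEYCTL_SETPERM call in cifscreds_add() carries no comment, so the rationale given in the changelog is lost once the patch is applied. Please add a short comment above the call stating why only KEY_POS_WRITE and KEY_USR_VIEW are granted. It should say that view permission exposes a key's attributes rather than its payload, and that no read bit is set on purpose, if that is the intent behind "put the credentials in the kernel so that the kernel can use them". The mask also drops KEY_POS_VIEW while keeping KEY_USR_VIEW, so the comment should say whether the possessor is expected to get view access through the user bits. Separately, the context line still reads "Setting permissons"; since this hunk already touches the statement, the spelling could be corrected in the same patch.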