On Thu, 06 Nov 2014 04:07:01 +0100 Michael_OF <michaelof@xxxxxxxxxxxxxx> wrote: > Hi all, > > > I want to enable a user mount of a remote samba share. OpenSuse 13.1. > First step was to enable setuid bit for /etc/mount.cifs. > To keep mount as easy as possible, I've added an /etc/fstab entry like this: > //host/share /mount_dir user=user,users 0 0 > > Works fine in bash, prompts for remote user's password. > Does not work in KDE's dolphin, no action when clicking on location bar's entry "share on host" > > I then recognized the "credentials" option and changed the /etc/fstab entry like this: > //host/share /mount_dir cifs credentials=/root/cred-file,users 0 0 > > (sudo chmod 600 /root/cred-file, to protect password) > > Having done this, e.g. > mount /mount_dir > as "root" or with sudo works fine. > > But NOT as an end user: "error 13 (Permission denied) opening credential file /root/cred-file" > Both in bash or Dolphin. > > chmod to allow read credential file for any user "solves" the problem, so it's really a local access right issue. > > Which in fact seems to make user cifs mount impossible, at least this way. > And which confuses me: Why, if the mount.cifs program has the sticky bit set, it's not allowed to open a root-owned file? > > Is this a bug, should I file it in bugzilla? > > > Thanks in advance, > Michael > No, it's expected behavior... mount.cifs uses privilege separation. The parent is privileged and handles the actual mount. The child is forked from the parent, drops privileges/changes to the real uid, etc. That process is what parses and handles mount options, which includes parsing the credentials file. In your case, the cred file isn't readable by the unprivileged user. The upshot here is that if you want to mount using a credentials file as an unprivileged user, then your unprivileged user must also have read access to read that file. Doing anything else would be tantamount to giving unprivileged users the ability to access files they wouldn't otherwise be able to access. Cheers, -- Jeff Layton <jlayton@xxxxxxxxx> -- To unsubscribe from this list: send the line "unsubscribe linux-cifs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
