GLLUG meeting topics
Ben Pfaff
pfaffben@msu.edu
04 Apr 2001 13:04:29 -0400
bl0wfish <apoc@lunarsurf.com> writes:
> > Fairly obvious, but that only works if you are root. Extra options, like
> > uid=, gid=, and umask= are in the man page for smbmount. If you would like
> > normal users to be able to mount certain shares, you have to edit /etc/fstab,
> > and the *user doing the mount must own the mountpoint*. If you have the
> > following in /etc/fstab,
> >
> > //BORG/STUFF /mnt/smb/stuff smbfs noauto,user,username=bob,workgroup=workgroup
> >
> > ...then when user bob tries to mount the filesystem, he'll get a misleading
> > error message unless /mnt/smb/stuff is owned by bob. If multiple users on a
> > Linux system must access a SMB share, then it is probably best for the share
> > to be mounted by root and access to be controlled by the umask= parameter and
> > group membership.
>
> That doesn't really make sense. Does the mountpoint
> have to actually be "owned" by the user mounting the
> share, or does the user just have to have permissions
> to the mountpoint? Also, what version of samba and
> smbmount are you running, or are shipped with whatever
> version of RedHat you're using?

I'm going to take advantage of this question to point out how
easy it is to figure out this sort of thing from source code. I
started out with

    dpkg -S `which smbmount`

to find out what package smbmount is in. It turned out to be
smbfs. So then I got the source code to smbfs with

    apt-get source smbfs

which downloads, unpacks, and patches the source code for me.
(I could have done this in one command, with

    apt-get source `dpkg -S \`which smbmount\``

but it didn't occur to me at the time.)

Those of you who don't use Debian will need different (probably
*more*) commands above.

Then I found the smbmount source code within the source tree.
This was easy: it's source/utils/smbfs/smbmount.c. And then I
looked through the file to find a reference to `struct stat',
which is the structure used to determine ownership and
permissions of UNIX files.

Answer: The version of smbmount in Debian unstable (2.0.7-5)
definitely requires the mounting user, if not root, to own the
mountpoint. Here's the relevant code from smbmount.c:

    /* Check whether user is allowed to mount on the specified mount point */
    static int
    mount_ok(struct stat *st)
    {
        if (!S_ISDIR(st->st_mode))
        {
            errno = ENOTDIR;
            return -1;
        }

        if ( (getuid() != 0)
             && (   (getuid() != st->st_uid)
                 || ((st->st_mode & S_IRWXU) != S_IRWXU)))
        {
            errno = EPERM;
            return -1;
        }

        return 0;
    }

The second `if' statement is the one to look at. It says that
the mount is only allowed on a directory, and only if

    1. The user is root, OR

    2. The user owns the directory AND the directory has the
       rwx (read-write-execute) bits set for that user.

Simple... Took about 2 minutes.

> Maybe creating a small perl/bash script that runs
> smbmount as root to mount the partitions would fix
> the problem without opening up too many security holes?

Make sure it's Perl, not bash. Setuid shell scripts are not
secure.

> Back in the day though, in samba's documentation
> smbmount was described as running the simple 'mount'
> command with extra parameters to mount fat16/32
> partitions.

This version definitely doesn't run `mount'.

> Anyone that actually tries to read a manpage
> is, IMO, sick & twisted.

I guess I'm pretty sick and twisted then.

> > NFS under Linux sucks, but NFS under [insert platform here] sucks. The
> > suckage is consistent, at least, though you may wish to avoid NFSv3 for the
> > time being.
>
> You're joking right?

About what part? It looks like a pretty reasonable statement to
me.

--
Anyone who cannot cope with mathematics is not fully human. At best he
is a tolerable subhuman who has learned to wear shoes, bathe and not
make messes in the house.
-- Lazarus Long, "Time Enough for Love"
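
Added example, not part of the original message and not code from smbmount: a small checker that applies the same conditions as the quoted mount_ok() to a directory you name, and reports which one fails instead of a bare EPERM. The names mp_verdict, explain_mount_ok and verdict_text are made up for this example.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical result codes; smbmount itself only sets errno. */
enum mp_verdict { MP_OK, MP_NOT_DIR, MP_NOT_OWNER, MP_NO_RWX };

/* Same conditions as the quoted mount_ok(), with the uid passed in and the
   two EPERM causes reported separately. */
static enum mp_verdict explain_mount_ok(const struct stat *st, uid_t uid)
{
    if (!S_ISDIR(st->st_mode))
        return MP_NOT_DIR;      /* ENOTDIR, checked even for root */
    if (uid == 0)
        return MP_OK;           /* root skips the ownership test */
    if (uid != st->st_uid)
        return MP_NOT_OWNER;    /* EPERM: write access alone is not enough */
    if ((st->st_mode & S_IRWXU) != S_IRWXU)
        return MP_NO_RWX;       /* EPERM: owner lacks one of r, w, x */
    return MP_OK;
}

static const char *verdict_text(enum mp_verdict v)
{
    switch (v) {
    case MP_NOT_DIR:   return "not a directory (ENOTDIR)";
    case MP_NOT_OWNER: return "caller does not own the mountpoint (EPERM)";
    case MP_NO_RWX:    return "owner bits are not rwx (EPERM)";
    default:           return "mount allowed";
    }
}

int main(int argc, char **argv)
{
    struct stat st;

    if (argc != 2 || stat(argv[1], &st) != 0) {
        fprintf(stderr, "usage: %s MOUNTPOINT (must exist)\n", argv[0]);
        return 2;
    }
    /* Real uid, as in the quoted code, not the effective uid. */
    enum mp_verdict v = explain_mount_ok(&st, getuid());
    printf("%s: %s\n", argv[1], verdict_text(v));
    return v == MP_OK ? 0 : 1;
}
```

A mode 0777 directory owned by someone else still comes back as "caller does not own the mountpoint", which is the case the question was asking about.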