Bug 232608 - net-fs/mount-cifs should have USE flags for setuid and for defining CIFS_ALLOW_USR_SUID
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Unspecified
Hardware: All Linux
Importance: High normal
Assignee: Gentoo's SAMBA Team
Reported: 2008-07-21 23:15 UTC by Tanktalus
Modified: 2012-09-16 12:28 UTC
Attachments
Ugly fix to allow non-root mounting of CIFS shares when mount.cifs is SETUID root. (mount.cifs_enable_suid-set_user_mount.patch,280 bytes, patch)
2009-01-01 15:44 UTC, Johannes Truschnigg

Description Tanktalus 2008-07-21 23:15:43 UTC
The 3.0.28 ebuild does not set the setuid-bit for /usr/bin/{mount,umount}.cifs, nor is there an option to do so (so that I don't need to remember this again).

There should also be a USE flag for adding '-DCIFS_ALLOW_USR_SUID' to the build (as long as we're setting options).  Mind you, it could be argued that this would then warrant an ewarn block for how insecure this might be.

Finally, the symlinks that are created here should be relative to ${ROOT} or just to "../usr/bin/mount.cifs" instead of "/usr/bin/mount.cifs", like the other mount.* in /sbin.

I realise that the first option has been discussed before (bug 186383 and bug 210235).  However, I'm not sure why 210235 is closed - the requested feature is not upstream because upstream doesn't have an install function where setuid could be set.  Instead, it has to be the src_install function in the mount-cifs ebuild where we add the setuid bit to the files, and that is simply not happening now.  Something like:

use suid && fperms u+s /usr/bin/{mount,umount}.cifs

(untested) is about what we're looking for, at least for the first item.

Reproducible: Always

Actual Results:  
$ mount /mnt/mysambamountpoint
mount error 1 = Operation not permitted
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)

Expected Results:  
$ mount /mnt/mysambamountpoint

[success]
Comment 1 Johannes Truschnigg 2009-01-01 15:44:36 UTC
Created attachment 177010
Ugly fix to allow non-root mounting of CIFS shares when mount.cifs is SETUID root.

As of net-fs/mount-cifs-3.0.30, manually setting SUID on the resulting binary in /usr/bin does not make mounting with a UID!=0 work; check http://forums.gentoo.org/viewtopic-p-5355191.html#5355191 for details.

I tried to track down the problem, and it seems that mount.cifs improperly checks for permissions when called from a non-root account. Sadly, I do not have the time to investigate this to an extent that would enable me to provide a definite fix, but I managed to get it to work for me.
The attached patch details the approach I took - it's ugly, but it enables the functionality I need. I don't know if there's an impact on security, but I'd not be very surprised if there was, so please beware.
Comment 2 Klaas Decanniere 2009-03-11 18:34:46 UTC
> I tried to track down the problem, and it seems that mount.cifs improperly
> checks for permissions when called from a non-root account. Sadly, I do not
> have the time to investigate this to an extent that would enable me to provide
> a definite fix, but I managed to get it to work for me.
> The attached patch details the approach I took - it's ugly, but it enables the
> functionality I need. I don't know if there's an impact on security, but I'd
> not be very surprised if there was, so please beware.

I haven't yet tried the patch, but I can mount a cifs filesystem as a normal user using the "suid,users" option.

However, I can't actually access the files below the mount point.

Permission is denied whatever I do.

Is reverting to a previous or later version a viable option?

the situation:

- the normal user owns the mount point, and the correct user name and group ID etc are specified in fstab
- mount, umount and mount.cifs are setuid root
- fstab entry is something like:
//host/share  /home/me/share \
cifs \
noauto,ro,username=remoteuser,uid=me,gid=mygroup,domain=WORKGROUP,suid,users 0 0

before and after the mount, ls -l shows that I own the mount point

After mounting, permissions are drwxr-xr-x, which seems ok but does not allow me access.
I also can't change that because the file system is ro. Mounting as rw still does not allow me to change it - I only get permission denied.
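
An added example (not part of the comment above and not code from mount-cifs): a shell audit for user-mountable cifs entries in fstab, like the one quoted in this comment. It applies the option-order rule documented in mount(8), where user/users imply nosuid,nodev,noexec unless a later option overrides them. The function names and the sample fstab are constructed, and it models only that ordering rule, not mount.cifs internals.

```shell
#!/bin/sh
# Added example. Rule modelled (mount(8)): suid, dev and exec are on by default;
# "user"/"users" imply nosuid,nodev,noexec unless a later option overrides them.

# effective_flags OPTS: print the flags left after reading OPTS left to right.
effective_flags() {
    suid=yes dev=yes exec=yes usermount=no
    old_ifs=$IFS; IFS=,
    for opt in $1; do
        case $opt in
            user|users) usermount=yes suid=no dev=no exec=no ;;
            nouser)     usermount=no ;;
            suid) suid=yes ;;  nosuid) suid=no ;;
            dev)  dev=yes ;;   nodev)  dev=no ;;
            exec) exec=yes ;;  noexec) exec=no ;;
        esac
    done
    IFS=$old_ifs
    echo "usermount=$usermount suid=$suid dev=$dev exec=$exec"
}

# audit_fstab: read fstab text on stdin; report each cifs entry a non-root
# user may mount, marking RISK where setuid bits on the share stay honoured.
audit_fstab() {
    while read -r spec mnt fstype opts rest; do
        case $spec in ''|'#'*) continue ;; esac
        [ "$fstype" = cifs ] || continue
        flags=$(effective_flags "$opts")
        case $flags in
            usermount=no*) ;;
            *suid=yes*)    echo "RISK $mnt $flags" ;;
            *)             echo "ok $mnt $flags" ;;
        esac
    done
}

# Constructed sample fstab; hosts, paths and user names are made up.
sample_fstab() {
    cat <<'EOF'
# <fs>        <mountpoint>    <type> <opts> <dump> <pass>
//host/share  /home/me/share  cifs   noauto,ro,username=remoteuser,uid=me,suid,users  0 0
//host/tools  /home/me/tools  cifs   noauto,username=remoteuser,users,suid,exec       0 0
//host/admin  /mnt/admin      cifs   noauto,username=remoteuser                       0 0
/dev/sda1     /boot           ext2   noauto,users,suid                                0 0
EOF
}

sample_fstab | audit_fstab
```

To check a real system, feed it the live file: audit_fstab < /etc/fstab.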




Comment 3 Klaas Decanniere 2009-03-11 18:39:14 UTC
> I haven't yet tried the patch, but I can mount a cifs filesystem as a normal
> user using the "suid,users" option.


That is net-fs/mount-cifs-3.0.30 on amd64, kernel 2.6.27-gentoo-r7, SMP, to be complete.
Comment 4 Nick Bowler 2009-04-27 17:56:59 UTC
A use flag to install mount.cifs / umount.cifs setuid would be very useful.  I currently have to manually chmod them every time the package is upgraded, and I'm usually reminded to do this by the complaints of my users: "damnit, you broke mount.cifs again!"
Comment 5 MageSlayer 2010-12-30 16:47:26 UTC
For those interested.
I added a patch for the latest samba to make suid work again.
It also enables any mounts the user wishes to have instead of just those listed in /etc/fstab.
It is here - http://bugs.gentoo.org/show_bug.cgi?id=315445
Comment 6 Pacho Ramos gentoo-dev 2012-09-16 12:28:39 UTC
dropped