summaryrefslogtreecommitdiff
path: root/libgpo
diff options
context:
space:
mode:
authorJeff Layton <jlayton@redhat.com>2009-06-06 19:46:24 -0400
committerJeff Layton <jlayton@redhat.com>2009-06-06 19:46:24 -0400
commitcc7b62269e4a90859dd93b8d6896390857ba17d7 (patch)
tree864cd274da9f003c88d2537960763ed05dba690f /libgpo
parent93e797064753e815a3fe5e32fdea167b395b58d3 (diff)
downloadsamba-cc7b62269e4a90859dd93b8d6896390857ba17d7.tar.gz
samba-cc7b62269e4a90859dd93b8d6896390857ba17d7.tar.bz2
samba-cc7b62269e4a90859dd93b8d6896390857ba17d7.zip
mount.cifs: properly check for mount being in fstab when running setuid root (try#3)
This is the third attempt to clean up the checks when a setuid mount.cifs is run by an unprivileged user. The main difference in this patch from the last one is that it fixes a bug where the mount might have failed if unnecessarily if CIFS_LEGACY_SETUID_CHECK was set. When mount.cifs is installed setuid root and run as an unprivileged user, it does some checks to limit how the mount is used. It checks that the mountpoint is owned by the user doing the mount. These checks however do not match those that /bin/mount does when it is called by an unprivileged user. When /bin/mount is called by an unprivileged user to do a mount, it checks that the mount in question is in /etc/fstab, that it has the "user" option set, etc. This means that it's currently not possible to set up user mounts the standard way (by the admin, in /etc/fstab) and simultaneously protect from an unprivileged user calling mount.cifs directly to mount a share on any directory that that user owns. Fix this by making the checks in mount.cifs match those of /bin/mount itself. This is a necessary step to make mount.cifs safe to be installed as a setuid binary, but not sufficient. For that, we'd need to give mount.cifs a proper security audit. Since some users may be depending on the legacy behavior, this patch also adds the ability to build mount.cifs with the older behavior. Signed-off-by: Jeff Layton <jlayton@redhat.com>
Diffstat (limited to 'libgpo')
0 files changed, 0 insertions, 0 deletions