Nico Kadel-Garcia wrote:
On Thu, Apr 8, 2010 at 12:45 AM, Chris Smith <smb...@chrissmith.org> wrote:
On Wed, Apr 7, 2010 at 9:39 PM, Jeff Layton <jlay...@samba.org> wrote:
Yes, we added a patch a while back to make it such that mount.cifs
would not allow itself to run as a setuid root program unless it that
check was compiled out.
This was done due to a rather constant stream of "security issues" that
were brought about when people installed mount.cifs setuid root. Since
it had never been vetted for security, we really had no other choice to
communicate that installing it setuid root was unsafe.
Not the place for it so the inquiry is only rhetorical.
How can you equate adding a patch preventing a sysadmin from using an
app as designed to communicating? Communication is one thing,
handcuffs are another.
It doesn't stop a sysadmin. Sysadmins have root privileges and do not
need setuid for this. Sysadmins can also manipulate automount or
/etc/fstab to allow far more controlled mounting.
This isn't "handcuffs". It's a seatbelt.
I'm not sure I can agree with you on that. When I setuid to allow a user
to mount their own shares, they can do it. If I set up fstab to mount
shares as root using specific uid and gid values, then the users don't
see their correct permissions. That's a straightjacket, not a seatbelt.
Now perhaps I'm missing something, but I have no trouble with users
mounting nfs shares. The idea that users can't mount cifs shares strikes
me as odd and an unnecessary impediment.
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
