bind mount and yast partitioner
Hello, I am running a number of OpenSuSE systems on my SOHO network at home and I keep hitting a small but annoying problem that I wonder if there is a better workaround/solution to. This occurs on all versions of OpenSuSE - 15.0, 15.1, and 15.2. I am not running 15.3 yet. All systems are x64 architecture. I want to access the complete file systems of each computer via samba and autofs, which means I want to be able to access the "root" directory / on each system. Some years ago Samba stopped me from designating / as a samba shared directory and exporting it. (I don't understand why except from Googling it appears someone decided that to allow /, to be exported as a Samba share, was a security problem. I get so annoyed at all the layers of security and obfuscation so have not tried to track down what is exactly going on with Samba and the "root" / directory. Please don't try to dissuade me and tell me about the security risks of making the "root" / directory available for mounting, this is a SOHO network and I solely control all the computers on it.) I know Samba will allow me to define a share for the "root" / directory but it doesn't seem to work, at least autofs will not recognize/mount it and still reports the directory does not exist if I try to cd into it. So to work around this I do a bind mount of / as /slash and samba then allows me to export /slash as a samba share. In my various configuration files I use the name "slash" as the name of the exported Samba share and I create a directory /slash so that my configuration files will work regardless of whether /slash is a bind mount or not. At least that is what I think I am doing. 
The config line in fstab looks like this -
/ /slash none bind
smb.conf has the following definitions for the root directory -
[slash]
available = Yes
browseable = Yes
comment = Root directory
inherit acls = Yes
path = /
read only = No
create mask = 0755
force user = root
autofs configuration for mounting the root directory / typically looks like the following, only names of the remote host changes.
slash -fstype=cifs,rw,dir_mode=0777,file_mode=0777,credentials=/etc/smb1.auth ://bigbang/slash
This works fine for autofs and most tools that work on the host or across network file systems. All except, that is, the YaST2 partitioner. For some unknown reason it picks up the bind mount /slash and automagically reassigns all my mount points to be under /slash. So for example if I tell it to mount my home partition at /home the partitioner will reassign my mount point to be at /slash/home. More importantly, the partitioner reassigns / to be mounted as /slash. Then if I want to make any further change to partitions and save those changes, the partitioner will complain that the mount point for / is undefined and it wants to force me to define a / mount. The only workaround I have found is to remove the bind mount from fstab and then reboot. After reboot I can then use the YaST partitioner to make the changes I want, since because without the bind mount the partitioner now sees all the mount points of different partitions as subdirectories under / and not under /slash/.
But without the bind mount defined in fstab, tools like autofs will no longer mount the "root" / directory though I do not grok why. So again I have to add back in the bind mount to fstab so that Samba shares will again work, and again I have to reboot. I have tried restarting all the appropriate services individually, such as nmb, smb, autofs, and network but no joy getting the remote host's "root" / dir to remount, so I resort to rebooting the systems (a PITA) and that does the trick...
Perhaps I am missing some magic trick or there is a better way to accomplish what I want to do, which ideally is to configure Samba to really share the "root" / directory. Sorry this is complicated and will be difficult to grok, it is for me! Any help would be much appreciated, I would love to once and for all resolve this irritant because I have to rediscover these issues and their resolutions each time something like autofs breaks or I want to use the partitioner. Thanks, Marc
Marc Chamberlin composed on 2021-05-24 00:22 (UTC-0700):
Perhaps I am missing some magic trick
I think it's called NFS. NFS is Linux native, permissions, ACLs and everything. I don't ever use Samba between a Linux host and any other Linux host, but I never try to export a / either. -- Evolution as taught in public schools is, like religion, based on faith, not based on science. Team OS/2 ** Reg. Linux User #211409 ** a11y rocks! Felix Miata
On 24/05/2021 09.45, Felix Miata wrote:
Marc Chamberlin composed on 2021-05-24 00:22 (UTC-0700):
Perhaps I am missing some magic trick
I think it's called NFS. NFS is Linux native, permissions, ACLs and everything. I don't ever use Samba between a Linux host and any other Linux host, but I never try to export a / either.
I have exported "/" in NFS just fine. Not everyday, the line is commented out, and I enabled it when needed, for making a backup or to replicate one machine. -- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 2021-05-24 3:45 a.m., Felix Miata wrote:
... but I never try to export a / either.
At the very least it's a security risk. Not just potential hackers (and not just external hackers) but errors and mistakes. Make your export
(a) more fine grained
(b) access controlled (extra ACK on top of the normal rwx)
(c) function oriented.
Think of the remote machines as 'file servers'. Access to data, such as $HOME that might have things not on all machines[1] or remote management[2]
[1] I kept photo archives on a PC that exported them NFS so I could access them from my laptop
[2] My web site on an internet connected host I managed from my laptop (The web s/w had no remote edit; this was all html-by-vim)
-- “Reality is so complex, we must move away from dogma, whether it’s conspiracy theories or free-market,” -- James Glattfelder. http://jth.ch/jbg
Marc Chamberlin wrote:
I want to access the complete file systems of each computer via samba and autofs, which means I want to be able to access the "root" directory / on each system. Some years ago Samba stopped me from designating / as a samba shared directory and exporting it. (I don't understand why except from Googling it appears someone decided that to allow /, to be exported as a Samba share, was a security problem. I get so annoyed at all the layers of security and obfuscation so have not tried to track down what is exactly going on with Samba and the "root" / directory. Please don't try to dissuade me and tell me about the security risks of making the "root" / directory available for mounting, this is a SOHO network and I solely control all the computers on it.)
Fair enough - although I have to ask, why not use NFS?
I know Samba will allow me to define a share for the "root" / directory but it doesn't seem to work, at least autofs will not recognize/mount it and still reports the directory does not exist if I try to cd into it. So to work around this I do a bind mount of / as /slash and samba then allows me to export /slash as a samba share.
Does Samba actually complain when you define '/' as a share? it seems to me it ought to if it is not supported or enabled.
smb.conf has the following definitions for the root directory -
[slash]
available = Yes
browseable = Yes
comment = Root directory
inherit acls = Yes
path = /
not "path = /slash" ?
This works fine for autofs and most tools that work on the host or across network file systems. All except, that is, the YaST2 partitioner. For some unknown reason it picks up the bind mount /slash and automagically reassigns all my mount points to be under /slash.
First thought - not unexpected, coz' /slash is /. Second thought - YaST probably could distinguish between the two.
So for example if I tell it to mount my home partition at /home the partitioner will reassign my mount point to be at /slash/home.
In 'expert' mode, I presume?
But without the bind mount defined in fstab, tools like autofs will no longer mount the "root" / directory though I do not grok why.
On the 'source' system, maybe set up an automount of / to /slash? I.e. only do the bind mount when /slash is needed? Ought to be dead easy with systemd automount.
Perhaps I am missing some magic trick or there is a better way to accomplish what I want to do, which ideally is to configure Samba to really share the "root" / directory.
I am no Samba expert (not at all!), but I think samba deals with users - maybe you need to force the user to be root when you define the share? -- Per Jessen, Zürich (12.1°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
Thanks Per Jessen for responding, much appreciated... On 5/24/21 1:41 AM, Per Jessen wrote:
Fair enough - although I have to ask, why not use NFS?
My bad, I should have mentioned I have Windoz machines on my SOHO network as well, and want to share my "root" / directory with them as well...
Does Samba actually complain when you define '/' as a share? it seems to me it ought to if it is not supported or enabled.
Sort of, it gives you a warning about the security implications of sharing '/' but it appears to allow one to define the share. Trouble is I can't get it to work and actually allow '/' to be shared.
smb.conf has the following definitions for the root directory -
[slash]
available = Yes
browseable = Yes
comment = Root directory
inherit acls = Yes
path = /
not "path = /slash" ?
Uh yes, I have tried defining path as /slash as well. Up to now that only made sense when I defined the bind mount for /slash, in fstab, which I am trying to avoid. Below you pointed out another possibility, to use autofs and automount to do the bind mount when it is needed, and to automatically dismount it when no longer needed. I really like the idea, trouble is I am not figuring out how to do it, and Google is not being friendly.
This works fine for autofs and most tools that work on the host or across network file systems. All except, that is, the YaST2 partitioner. For some unknown reason it picks up the bind mount /slash and automagically reassigns all my mount points to be under /slash.
First thought - not unexpected, coz' /slash is /. Second thought - YaST probably could distinguish between the two.
Hmm not sure how to respond to your thoughts...
So for example if I tell it to mount my home partition at /home the partitioner will reassign my mount point to be at /slash/home.
In 'expert' mode, I presume?
Yes, in fact I don't know of any other way to run the YaST2 partitioner. It always (almost rhetorically) asks me if I know what I am doing and when I tell it yes it puts me in expert mode. Telling it no causes it to simply exit and go away.
But without the bind mount defined in fstab, tools like autofs will no longer mount the "root" / directory though I do not grok why.
On the 'source' system, maybe set up an automount of / to /slash? I.e. only do the bind mount when /slash is needed? Ought to be dead easy with systemd automount.
Hmmm I would love it if you say more, or better yet provide examples. I have been fooling around with trying to get autofs to automount / as /slash but so far no joy trying to figure out the magic incantations. My reading about autofs and automount is that underneath the covers it is actually doing bind mounts so it seems that all I need to do is use autofs to mount / at /slash. And since I want Samba compatible protocols for file systems, I will need to mount / as a cifs file system even though it is actually an ext4 file system. So here is what I attempted to create a direct map - In auto.master I added the following line to point to the samba config file -
/- /srv/autofs/auto.local.samba --timeout=5 --ghost
(I put all my configuration files in directories, when I can, under /srv to make it easier to port these files, and the /srv mount point from one version of OpenSuSE to the next, in case you are wondering. This is just a style I like that makes it easier to manage porting services)
In /srv/autofs/auto.local.samba I put the following line -
slash -fstype=cifs,rw,dir_mode=0777,file_mode=0777,credentials=/etc/smb1.auth :/
Autofs does not complain about anything, but it does not work either. cd'ing into /slash shows an empty directory, not the contents of / like I hoped for. Another weird side effect is that after restarting the autofs service, it seems to break the KDE Plasma desktop and especially the kicker bar at the bottom of the screen stops working. The only remedy I have so far found is to reboot. And after rebooting the KDE Plasma desktop and the kicker bar work again. Though of course the auto mount of / on /slash does not, or I would be writing a very different email! ;-)
Perhaps I am missing some magic trick or there is a better way to accomplish what I want to do, which ideally is to configure Samba to really share the "root" / directory.
I am no Samba expert (not at all!), but I think samba deals with users - maybe you need to force the user to be root when you define the share?
Rats, I see I didn't show, in my original ask, that I had defined "force user " and set it to root, but yeah I tried that with no joy. Here is my actual version of the /slash samba share as defined in smb.conf -
[slash]
available = Yes
browseable = Yes
comment = Root directory
inherit acls = Yes
path = /slash
read only = No
create mask = 0755
force user = root
HTHs and you or someone else can shine a light in these woods and help me get back on the right path! Thanks again, Marc
Marc Chamberlin wrote:
Does Samba actually complain
when you define '/' as a share? it seems to me it ought to if it is not supported or enabled.
Sort of, it gives you a warning about the security implications of sharing '/' but it appears to allow one to define the share. Trouble is I can't get it to work and actually allow '/' to be shared.
Okay. So samba permits the share, but it's not working, somehow.
Uh yes, I have tried defining path as /slash as well. Up to now that only made sense when I defined the bind mount for /slash, in fstab, which I am trying to avoid.
Aha - I thought you were fairly happy with that solution, except for YaST not quite understanding what's going on.
Below you pointed out another possibility, to use autofs and automount to do the bind mount when it is needed, and to automatically dismount it when no longer needed. I really like the idea, trouble is I am not figuring out how to do it, and Google is not being friendly.
For your fstab:
/ /slash none bind,x-systemd.automount,x-systemd.idle-timeout=xxx 0 0
(not tested). I don't know how well that automount will interact with Samba though.
But without the bind mount defined in fstab, tools like autofs will no longer mount the "root" / directory though I do not grok why.
On the 'source' system, maybe set up an automount of / to /slash? I.e. only do the bind mount when /slash is needed? Ought to be dead easy with systemd automount.
Hmmm I would love it if you say more, or better yet provide examples.
Sorry. See above - systemd automount works really well for the common, simple cases. -- Per Jessen, Zürich (12.2°C) http://www.cloudsuisse.com/ - your owncloud, hosted in Switzerland.
On 5/25/21 1:16 AM, Per Jessen wrote:
For your fstab:
/ /slash none bind,x-systemd.automount,x-systemd.idle-timeout=xxx 0 0
(not tested). I don't know how well that automount will interact with Samba though.
Carlos, Per, and all who took the time to help me out, a big THANK YOU! Your magic incantation works and does not confuse the YaST2 partitioner. Samba and Windoz machines seem to work fine as far as I have tested. I was looking under the wrong rocks for a solution thinking this was an autofs/samba issue and didn't realize or think that mount and fstab could hold the solution. I made one small change to your solution, I changed the bind option to rbind and that got a script of mine working, that is set up to use /slash and subdirectories under it on all my Linux/OpenSuSE systems. Again much appreciate your time and efforts to help me along. Marc..
-- *"The Truth is out there" - Spooky* *_ _ . . . . . . _ _ . _ _ _ _ . . . . _ . . . . _ _ . _ _ _ . . . . _ _ . _ . . _ . _ _ _ _ . _ . _ . _ . _ . * Computers: the final frontier. These are the voyages of the user Marc. His mission: to explore strange new hardware. To seek out new software and new applications. To boldly go where no Marc has gone before! (/This email is digitally signed. My public key for sending encrypted email to me can be found at - https://keys.openpgp.org/search?q=marc@marcchamberlin.com or just ask me for it and I will send it to you as an attachment. If you don't understand, no worries, just ignore it and/or ask me to explain it further./)
On 25/05/2021 06.33, Marc Chamberlin wrote:
Thanks Per Jessen for responding, much appreciated...
On 5/24/21 1:41 AM, Per Jessen wrote:
Uh yes, I have tried defining path as /slash as well. Up to now that only made sense when I defined the bind mount for /slash, in fstab, which I am trying to avoid. Below you pointed out another possibility, to use autofs and automount to do the bind mount when it is needed, and to automatically dismount it when no longer needed. I really like the idea, trouble is I am not figuring out how to do it, and Google is not being friendly.
fstab:
/ /slash none bind,x-systemd.automount,x-systemd.idle-timeout=300 0 0
-- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 24/05/2021 09.22, Marc Chamberlin wrote:
Hello, I am running a number of OpenSuSE systems on my SOHO network at home and I keep hitting a small but annoying problem that I wonder if there is a better workaround/solution to. This occurs on all versions of OpenSuSE - 15.0, 15.1, and 15.2. I am not running 15.3 yet. All systems are x64 architecture.
I want to access the complete file systems of each computer via samba and autofs, which means I want to be able to access the "root" directory / on each system. Some years ago Samba stopped me from designating / as a samba shared directory and exporting it. (I don't understand why except from Googling it appears someone decided that to allow /, to be exported as a Samba share, was a security problem. I get so annoyed at all the layers of security and obfuscation so have not tried to track down what is exactly going on with Samba and the "root" / directory. Please don't try to dissuade me and tell me about the security risks of making the "root" / directory available for mounting, this is a SOHO network and I solely control all the computers on it.) I know Samba will allow me to define a share for the "root" / directory but it doesn't seem to work, at least autofs will not recognize/mount it and still reports the directory does not exist if I try to cd into it. So to work around this I do a bind mount of / as /slash and samba then allows me to export /slash as a samba share.
In my various configuration files I use the name "slash" as the name of the exported Samba share and I create a directory /slash so that my configuration files will work regardless of whether /slash is a bind mount or not. At least that is what I think I am doing.
The config line in fstab looks like this -
/ /slash none bind
smb.conf has the following definitions for the root directory -
[slash]
available = Yes
browseable = Yes
comment = Root directory
inherit acls = Yes
path = /
read only = No
create mask = 0755
force user = root
autofs configuration for mounting the root directory / typically looks like the following, only names of the remote host changes.
slash -fstype=cifs,rw,dir_mode=0777,file_mode=0777,credentials=/etc/smb1.auth ://bigbang/slash
This works fine for autofs and most tools that work on the host or across network file systems. All except, that is, the YaST2 partitioner. For some unknown reason it picks up the bind mount /slash and automagically reassigns all my mount points to be under /slash. So for example if I tell it to mount my home partition at /home the partitioner will reassign my mount point to be at /slash/home. More importantly, the partitioner reassigns / to be mounted as /slash. Then if I want to make any further change to partitions and save those changes, the partitioner will complain that the mount point for / is undefined and it wants to force me to define a / mount. The only workaround I have found is to remove the bind mount from fstab and then reboot. After reboot I can then use the YaST partitioner to make the changes I want, since because without the bind mount the partitioner now sees all the mount points of different partitions as subdirectories under / and not under /slash/.
Would just commenting out the "/ /slash none bind" in fstab without rebooting work? The bind mount would remain active, but yast would not know about it. Exit yast, and remove the comment.
But without the bind mount defined in fstab, tools like autofs will no longer mount the "root" / directory though I do not grok why. So again I have to add back in the bind mount to fstab so that Samba shares will again work, and again I have to reboot. I have tried restarting all the appropriate services individually, such as nmb, smb, autofs, and network but no joy getting the remote host's "root" / dir to remount, so I resort to rebooting the systems (a PITA) and that does the trick...
Perhaps I am missing some magic trick or there is a better way to accomplish what I want to do, which ideally is to configure Samba to really share the "root" / directory. Sorry this is complicated and will be difficult to grok, it is for me! Any help would be much appreciated, I would love to once and for all resolve this irritant because I have to rediscover these issues and their resolutions each time something like autofs breaks or I want to use the partitioner.
Well, there is the question why are you using samba instead of nfs, because you have not mentioned "windows". -- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 5/24/21 2:15 AM, Carlos E. R. wrote:
Well, there is the question why are you using samba instead of nfs, because you have not mentioned "windows".
Thanks everyone for all your suggestions, and yes I should have mentioned that I also have Windoz computers on my network as well and I want to share all my file systems, including /, with those systems as well. I guess I thought that was implicit in saying I am using Samba but on re-reading my email I can see the confusion. It is hard to be sure I have covered all the bases when composing an email like this. Sorry for the confusion. I like NFS also, have used it in the past, but stopped when I realized it does not work for Windoz systems and I wanted a one-shop solution. I will set it up again for the "Linux - Linux" systems and try it out, but that costs double maintenance. Marc... -- *"The Truth is out there" - Spooky* -- *_ _ . . . . . . _ _ . _ _ _ _ . . . . _ . . . . _ _ . _ _ _ . . . . _ _ . _ . . _ . _ _ _ _ . _ . _ . _ . _ . * Computers: the final frontier. These are the voyages of the user Marc. His mission: to explore strange new hardware. To seek out new software and new applications. To boldly go where no Marc has gone before! (/This email is digitally signed. My public key for sending encrypted email to me can be found at - https://keys.openpgp.org/search?q=marc@marcchamberlin.com or just ask me for it and I will send it to you as an attachment. If you don't understand, no worries, just ignore it and/or ask me to explain it further./)
On 24/05/2021 22.33, Marc Chamberlin wrote:
On 5/24/21 2:15 AM, Carlos E. R. wrote:
Well, there is the question why are you using samba instead of nfs, because you have not mentioned "windows".
Thanks everyone for all your suggestions, and yes I should have mentioned that I also have Windoz computers on my network as well and I want to share all my file systems, including /, with those systems as well. I guess I thought that was implicit in saying I am using Samba but on re-reading my email I can see the confusion. It is hard to be sure I have covered all the bases when composing an email like this. Sorry for the confusion.
Can those windows machines then write to "/" on Linux machines? That could be a propagation hole for an attack.
(/This email is digitally signed. My public key for sending encrypted email to me can be found at - https://keys.openpgp.org/search?q=marc@marcchamberlin.com or just ask me for it and I will send it to you as an attachment. If you don't understand, no worries, just ignore it and/or ask me to explain it further./)
I like this footer :-) But you don't separate the signature with a standard signature separator. -- Cheers / Saludos, Carlos E. R. (from 15.2 x86_64 at Telcontar)
On 2021-05-24 4:33 p.m., Marc Chamberlin wrote:
On 5/24/21 2:15 AM, Carlos E. R. wrote:
Well, there is the question why are you using samba instead of nfs, because you have not mentioned "windows".
Thanks everyone for all your suggestions, and yes I should have mentioned that I also have Windoz computers on my network as well and I want to share all my file systems, including /, with those systems as well. I guess I thought that was implicit in saying I am using Samba but on re-reading my email I can see the confusion. It is hard to be sure I have covered all the bases when composing an email like this. Sorry for the confusion.
I like NFS also, have used it in the past, but stopped when I realized it does not work for Windoz systems and I wanted a one-shop solution. I will set it up again for the "Linux - Linux" systems and try it out, but that costs double maintenance.
Well it seems Windows-10 comes with an NFS option https://graspingtech.com/mount-nfs-share-windows-10/ and https://docs.microsoft.com/en-us/windows-server/storage/nfs/nfs-overview#win... Though it also seems NFS is available for earlier versions as well. I recall back when trying a couple of free and/or evaluation versions.
Yes, I've used SAMBA for shares. I once worked at a national-level telco that used Samba on a couple of big iron HP machines to support home/shares/p & projects and resources because they were (a) more reliable than any intel based Windows server from both a HW and SW POV; (b) they were more scalable and maintained a high level of performance under heavy load; and (c) they were more consistently manageable.
Point (c) proved interesting and controversial. While in theory there are more Windows techies and UNIX (Read: HP/UX) techies around, there is a difference in attitude. Somewhere I have a reference to an article on this. Part of it was that *NIX people learn 'generalities' whereas the Windows people know how to operate a specific GUI and need 'retraining' with each new release and new layout GUI. Which is how the Windows Ecosystem makes its money. (And why Windows is so popular -- there's more money to be made with it.)
I've had a few instances in my career where the fact that "It's just *NIX" was all that mattered. Contrariwise there are still some managers and recruiters that are brand obsessed "Oh, you only used SUSE and not Redhat". Well suck it up! It's not SUN either so how can it be real UNIX?
-- “Reality is so complex, we must move away from dogma, whether it’s conspiracy theories or free-market,” -- James Glattfelder. http://jth.ch/jbg
On 5/24/21 2:22 AM, Marc Chamberlin wrote:
Hello, I am running a number of OpenSuSE systems on my SOHO network at home and I keep hitting a small but annoying problem that I wonder if there is a better workaround/solution to. This occurs on all versions of OpenSuSE - 15.0, 15.1, and 15.2. I am not running 15.3 yet. All systems are x64 architecture.
I have (on a temporary basis) just created a share, and don't recall ever having any problems with it. Make sure you create your smbuser (smbpasswd -a) and give access only to that user. I used to create a "config" share as:
[config]
browseable = No
comment = %h Config
force group = root
force user = root
path = /
read only = No
valid users = david
Then from both Linux and Windows the "config" share isn't browseable (intentionally), but can be accessed via cifs or server\\config
I won't even mention the unwiseness of doing this -- you are the master of your box. (I would just say enable this the least you can)
After adding the share, always run "testparm" to confirm your smb.conf has no errors. No complaint from samba 4.14.4-1
-- David C. Rankin, J.D.,P.E.
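An added example, not code from any poster in this thread: a small audit that reads fstab and smb.conf together and lists the Samba shares that expose "/", including ones that reach it through a bind mount such as /slash, which a check for "path = /" alone would miss. The sample files are constructed from the snippets quoted in the thread, and the severity labels are this example's own convention.

```python
import configparser
import os

# Constructed samples modelled on the fstab and smb.conf snippets in the thread.
SAMPLE_FSTAB = """\
UUID=constructed-root / ext4 defaults 0 1
/ /slash none rbind,x-systemd.automount,x-systemd.idle-timeout=300 0 0
"""

SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP

[slash]
comment = Root directory
path = /slash
read only = No
force user = root

[config]
browseable = No
comment = %h Config
force group = root
force user = root
path = /
read only = No
valid users = david

[photos]
path = /srv/photos
read only = Yes
"""


def root_aliases(fstab_text):
    """Mount points that are bind or rbind mounts of "/" according to fstab."""
    aliases = set()
    for line in fstab_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        source, target, _fstype, options = fields[:4]
        if source == "/" and {"bind", "rbind"} & set(options.split(",")):
            aliases.add(os.path.normpath(target))
    return aliases


def _yes(value, default):
    """Samba-style boolean; an absent parameter takes the given default."""
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def audit_shares(smb_conf_text, fstab_text):
    """List shares whose path is "/" itself or a bind-mount alias of it."""
    roots = root_aliases(fstab_text) | {"/"}
    parser = configparser.ConfigParser(
        interpolation=None, strict=False,
        delimiters=("=",), comment_prefixes=("#", ";"))
    # smb.conf parameter names are case-insensitive; normalise inner spacing too.
    parser.optionxform = lambda key: " ".join(key.lower().split())
    parser.read_string(smb_conf_text)

    findings = []
    for name in parser.sections():
        share = parser[name]
        path = share.get("path")
        if name.lower() == "global" or not path:
            continue
        path = os.path.normpath(path)
        if path not in roots:
            continue
        writable = not _yes(share.get("read only"), default=True)
        forced_root = share.get("force user", "").strip() == "root"
        restricted = bool(share.get("valid users", "").strip())
        # Severity labels are this example's own convention, not Samba's.
        if writable and forced_root and not restricted:
            severity = "high"
        elif writable:
            severity = "elevated"
        else:
            severity = "review"
        findings.append({"share": name, "path": path, "via_bind": path != "/",
                         "writable": writable, "forced_root": forced_root,
                         "restricted": restricted, "severity": severity})
    return findings


if __name__ == "__main__":
    for finding in audit_shares(SAMPLE_SMB_CONF, SAMPLE_FSTAB):
        print(finding)
```

On a real host, pass the contents of /etc/fstab and of the smb.conf in use; shares reported as "high" are writable, forced to root and have no "valid users" restriction.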
participants (6)
- Anton Aylward
- Carlos E. R.
- David C. Rankin
- Felix Miata
- Marc Chamberlin
- Per Jessen