RE: [opensuse] smbfs vs. cifs mounts to samba shares
-----Original Message-----
From: David C. Rankin [mailto:drankinatty@suddenlinkmail.com]
Sent: Wednesday, May 07, 2008 3:28 PM
To: suse
Subject: Re: [opensuse] smbfs vs. cifs mounts to samba shares
<snip>
The noacl, noperm parameters tell the client side to let the server side handle setting/checking of permissions and ownership, which is what you want for a samba server, the way it's always been, and the only way that really works for most environments.
I would suggest a closer look at the 'man mount.cifs' comments for noperm, as this could be a security issue in a multiuser environment. Though giving access via fstab does kind of make things global on the client. (For a per user option there is pam.mount).
I have been using the uid and gid option with setuids for some time without issues (except a possible latency issue). In my case uid and gid are probably redundant but setuids sets up a form of dynamic local permission cache.
Look at man mount.cifs again for more info...
and
http://pserver.samba.org/samba/ftp/cifs-cvs/linux-cifs-client-guide.pdf
may help...
WARNING, WARNING, the use of ,noperm will give root access to all cifs mounted shares mounted with the ,noperm options. A stray chmod -R or the like above the mount point will work all the way down the mounted client as well...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks David. So what is a better way to mount with cifs, instead of resorting back to smbfs? Use noacl and not noperm?

Best regards,
~James
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
James D. Parra wrote:
-----Original Message-----
From: David C. Rankin [mailto:drankinatty@suddenlinkmail.com]

WARNING, WARNING, the use of ,noperm will give root access to all cifs mounted shares mounted with the ,noperm options. A stray chmod -R or the like above the mount point will work all the way down the mounted client as well...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks David. So what is a better way to mount with cifs, instead of resorting back to smbfs? Use noacl and not noperm?
Best regards,
~James
James,

That is an excellent question, to which, I'll give a very straightforward answer. "I don't know." Since all I have to worry about is Windows users, that question doesn't hit me from a user perspective. Of course, I use cifs extensively for myself, but I do use the ,noperm. That's how I found out that a stray recursive command above the mount point can really screw up the entire mounted drive. I just use brief scripts to mount drives and use .bashrc to do it. There is no reason you couldn't have them execute on user login. The script I use is:

#!/bin/bash

device="/mnt/nirvana-cfg"
if mount | grep -q "on ${device} type"; then
    echo "${device} already mounted"
else
    mount.cifs //nirvana/config /mnt/nirvana-cfg/ -o username=david,uid=1000,password=yourpassword,noperm
fi

device="/mnt/nirvana"
if mount | grep -q "on ${device} type"; then
    echo "${device} already mounted"
else
    mount.cifs //nirvana/samba /mnt/nirvana/ -o username=david,uid=1000,password=yourpassword,noperm
fi

device="/mnt/nirvana-david"
if mount | grep -q "on ${device} type"; then
    echo "${device} already mounted"
else
    mount.cifs //nirvana/david /mnt/nirvana-david/ -o username=david,uid=1000,password=yourpassword,noperm
fi

exit 0

You can remove the noperm and still get access that provides better protection against an accidental stray command. Fortunately, that is as far as I have had to dive into the mess.

--
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
David C. Rankin wrote:
James D. Parra wrote:
-----Original Message-----
From: David C. Rankin [mailto:drankinatty@suddenlinkmail.com]

WARNING, WARNING, the use of ,noperm will give root access to all cifs mounted shares mounted with the ,noperm options. A stray chmod -R or the like above the mount point will work all the way down the mounted client as well...
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks David. So what is a better way to mount with cifs, instead of resorting back to smbfs? Use noacl and not noperm?
Best regards,
~James
James,
That is an excellent question, to which, I'll give a very straightforward answer. "I don't know." Since all I have to worry about is Windows users, that question doesn't hit me from a user perspective. Of course, I use cifs extensively for myself, but I do use the ,noperm. That's how I found out that a stray recursive command above the mount point can really screw up the entire mounted drive. I just use brief scripts to mount drives and use .bashrc to do it. There is no reason you couldn't have them execute on user login. The script I use is:
#!/bin/bash
device="/mnt/nirvana-cfg"
if mount | grep -q "on ${device} type"; then
    echo "${device} already mounted"
else
    mount.cifs //nirvana/config /mnt/nirvana-cfg/ -o username=david,uid=1000,password=yourpassword,noperm
fi
<script snipped>
You can remove the noperm and still get access that provides better protection against an accidental stray command. Fortunately, that is as far as I have had to dive into the mess.
Firstly, personally I would not explicitly place the credentials on the mount (or mount.cifs) command line. Below is something I use that has worked for me so far without any samba related problems, which may give some ideas. (BTW This is part of a rather longer batch script that does a few mounts and other things, which is why there is an error count and the mount command parameters are defined in variables and are exported).

export CIFMOUNT="-t cifs -o credentials=${HOME}/gtslog,uid=${USER},gid=users,setuids,rw"
export CIFSERVER="//GTSDual.gtshome/"

if mount ${CIFMOUNT} ${CIFSERVER}homes ${HOME}/GTSDual
then
    echo 'mount GTSDual OK'
    echo '================'
else
    echo 'mount GTSDual failed'
    echo "++++++++++++++++++++ Fail Count: $((++CONFAIL))"
fi

Something similar could be introduced as part of a user's initial login sequence....

This should be OK if the uid and gid are synchronised and the samba resource supports CIFS Extended Unix extensions (and you sort out one way or another mounts security requirements). In an ideal world one should not be in the position that *NIX uids and gids are not synchronised if it was originally intended to deploy networked resources (unfortunately it is not an ideal world, and in the M$ world the opposite is the case and SID references are preferred to be different on each workstation).

--
==============================================================================
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone.
Bjarne Stroustrup
==============================================================================
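An added example, not part of any post in this thread: a shell audit that reads mount entries in fstab / /proc/mounts field order and flags the practices discussed above, namely cifs mounts using noperm, a password given inline in the option string, and a credentials= file that group or other can access. The function names, finding labels and sample entries (including the /home/user paths) are constructed for illustration; only the long option spellings credentials= and password=/pass= are checked.

```shell
#!/bin/bash
# Added example (not from the thread): audit cifs entries for the mount
# options discussed above. Input uses the fstab / /proc/mounts field order:
#   device  mountpoint  fstype  options  ...

# Succeeds when the file exists and grants nothing to group or other.
# Uses GNU stat, as found on Linux.
cred_file_private() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Reads entries on stdin and prints "<mountpoint> <finding>" lines.
audit_cifs_entries() {
    local dev mnt fstype opts rest cred
    while read -r dev mnt fstype opts rest; do
        case "$dev" in ''|'#'*) continue ;; esac    # blank line or comment
        [ "$fstype" = cifs ] || continue
        case ",$opts," in
            *,noperm,*) echo "$mnt noperm" ;;       # client permission checks off
        esac
        case ",$opts," in
            *,password=*|*,pass=*) echo "$mnt inline-password" ;;
        esac
        case ",$opts," in
            *,credentials=*)
                cred=",$opts"; cred=${cred#*,credentials=}; cred=${cred%%,*}
                if [ -e "$cred" ] && ! cred_file_private "$cred"; then
                    echo "$mnt credentials-file-not-private"
                fi ;;
        esac
    done
}

# Constructed sample entries modelled on the two scripts in the thread.
sample_entries() {
    cat <<'EOF'
# constructed sample, not taken from a real system
//nirvana/config /mnt/nirvana-cfg cifs username=david,uid=1000,password=yourpassword,noperm 0 0
//GTSDual.gtshome/homes /home/user/GTSDual cifs credentials=/home/user/gtslog,uid=user,gid=users,setuids,rw 0 0
/dev/sda2 / ext4 defaults 1 1
EOF
}

sample_entries | audit_cifs_entries
```

The same function accepts /etc/fstab or /proc/mounts on stdin, since both use this field order.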
participants (3): David C. Rankin, G T Smith, James D. Parra