Bug 10453 - Credentials file not submitted when accessing share with mount.cifs setuid
Status: RESOLVED INVALID
Alias: None
Product: CifsVFS
Classification: Unclassified
Component: user space tools
Version: 2.6
Hardware: x64 Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Jeff Layton
Reported: 2014-02-18 03:57 UTC by jbkt23
Modified: 2015-09-01 11:02 UTC
Description jbkt23 2014-02-18 03:57:20 UTC
Distro: Fc20, CIFS version: 2.2, Samba server: SL linux 6.1 running samba version 3.6

Attempting to mount the share on the server results in a request for a password even though the credentials file is provided on the command line, as per the following:

$ /usr/local/sbin/mount.cifs //sambaserv/k-rdat ~/k-rdat/ -v -o credentials=/home/jbk/.samba/.jbk
Password for jbk@//sambaserv/k-rdat: ***********
mount.cifs kernel mount options: ip=10.251.227.4,unc=\\sambaserv\k-rdat,uid=501,gid=501,user=jbk,pass=********

I have created the requisite entry in fstab:

//sambaserv/k-rdat /home/jbk/k-rdat    cifs    user 0 0

Using the client utility I am able to access the share without a password challenge.

$ smbclient //sambaserv/k-rdat -d 3 -A ~/.samba/.jbk
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
added interface enp0s25 ip=10.251.227.9 bcast=10.255.255.255 netmask=255.0.0.0
Client started (version 4.1.3).
tdb(/var/lib/samba/gencache.tdb): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb: Permission denied
tdb(/var/lib/samba/gencache.tdb): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb: No such file or directory
tdb(/var/lib/samba/gencache.tdb): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb: Permission denied
tdb(/var/lib/samba/gencache.tdb): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb: No such file or directory
resolve_lmhosts: Attempting lmhosts lookup for name sambaserv<0x20>
resolve_lmhosts: Attempting lmhosts lookup for name sambaserv<0x20>
resolve_wins: WINS server resolution selected and no WINS servers listed.
resolve_hosts: Attempting host lookup for name sambaserv<0x20>
tdb(/var/lib/samba/gencache.tdb): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb: Permission denied
tdb(/var/lib/samba/gencache.tdb): tdb_open_ex: could not open file /var/lib/samba/gencache.tdb: No such file or directory
Connecting to 10.251.227.4 at port 445
Doing spnego session setup (blob length=42)
got OID=1.3.6.1.4.1.311.2.2.10
got principal=NONE
Got challenge flags:
Got NTLMSSP neg_flags=0x608a8215
NTLMSSP: Set final flags:
Got NTLMSSP neg_flags=0x60088215
NTLMSSP Sign/Seal - Initialising with flags:
Got NTLMSSP neg_flags=0x60088215
Domain=[KR] OS=[Unix] Server=[Samba 3.6.9-167.el6_5]
smb: \> exit
Comment 1 Jeff Layton 2015-09-01 11:02:08 UTC
This is expected behavior. mount.cifs ignores options passed in from the command line via "-o" when run by an unprivileged user. If you add the "credentials=" option to the options string in /etc/fstab then it should be respected.

FWIW, running mount.cifs directly as a setuid program is not recommended at all. There are likely security issues in doing so.
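
A check that follows from comment 1, as an added example that is not part of the bug report or of cifs-utils: it lists user-mountable cifs entries in an fstab-format file, reports whether "credentials=" is set in the fstab options field, and tests a mount.cifs binary for the setuid bit. The function names are hypothetical, and the sample fstab is constructed from the reporter's entry plus two made-up lines (//sambaserv/other and an ext4 root).

```shell
#!/bin/sh
# Added example (not from the bug report): audit fstab-format input for
# user-mountable cifs entries and report whether credentials= is set there.

audit_cifs_fstab() {
    # $1: path to an fstab-format file
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        $3 != "cifs"         { next }      # only cifs filesystems
        {
            n = split($4, opts, ",")
            user = 0; creds = ""
            for (i = 1; i <= n; i++) {
                if (opts[i] == "user" || opts[i] == "users") user = 1
                if (index(opts[i], "credentials=") == 1)
                    creds = substr(opts[i], length("credentials=") + 1)
            }
            if (!user) next                # root-only mounts are out of scope
            if (creds == "") print "NO_CREDENTIALS " $1 " " $2
            else             print "CREDENTIALS " $1 " " $2 " " creds
        }
    ' "$1"
}

# True when the given file carries the setuid bit, the setup the
# maintainer advises against for mount.cifs.
is_setuid() {
    [ -u "$1" ]
}

# Constructed sample: first entry is the reporter's, second adds the option,
# the last two are made up to show entries the audit skips.
sample_fstab() {
    cat <<'EOF'
# constructed sample fstab
//sambaserv/k-rdat /home/jbk/k-rdat cifs user 0 0
//sambaserv/k-rdat /home/jbk/k-rdat cifs user,credentials=/home/jbk/.samba/.jbk 0 0
//sambaserv/other /mnt/other cifs credentials=/root/.smbcred 0 0
/dev/sda1 / ext4 defaults 0 1
EOF
}

tmp=$(mktemp)
sample_fstab > "$tmp"
audit_cifs_fstab "$tmp"
# /usr/local/sbin/mount.cifs is the path used in the report above
if is_setuid /usr/local/sbin/mount.cifs; then echo "SETUID /usr/local/sbin/mount.cifs"; fi
rm -f "$tmp"
```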