Samba user shares broken on Fedora 12

If you’re using Samba user shares on your system (that is, shares that users can mount without being root), you were probably greeted with the following message for the last several weeks, when trying to mount a share:

user$ mount nas
This mount.cifs program has been built with the ability to run as a setuid root program disabled.
mount.cifs has not been well audited for security holes. Therefore the Samba team does not recommend installing it as a setuid root program.

The Samba team does not recommend installing it as a setuid root program ? Wait, no, the samba team unilaterally decided to prevent you to run mount.cifs and umount.cifs with setuid (which is needed for user mounts to work), and there’s nothing you can do about it without recompiling.

They probably decided this after CVE-2009-2948. The problem is that on my home nework, I need the ability to mount Samba shares without being root, and I don’t really care for the above security bug. So, while they audit their code (nobody knows how many time it’ll take), I decided to downgrade my Samba version from the updated one (3.4.5 at the time of this writing) to the one found on the Fedora 12 stock install (3.4.2). Here’s how to do it:

root# yum downgrade samba-client samba-common samba-winbind samba-winbind-clients

Now, let’s try to mount the share:

user$ mount nas
mount error(1): Operation not permitted
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)

Okay, the binaries are not setuid, let’s do it ourselves:

root# chmod 4755 /sbin/mount.cifs /sbin/umount.cifs

And retry:

user$ mount nas && echo mount: success ; umount nas && echo umount: success
mount: success
umount: success

It works ! Now, last thing, don’t forget to prevent yum from updating your Samba again, add the following line to your /etc/yum.conf :

exclude=samba-*

When the Samba guys will have audited their code and allow again setuid on the CIFS mount utils, just remove the exclude line from your /etc/yum.conf, and run yum update, as usual.

EDIT: I’ve looked at the source code of the latest Samba release (3.5.2, released on April, 7th), and the ability to use setuid on the CIFS mount utility is still disabled by default. There is a ”#define” in the source code that enables or disables this functionality, so it should be up to the Samba maintainers of each Linux distro to decide. The ‘fix’ is pretty simple, just change the following line :

#define CIFS_DISABLE_SETUID_CHECK 0

to:

#define CIFS_DISABLE_SETUID_CHECK 1

in the client/mount.cifs.c source file, and recompile. The above line is preceded with the following comment from the developers:

/*
* mount.cifs has been the subject of many "security" bugs that have arisen
* because of users and distributions installing it as a setuid root program.
* mount.cifs has not been audited for security. Thus, we strongly recommend
* that it not be installed setuid root. To make that abundantly clear,
* mount.cifs now check whether it's running setuid root and exit with an
* error if it is. If you wish to disable this check, then set the following
* #define to 1, but please realize that you do so at your own peril.
*/

This is probably what is scaring our maintainers… I’m not that confident the functionality will come back by itself anymore. Will we have to build alternative rpms ourselves, with CIFS_DISABLE_SETUID_CHECK set to 1 ?

Meanwhile, the issue is spreading, Mandriva cooker is now affected too.