====== Samba user shares broken on Fedora 12 ======

If you're using Samba user shares on your system (that is, shares that users can mount without being root), you were probably greeted with the following message for the last several weeks when trying to mount a share:

<code console>
$ mount nas
This mount.cifs program has been built with the ability to run as a setuid root program disabled.
mount.cifs has not been well audited for security holes. Therefore the Samba team
does not recommend installing it as a setuid root program.
</code>

The Samba team does not //recommend// installing it as a setuid root program? Well, in fact, the Samba team unilaterally decided to **prevent** you from running <color red>''mount.cifs''</color> and <color red>''umount.cifs''</color> with setuid (which is needed for user mounts to work), and there's nothing you can do about it without recompiling. They probably decided this after [[http://www.samba.org/samba/security/CVE-2009-2948.html|CVE-2009-2948]].

The problem is that on my home network, I **need** the ability to mount Samba shares without being root, and I don't really care for the above security bug. So, while they audit their code (nobody knows how long it'll take), I decided to downgrade my Samba version from the updated one (3.4.5 at the time of this writing) to the one found on the Fedora 12 stock install (3.4.2). Here's how to do it:

<code console>
# yum downgrade samba-client samba-common samba-winbind samba-winbind-clients
</code>

Now, let's try to mount the share:

<code console>
$ mount nas
mount error(1): Operation not permitted
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs)
</code>

Okay, the binaries are not setuid, let's do it ourselves:

<code console>
# chmod 4755 /sbin/mount.cifs /sbin/umount.cifs
</code>

And retry:

<code console>
$ mount nas && echo mount: success ; umount nas && echo umount: success
mount: success
umount: success
</code>

It works!
Now, one last thing: don't forget to prevent <color red>''yum''</color> from updating your Samba again. Add the following line to your <color green>''/etc/yum.conf''</color>:

<file>
exclude=samba-*
</file>

When the Samba guys have audited their code and allow setuid again on the CIFS mount utils, just remove the exclude line from your <color green>''/etc/yum.conf''</color>, and run <color red>''yum update''</color>, as usual.

**EDIT:** I've looked at the source code of the latest Samba release (3.5.2, released on April 7th), and the ability to use setuid on the CIFS mount utility is still disabled by default. There is a <color purple>''#define''</color> in the source code that enables or disables this functionality, so it should be up to the Samba maintainers of each Linux distro to decide. The 'fix' is pretty simple, just change the following line:

<code c>
#define CIFS_DISABLE_SETUID_CHECK 0
</code>

to:

<code c>
#define CIFS_DISABLE_SETUID_CHECK 1
</code>

in the <color green>client/mount.cifs.c</color> source file, and recompile. The above line is preceded with the following comment from the developers:

<code c>
/*
 * mount.cifs has been the subject of many "security" bugs that have arisen
 * because of users and distributions installing it as a setuid root program.
 * mount.cifs has not been audited for security. Thus, we strongly recommend
 * that it not be installed setuid root. To make that abundantly clear,
 * mount.cifs now check whether it's running setuid root and exit with an
 * error if it is. If you wish to disable this check, then set the following
 * #define to 1, but please realize that you do so at your own peril.
 */
</code>

This is probably what is scaring our maintainers... I'm not that confident the functionality will come back by itself anymore. Will we have to build alternative rpms ourselves, with <color purple>CIFS_DISABLE_SETUID_CHECK</color> set to 1?
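To make the behaviour of that <color purple>''#define''</color> concrete, here is an added illustration (written for this post, not Samba's own code) of the kind of guard the developers' comment describes: a helper compares its real and effective uid and refuses to continue when it finds itself running setuid root, unless the check is compiled out. The names ''setuid_check'', ''verdict_message'' and the enum values are mine; only ''CIFS_DISABLE_SETUID_CHECK'' comes from the page.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Same name and default as the define discussed above; 0 = refuse to
 * run setuid root (upstream default), 1 = allow it (the post's 'fix'). */
#ifndef CIFS_DISABLE_SETUID_CHECK
#define CIFS_DISABLE_SETUID_CHECK 0
#endif

enum setuid_verdict { RUN_OK = 0, REFUSE_SETUID_ROOT = 1, NOT_ROOT = 2 };

/* Decide whether a mount helper may proceed, given its real uid, its
 * effective uid and the compile-time policy. Kept as a pure function so
 * the policy can be exercised without installing anything setuid. */
enum setuid_verdict setuid_check(uid_t ruid, uid_t euid, int disable_check)
{
    if (euid != 0)
        return NOT_ROOT;           /* no root privilege: mount(2) would fail anyway */
    if (ruid != 0 && !disable_check)
        return REFUSE_SETUID_ROOT; /* invoked by a normal user via the setuid bit */
    return RUN_OK;                 /* either real root, or the check was compiled out */
}

/* Text a user would see on stderr for each verdict (wording is mine). */
const char *verdict_message(enum setuid_verdict v)
{
    switch (v) {
    case NOT_ROOT:
        return "not running as root: cannot mount";
    case REFUSE_SETUID_ROOT:
        return "built with the ability to run as a setuid root program disabled";
    default:
        return "ok";
    }
}

int main(void)
{
    enum setuid_verdict v = setuid_check(getuid(), geteuid(), CIFS_DISABLE_SETUID_CHECK);
    if (v != RUN_OK) {
        fprintf(stderr, "mount helper: %s\n", verdict_message(v));
        return 1;
    }
    /* A real helper would mount here, dropping root as soon as it is no longer needed. */
    puts("setuid policy check passed");
    return 0;
}
```

Compile once with the default and once with ''-DCIFS_DISABLE_SETUID_CHECK=1'' to see the two policies side by side.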
Meanwhile, the issue is spreading: Mandriva Cooker is now [[http://forum.mandriva.com/viewtopic.php?t=127386|affected too]].

 
blog/samba_user_shares_broken_on_fedora_12.txt · Last modified: 28/04/2010 09:16 by speed47