Bug 2094785 - "user" CIFS mount not supported
Summary: "user" CIFS mount not supported
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: cifs-utils
Version: 39
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Orphan Owner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2022-06-08 09:43 UTC by Stephane Travostino
Modified: 2023-12-11 14:33 UTC (History)
12 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-04-26 01:15:12 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)

Description Stephane Travostino 2022-06-08 09:43:15 UTC
Description of problem:

CIFS volumes can't be mounted as a normal user. The common suggestion is to add the setuid bit to mount.cifs, but this isn't possible to do on immutable distributions like Silverblue.


Version-Release number of selected component (if applicable):

cifs-utils-6.15-1.fc36.x86_64

How reproducible:

Always.

Steps to Reproduce:
1. Configure a user-mountable / systemd automount CIFS volume
2. Try to mount it from Nautilus

Additional info:

I'm using the following fstab line for my volume:

//cupboard/data         /mnt/cupboard                   cifs    credentials=/etc/samba/cupboard.credentials,uid=1000,gid=1000,rw,noauto,x-systemd.automount,x-systemd.mount-timeout=30,_netdev,x-gvfs-show 0 0

The x-systemd.automount is recommended on multiple guides to delay mounting the volume until first accessed, instead of slowing down the system boot process.

See also: https://ask.fedoraproject.org/t/suddenly-user-cifs-mounts-not-supported/22785/4

Comment 1 Ben Cotton 2023-04-25 17:22:54 UTC
This message is a reminder that Fedora Linux 36 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 36 on 2023-05-16.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '36'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 36 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 2 Fedora Admin user for bugzilla script actions 2023-04-26 00:06:32 UTC
This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

Comment 3 Ronnie Sahlberg 2023-04-26 01:15:12 UTC
This is addressed in fedora 38 as part of cifs-utils 7.0

Comment 4 Michael Monreal 2023-05-29 12:06:37 UTC
As far as I can see this is not fixed. I am running cifs-utils-7.0-1.fc38.x86_64 on Fedora 38. Maybe this is fixed for Fedora Workstation but not Silverblue (which the original bug reporter mentioned as well)?

Comment 5 Pablo Alonso Rodriguez 2023-09-18 13:54:55 UTC
Tested on the same version than Michael but in regular Fedora 38. It was not fixed, I had to `chmod u+s /sbin/mount.cifs` as workaround.

This machine was upgraded from earlier Fedora versions, not sure if this might be a factor. But if it is a matter of upgrading, permissions should be fixed during upgrade.

Comment 6 RafneQ 2023-12-09 16:09:57 UTC
Hi,this issue is still present on fresh install of Fedora 39 (Workstation) with package version cifs-utils-7.0-2.fc39.x86_64.

As it was reported above, doing for example mount -t cifs [share] [mount_point] [options]... as a normal user is not possible and terminal throws error:

This program is not installed setuid root -  "user" CIFS mounts not supported.

Comment 7 Alexander Bokovoy 2023-12-11 11:06:56 UTC
There is no plan to enable setuid root for mount.cifs by default. We consider this a security issue and as such, a decision to enable user-initiated mounts should be part of an explicit administrator activity. On Fedora workstations GNOME provides user mounts via libgvfs interface which avoids using kernel cifs driver and therefore does not need mount.cifs at all.

Since Fedora 15, a general policy Fedora has is to not use setuid bits: https://fedoraproject.org/wiki/Features/RemoveSETUID

We may look into adding `%cap(....)` statement to mount.cifs definition in the spec file to cover required capabilities automatically. 

Lukas, any comment here from SELinux point of view?

Comment 8 Lukas Vrabec 2023-12-11 14:33:51 UTC
For both unconfined(every Linux user is unconfined by default) there are allow rules to execute mount.cifs binary file and setuid capability. Confined users can execute mount.cifs binary file but doesn't have setuid capability, so user would need to enable it if confined users are configured.   


By default SELinux should not block it, however I fully support the statement to avoid introducing setuid bits on new binary files. I believe the problem should be discussed with Silverblue team, to get their input how such use-cases should be implemented. 

Thanks,
Lukas.


Note You need to log in before you can comment on or make changes to this bug.