Bug 860154 - Cannot enable 'exec' mount option when mounting CIFS directories using kerberos
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: cifs-utils
Version: 17
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Assignee: Jeff Layton
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-09-25 06:42 UTC by Stefan Walter
Modified: 2014-06-18 07:42 UTC

Last Closed: 2012-12-20 16:28:25 UTC
Type: Bug

Description Stefan Walter 2012-09-25 06:42:31 UTC
Description of problem:

At our site we use CIFS for home directories and kerberos for mounting them.
Basically root runs a command similar to the following:

# mount -t cifs -o nobrl,suid,exec,mapchars,mfsymlinks,noserverino,file_mode=0700,dir_mode=0700,user=johndoe,uid=12345,cruid=12345,gid=12345,sec=krb5 //server/johndoe /mnt/johndoe

The 'exec' mount option is always ignored and the share is mounted noexec. For
home directories this is pretty inconvenient if you have your own software
in there.

The mount command should be changed in a way that root can actually mount
a directory with the 'exec' mount option. 


Version-Release number of selected component (if applicable):

kernel-3.5.3-1.fc17.x86_64
cifs-utils-5.6-1.fc17.x86_64


How reproducible:

Always.


Steps to Reproduce:
1. Set up a Samba server with kerberos authentication
2. Add a user 'johndoe'
3. Try to mount the share 'johndoe' as root using a command line similar to the one above.
  

Actual results:

Share is mounted 'noexec'


Expected results:

Share should be mounted 'exec' since the command is run by root.


Additional info:

The same mount command line works fine on our RHEL 6.X systems.

In the man page of mount.cifs it says (also note the typo):

       This command may be used only by root, unless
       installed setuid, in which case the noeexec and nosuid
       mount flags are enabled.

We do not have the suid bit set though:

# ls -la /sbin/mount.cifs
-rwxr-xr-x. 1 root root 36552 Jul 26 17:43 /sbin/mount.cifs

Comment 1 Jeff Layton 2012-09-25 10:55:57 UTC
We can chalk this one up to bad documentation.

The problem is the use of 'user=' as a mount option, which confuses /bin/mount into thinking that this is a non-superuser mount. It then adds a number of mount options to nerf this mount (including noexec). If you change that option to read "username=johndoe" then it should work just fine.

I've proposed a patch upstream to clarify this in the mount.cifs manpage:

    http://article.gmane.org/gmane.linux.kernel.cifs/7039

...it should make the next release assuming no one complains.
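
The workaround from comment 1 applied to fstab-format entries, as an added example that is not part of the original bug report or of cifs-utils. The function names and the sample entries are constructed for illustration; only the exact key `user=` on cifs lines is rewritten to `username=`, so `username=` and the bare `user` option of /bin/mount are left alone.

```shell
#!/bin/sh
# Added example: audit fstab-format input for cifs entries that pass the
# account name as "user=NAME" and rewrite the option to "username=NAME".

# Constructed sample input (fstab format: device, mountpoint, type, options).
sample_fstab() {
    cat <<'EOF'
# constructed sample entries
//server/johndoe /mnt/johndoe cifs nobrl,suid,exec,user=johndoe,uid=12345,cruid=12345,gid=12345,sec=krb5 0 0
//server/share /mnt/share cifs username=alice,sec=krb5 0 0
/dev/sdb1 /media/usb vfat user,noauto 0 0
EOF
}

# Print the number of cifs entries whose option list contains "user=".
count_cifs_user_opt() {
    awk '$1 !~ /^#/ && $3 == "cifs" && $4 ~ /(^|,)user=/ { c++ }
         END { print c + 0 }'
}

# Rewrite "user=NAME" to "username=NAME" on cifs entries only.
# Rewritten lines are re-joined with single spaces; other lines pass through.
rewrite_cifs_user_opt() {
    awk '
    /^[ \t]*#/ || NF < 4 { print; next }   # comments and short lines unchanged
    $3 == "cifs" {
        n = split($4, opt, ",")
        out = ""
        for (i = 1; i <= n; i++) {
            # "^user=" cannot match "username=" or the bare "user" option
            if (opt[i] ~ /^user=/) opt[i] = "username=" substr(opt[i], 6)
            out = out (i > 1 ? "," : "") opt[i]
        }
        $4 = out
    }
    { print }
    '
}

echo "cifs entries using user=: $(sample_fstab | count_cifs_user_opt)"
sample_fstab | rewrite_cifs_user_opt
```
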

Comment 2 Jeff Layton 2012-09-25 11:07:38 UTC
Also, cc'ing Karel Zak. Is the above a regression in /bin/mount? Should it be treating the "user=" option differently from "user"?

Comment 3 Stefan Walter 2012-09-25 11:33:55 UTC
With 'username=...' it works like a charm. Thanks a lot for the quick response!

Comment 4 Karel Zak 2012-10-01 12:38:40 UTC
(In reply to comment #2)
> Also, cc'ing Karel Zak. Is the above a regression in /bin/mount? Should it
> be treating the "user=" option differently from "user"?

This problem should be already fixed in f18 and upstream:

commit e90e7401d0c318c9dac4a0204e2bca86949b1d32
Author: Karel Zak <kzak>
Date:   Thu Jun 14 14:19:26 2012 +0200

    libmount: don't use nosuid,noexec,nodev for cifs user=foo


.. if you want to see it backported to f17 then clone/reassign this bug to util-linux. Thanks.

Comment 5 Jeff Layton 2012-10-03 18:37:46 UTC
Nah, I think it's ok. I'll just plan to pull in the documentation patch for cifs-utils soon and take it from there.

Comment 6 Jeff Layton 2012-10-08 11:02:11 UTC
Manpage patch pushed to mainline. I'll plan to pull it into f17 once I cut a new upstream release, which should be real soon now...

Comment 7 Fedora Update System 2012-10-10 01:23:01 UTC
cifs-utils-5.7-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/cifs-utils-5.7-1.fc17

Comment 8 Fedora Update System 2012-10-11 00:55:27 UTC
Package cifs-utils-5.7-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing cifs-utils-5.7-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-15827/cifs-utils-5.7-1.fc17
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2012-12-20 16:28:29 UTC
cifs-utils-5.7-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

