Bug 861862 - mount - user option does not imply noexec, nosuid, and nodev
Product: Fedora
Classification: Fedora
Component: cifs-utils
Assigned To: Jeff Layton
Fedora Extras Quality Assurance
Reported: 2012-10-01 03:49 EDT by Marcus Moeller
Modified: 2014-06-18 03:42 EDT
Doc Type: Bug Fix
Last Closed: 2012-10-01 09:18:35 EDT
Type: Bug
Description Marcus Moeller 2012-10-01 03:49:15 EDT
Description of problem:
In previous versions of mount, setting the user parameter automatically implied 'noexec,nosuid,nodev' which is no longer the case. The man page still lists this feature, so mount should either imply these settings again or the note should be removed from man(8) mount.

Version-Release number of selected component (if applicable):
Comment 1 Karel Zak 2012-10-01 07:03:36 EDT
Do you have any example? It works for me:

$ findmnt --fstab /mnt/test
/mnt/test /dev/sdb1 auto   defaults,user,noauto

$ mount /mnt/test

$ findmnt --kernel /mnt/test       
/mnt/test /dev/sdb1 ext2   rw,nosuid,nodev,noexec,relatime,stripe=32
Comment 2 Marcus Moeller 2012-10-01 07:14:06 EDT
mount.cifs  -o nobrl,mfsymlinks,noserverino,file_mode=0700,dir_mode=0700,user,uid=myuid,cruid=myuid,gid=mygid,sec=krb5 //my/cifs/dfs/mount /mnt/

//my/cifs/dfs/mount on /mnt type cifs (rw,relatime,vers=1.0,sec=krb5,cache=loose,unc=\\..,username=myuser,uid=myuid,forceuid,gid=mygid,forcegid,addr=...,file_mode=0700,dir_mode=0700,nounix,nobrl,mfsymlinks,rsize=61440,wsize=65536,actimeo=1)
Comment 3 Karel Zak 2012-10-01 07:57:34 EDT
(In reply to comment #2)
> mount.cifs 

This is a binary from cifs-utils; mount(8) only executes this helper program. Try

 LIBMOUNT_DEBUG=0xffff mount /mnt

to see more details, for example:

 32398: libmount:      CXT: [0x226d980]: mount: generate helper mount options
 32399: libmount:      CXT: [0x226d980]: argv[0] = "/sbin/mount.cifs"
 32399: libmount:      CXT: [0x226d980]: argv[1] = "//sr.net.home/kzak"
 32399: libmount:      CXT: [0x226d980]: argv[2] = "/mnt/kzak"
 32399: libmount:      CXT: [0x226d980]: argv[3] = "-o"
 32399: libmount:      CXT: [0x226d980]: argv[4] = "rw,noexec,nosuid,nodev,username=SRGROUP/kzak,user"

BTW, the mount.<type> helpers have to interpret and verify (against fstab) the 'user' mount option independently of the command line. We cannot follow the command line in suid binaries.

Note that on my system (f16) /sbin/mount.cifs is not suid and it returns
"This program is not installed setuid root -  "user" CIFS mounts not supported."
Comment 4 Jeff Layton 2012-10-01 08:31:03 EDT
(In reply to comment #2)
> mount.cifs  -o
> nobrl,mfsymlinks,noserverino,file_mode=0700,dir_mode=0700,user,uid=myuid,
> cruid=myuid,gid=mygid,sec=krb5 //my/cifs/dfs/mount /mnt/
> //my/cifs/dfs/mount on /mnt type cifs
> (rw,relatime,vers=1.0,sec=krb5,cache=loose,unc=\\..,username=myuser,
> uid=myuid,forceuid,gid=mygid,forcegid,addr=...,file_mode=0700,dir_mode=0700,
> nounix,nobrl,mfsymlinks,rsize=61440,wsize=65536,actimeo=1)

The "user" option is really only supposed to be used with fstab as a way to designate a mount as mountable by an unprivileged user. Traditionally, /bin/mount has interpreted that option for us, and added those options to the option string before calling the mount helper.

Executing the mount.cifs helper directly is not really supported. What are you trying to achieve by running it directly?
Comment 5 Marcus Moeller 2012-10-01 09:18:35 EDT
@Jeff okay, thanks for pointing that out. We will set those options manually, then. It just was a fast way to set a bunch of required options at once.
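
Added example, not part of the original bug thread: a check that a mount actually carries nosuid, nodev and noexec, which is worth confirming when a helper such as mount.cifs is run directly and mount(8) has not added them for the user option. It reads /proc/mounts-format lines; the sample lines and the names audit_mounts and sample_mounts are constructed for illustration.

```shell
#!/bin/sh
# Report mounts of one filesystem type that lack any of nosuid, nodev, noexec.
# Input: lines in /proc/mounts format (device mountpoint fstype options 0 0).
# Spaces in mount points appear there as \040, so whitespace splitting is safe.

REQUIRED="nosuid nodev noexec"

# audit_mounts FSTYPE
# Prints "<mountpoint> missing:<opt>[,<opt>...]" for each offending mount.
audit_mounts() {
    awk -v fstype="$1" -v required="$REQUIRED" '
    BEGIN { n = split(required, req, " ") }
    $3 == fstype {
        # Field 4 is the option list as the kernel reports it.
        split("", have)                     # portable way to clear the array
        m = split($4, opts, ",")
        for (i = 1; i <= m; i++) have[opts[i]] = 1
        missing = ""
        for (i = 1; i <= n; i++)
            if (!(req[i] in have))
                missing = missing (missing == "" ? "" : ",") req[i]
        if (missing != "") printf "%s missing:%s\n", $2, missing
    }'
}

# Constructed sample input: one mount made through mount(8) with the fstab
# "user" option, one CIFS mount made by calling the helper directly, and one
# CIFS mount where only some of the options were set by hand.
sample_mounts() {
    cat <<'EOF'
/dev/sdb1 /mnt/test ext2 rw,nosuid,nodev,noexec,relatime 0 0
//server.example/share /mnt/share cifs rw,relatime,vers=1.0,sec=krb5,uid=1000 0 0
//server.example/docs /mnt/docs cifs rw,nosuid,nodev,relatime,vers=1.0 0 0
EOF
}

# Demonstration on the sample; on a live system use: audit_mounts cifs < /proc/mounts
sample_mounts | audit_mounts cifs
```
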
