Bug 861862 - mount - user option does not imply noexec, nosuid, and nodev
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: cifs-utils
Assigned To: Jeff Layton
Reported: 2012-10-01 03:49 EDT by Marcus Moeller
Modified: 2014-06-18 03:42 EDT
Last Closed: 2012-10-01 09:18:35 EDT
Description Marcus Moeller 2012-10-01 03:49:15 EDT
Description of problem:
In previous versions of mount, setting the user parameter automatically implied 'noexec,nosuid,nodev' which is no longer the case. The man page still lists this feature, so mount should either imply these settings again or the note should be removed from man(8) mount.

Version-Release number of selected component (if applicable):
util-linux-2.22-1.fc18.x86_64
Comment 1 Karel Zak 2012-10-01 07:03:36 EDT
Do you have any example? It works for me:

$ findmnt --fstab /mnt/test
TARGET    SOURCE    FSTYPE OPTIONS
/mnt/test /dev/sdb1 auto   defaults,user,noauto

$ mount /mnt/test

$ findmnt --kernel /mnt/test       
TARGET    SOURCE    FSTYPE OPTIONS
/mnt/test /dev/sdb1 ext2   rw,nosuid,nodev,noexec,relatime,stripe=32
Comment 2 Marcus Moeller 2012-10-01 07:14:06 EDT
mount.cifs  -o nobrl,mfsymlinks,noserverino,file_mode=0700,dir_mode=0700,user,uid=myuid,cruid=myuid,gid=mygid,sec=krb5 //my/cifs/dfs/mount /mnt/

//my/cifs/dfs/mount on /mnt type cifs (rw,relatime,vers=1.0,sec=krb5,cache=loose,unc=\\..,username=myuser,uid=myuid,forceuid,gid=mygid,forcegid,addr=...,file_mode=0700,dir_mode=0700,nounix,nobrl,mfsymlinks,rsize=61440,wsize=65536,actimeo=1)
Comment 3 Karel Zak 2012-10-01 07:57:34 EDT
(In reply to comment #2)
> mount.cifs 

This is a binary from cifs-utils; mount(8) only executes this helper program. Try

 LIBMOUNT_DEBUG=0xffff mount /mnt

to see more details, for example:

 32398: libmount:      CXT: [0x226d980]: mount: generate helper mount options
 32399: libmount:      CXT: [0x226d980]: argv[0] = "/sbin/mount.cifs"
 32399: libmount:      CXT: [0x226d980]: argv[1] = "//sr.net.home/kzak"
 32399: libmount:      CXT: [0x226d980]: argv[2] = "/mnt/kzak"
 32399: libmount:      CXT: [0x226d980]: argv[3] = "-o"
 32399: libmount:      CXT: [0x226d980]: argv[4] = "rw,noexec,nosuid,nodev,username=SRGROUP/kzak,user"

BTW, the mount.<type> helpers have to interpret and verify (against fstab) the 'user' mount option independently of the command line. We cannot follow the command line in suid binaries.

Note that on my system (f16) /sbin/mount.cifs is not suid and it returns
"This program is not installed setuid root -  "user" CIFS mounts not supported."
Comment 4 Jeff Layton 2012-10-01 08:31:03 EDT
(In reply to comment #2)
> mount.cifs  -o
> nobrl,mfsymlinks,noserverino,file_mode=0700,dir_mode=0700,user,uid=myuid,
> cruid=myuid,gid=mygid,sec=krb5 //my/cifs/dfs/mount /mnt/
> 
> //my/cifs/dfs/mount on /mnt type cifs
> (rw,relatime,vers=1.0,sec=krb5,cache=loose,unc=\\..,username=myuser,
> uid=myuid,forceuid,gid=mygid,forcegid,addr=...,file_mode=0700,dir_mode=0700,
> nounix,nobrl,mfsymlinks,rsize=61440,wsize=65536,actimeo=1)

The "user" option is really only supposed to be used with fstab as a way to designate a mount as mountable by an unprivileged user. Traditionally, /bin/mount has interpreted that option for us, and added those options to the option string before calling the mount helper.

Executing the mount.cifs helper directly is not really supported. What are you trying to achieve by running it directly?
Comment 5 Marcus Moeller 2012-10-01 09:18:35 EDT
@Jeff okay, thanks for pointing that out. We will set those options manually, then. It just was a fast way to set a bunch of required options at once.
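
An added example (not part of the thread, and not code from util-linux or cifs-utils): a Python check that compares fstab entries marked user/users with the live mount table and reports any that are mounted without the noexec, nosuid and nodev restrictions mount(8) documents for those options, which is the state shown in comment 2. The fstab and mount-table text is constructed sample data, and the function names are this example's own.

```python
# Added example; SAMPLE_FSTAB and SAMPLE_MOUNTS are constructed, not real system data.
IMPLIED = ("noexec", "nosuid", "nodev")
OVERRIDE = {"exec": "noexec", "suid": "nosuid", "dev": "nodev"}

SAMPLE_FSTAB = """\
# constructed fstab
/dev/sdb1                   /mnt/test   auto  defaults,user,noauto   0 0
//fileserver.example/share  /mnt/share/ cifs  user,noauto,sec=krb5   0 0
/dev/sdc1                   /mnt/tools  ext4  user,exec,noauto       0 0
"""

# Same layout as /proc/self/mounts: source, target, fstype, options, 0 0
SAMPLE_MOUNTS = """\
/dev/sdb1 /mnt/test ext2 rw,nosuid,nodev,noexec,relatime 0 0
//fileserver.example/share /mnt/share cifs rw,relatime,vers=1.0,sec=krb5 0 0
/dev/sdc1 /mnt/tools ext4 rw,nosuid,nodev,relatime 0 0
"""

def expected_flags(fstab_opts):
    """Restrictions implied by user/users, honouring later exec/suid/dev overrides."""
    flags = set()
    for opt in fstab_opts.split(","):
        if opt in ("user", "users"):
            flags.update(IMPLIED)
        elif opt in IMPLIED:
            flags.add(opt)
        elif opt in OVERRIDE:
            flags.discard(OVERRIDE[opt])
    return flags

def fields(text):
    """Yield the whitespace-split fields of each non-blank, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            yield line.split()

def norm(path):
    """Drop a trailing slash so /mnt/share/ and /mnt/share compare equal."""
    return path.rstrip("/") or "/"

def audit(fstab_text, mounts_text):
    """Return [(target, missing_flags)] for user-mountable entries mounted without them."""
    live = {norm(f[1]): set(f[3].split(",")) for f in fields(mounts_text) if len(f) >= 4}
    findings = []
    for f in fields(fstab_text):
        if len(f) < 4 or not {"user", "users"} & set(f[3].split(",")):
            continue
        target = norm(f[1])
        missing = expected_flags(f[3]) - live[target] if target in live else set()
        if missing:
            findings.append((target, sorted(missing)))
    return findings
```

On a real host, pass the contents of /etc/fstab and /proc/self/mounts to audit() instead of the sample strings.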
