Setuid bit always set on Vista mount
in [Samba]
|
Prev: [Samba] Problem with Win 7 and Samba 3.3.10 PDC (Trust Relationship Between Workstation and Domain Failed)
Next: [Samba] SAMBA CUSTOM LOGGING
From: Adam on 15 Feb 2010 13:00 post your smb.conf Robert Edgar wrote: > Files on my Vista mount always have the S mode (setgid bit?) set according > to ls -l. This is a security hole and causes other problems. I can't clear > the bit with chmod; in fact the results of doing chmod don't make any sense > to me (I'll be glad to provide examples). Typical files show as -rwxrwSrwx, > though not all. The smb.conf file has create mask 0666 and directory mask > 0777 various places. I inherited this smb.conf so am reluctant to mess with > it since I don't know what I'm doing. > Thanks for any advice. > Robert. > > > -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
From: Jeff Layton on 15 Feb 2010 13:20
On Fri, 12 Feb 2010 14:39:05 -0800 "Robert Edgar" <bob(a)drive5.com> wrote: > Files on my Vista mount always have the S mode (setgid bit?) set according > to ls -l. This is a security hole and causes other problems. I can't clear > the bit with chmod; in fact the results of doing chmod don't make any sense > to me (I'll be glad to provide examples). Typical files show as -rwxrwSrwx, > though not all. The smb.conf file has create mask 0666 and directory mask > 0777 various places. I inherited this smb.conf so am reluctant to mess with > it since I don't know what I'm doing. > Thanks for any advice. > Robert. > > I assuming this is using Linux CIFS? Older Linux CIFS versions set the file_mode to 02767. That has the setgid bit set, but the group execute bit is cleared. That's not really a security issue -- that combination is supposed to signal to the kernel that it should enforce mandatory locking. The problem though is that we don't really want or need the kernel to enforce that. Thus, more recent Linux kernel versions set the mode to something a bit more sane (0755, IIRC). You can override that on the one you're running by setting the file_mode= mount option (see the mount.cifs manpage). -- Jeff Layton <jlayton(a)samba.org> -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba |