smbmnt must be installed suid root...

Rick Stevens rstevens at vitalstream.com
Fri Feb 4 01:08:23 UTC 2005


Mark Knecht wrote:
> Hi,
>    I am able to set up an NFS mount in fstab so that a user can mount
> it but I cannot do the same for an smbfs mount. So far I always get a
> message back saying:
> 
> smbmnt must be installed suid root 
> for direct user mounts (500,500)
> smbmnt failed: 1
> 
> I did some Googling and see this is a fairly common post, but it seems
> that the agreed upon solution is not. Some say that changing
> permissions on smbmnt is a bad thing to do as it raises security
> issues. What security issues?

Any command that's set suid root can be dangerous, as anyone can execute
the command AND the command, when run, has root permissions.  That 
wouldn't necessarily be that dangerous as smbmnt is transient (it's 
invoked, does the mount, then goes away) so the window of vulnerability
is relatively small.

>                               Do they apply to a home network desktop
> system to any great extent? Is there some other way to do this that
> will accomplish what I want?

Not really.

>    Here's the line from fstab: (Line break by hand)
> 
> //GIGASTUDIO/16-Bit-loop /mnt/GSt-Gigs          smbfs
>    username=mark,password=removed,noauto,user,ro 0 0
> 
>    What's a good way to accomplish this without messing with system security?

There really isn't.  Mounting non-removable media as non-root users
really isn't supported for any filesystem type because of security
issues and because there's no direct mapping of Unix security to Windows
security models.

If you must, here's the rules:  If you set the "suid" bit, the program
runs as the OWNER of the file.  So, first make sure the program is owned
by root.  Then you can set the "suid" bit by (as root):

	# chmod u+s /usr/bin/smbmnt

When you "ls -l /usr/bin/smbmnt", if you see an "s" for the user part,
then it took.  An "S" (capital S) means the suid root bit stuck, but
the program didn't originally have the execute bit set:

	s = suid AND execute set
	S = suid and execute NOT set

If you wish to remove the suid bit, use "chmod u-s /usr/bin/smbmnt".
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-      On a scale of 1 to 10 I'd say...  oh, somewhere in there.     -
----------------------------------------------------------------------
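
Added example, not part of the original post: shell functions that check the conditions described above (setuid bit, owner-execute bit, root ownership) and list setuid files for review. The function names suid_state, runs_as_root and audit_suid are hypothetical; only POSIX find and test are assumed.

```shell
#!/bin/sh
# Added example (not from the original message). Function names are hypothetical.

# Print the setuid state of a file the way "ls -l" shows it in the user part:
#   s  setuid bit AND owner-execute bit set
#   S  setuid bit set, owner-execute bit NOT set
#   -  no setuid bit
suid_state() {
    [ -e "$1" ] || { echo "missing"; return 1; }
    if [ -n "$(find "$1" -prune -perm -4100)" ]; then
        printf '%s\n' s
    elif [ -n "$(find "$1" -prune -perm -4000)" ]; then
        printf '%s\n' S
    else
        printf '%s\n' -
    fi
}

# Succeed only if the file would run with root privileges when any user
# executes it: state "s" and owned by uid 0.
runs_as_root() {
    [ "$(suid_state "$1")" = s ] && [ -n "$(find "$1" -prune -user 0)" ]
}

# List every setuid regular file under the given directories so that
# unexpected ones (or ones that should be reverted with chmod u-s) stand out.
audit_suid() {
    for dir in "$@"; do
        find "$dir" -xdev -type f -perm -4000 2>/dev/null |
        while IFS= read -r f; do
            if runs_as_root "$f"; then
                note="runs as root"
            else
                note="setuid set, not effective as root"
            fi
            printf '%s  %s  %s\n' "$(suid_state "$f")" "$f" "$note"
        done
    done
}

# Usage (as any user):  audit_suid /usr/bin /usr/sbin
```
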
