On Sat, May 28, 2005 at 11:45:23PM +0200, Bill Allombert wrote: > On Sat, May 28, 2005 at 02:07:04PM -0700, Steve Langasek wrote: > > On Sat, May 28, 2005 at 06:39:28PM +0200, Bill Allombert wrote: > > > On Fri, May 27, 2005 at 12:20:49PM -0700, Steve Langasek wrote: > > > > On Sat, May 28, 2005 at 05:17:39AM +1000, Andrew Bartlett wrote: > > > > Yeah, on second look I see that it can be done in smbmount, and this would > > > > be a far more expedient fix. > > > You mean something like the patch below ? > > > (Not tested yet, want to be sure this is the idea) > > I would've uploaded such a fix already, but upstream objects to this because > > doing this in userspace instead of in the kernel means losing the other > > features of CAP_UNIX -- which are, uh, symlinks and pipes, basically. I'm > > not really convinced that symlinks and pipes are important enough for people > > who are using existing mounts with uid or gid smashing to warrant shipping > I am obviously biased since I spend a whole night trying to track down this > problem, but I think that people interested in CAP_UNIX will have moved > to kernel 2.6 and cifs. At that point it seems unlikely that kernel 2.4 > will be ever fixed, in Debian or in mainline. > It is a very nasty security problem: The server can change the security > model of the client by enabling unix capability ! This can be used to > compromise the client if the server is compromised. Yes, I certainly agree that it's bad, and I'm really leaning towards the position that the security implications for users upgrading from woody outweigh upstream's desire for the other features to Just Work. Even *those* are a behavior change, and arguably not an automatic win for all users. > One option would be to check if the host run a 2.4 kernel or a 2.6 kernel > and only apply the correction for 2.4 kernel. (It is my understanding > that 2.6 kernels do not have this problem, though I did not try); Well, most people using 2.6 kernels are likely to be using cifs instead of smbfs anyway (due to smbfs's general bitrot in 2.6 last I looked at it), so I'm not sure that addresses upstream's objections. -- Steve Langasek postmodern programmer
Attachment:
signature.asc
Description: Digital signature