Commit f55ed1a8 authored by Jeff Layton's avatar Jeff Layton Committed by Steve French

cifs: tighten up default file_mode/dir_mode

The current default file mode is 02767 and dir mode is 0777. This is
extremely "loose". Given that CIFS is a single-user protocol, these
permissions allow anyone to use the mount -- in effect, giving anyone on
the machine access to the credentials used to mount the share.

Change this by making the default permissions restrict write access to
the default owner of the mount. Give read and execute permissions to
everyone else. These are the same permissions that VFAT mounts get by
default so there is some precedent here.

Note that this patch also removes the mandatory locking flags from the
default file_mode. After having looked at how these flags are used by
the kernel, I don't think that keeping them as the default offers any
real benefit. That flag combination makes it so that the kernel enforces
mandatory locking.

Since the server is going to do that for us anyway, I don't think we
want the client to enforce this by default on applications that just
want advisory locks. Anyone that does want this behavior can always
enable it by setting the file_mode appropriately.
Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
Signed-off-by: default avatarSteve French <sfrench@us.ibm.com>
parent 46a7574c
...@@ -827,9 +827,9 @@ cifs_parse_mount_options(char *options, const char *devname, ...@@ -827,9 +827,9 @@ cifs_parse_mount_options(char *options, const char *devname,
vol->target_rfc1001_name[0] = 0; vol->target_rfc1001_name[0] = 0;
vol->linux_uid = current_uid(); /* use current_euid() instead? */ vol->linux_uid = current_uid(); /* use current_euid() instead? */
vol->linux_gid = current_gid(); vol->linux_gid = current_gid();
vol->dir_mode = S_IRWXUGO;
/* 2767 perms indicate mandatory locking support */ /* default to only allowing write access to owner of the mount */
vol->file_mode = (S_IRWXUGO | S_ISGID) & (~S_IXGRP); vol->dir_mode = vol->file_mode = S_IRUGO | S_IXUGO | S_IWUSR;
/* vol->retry default is 0 (i.e. "soft" limited retry not hard retry) */ /* vol->retry default is 0 (i.e. "soft" limited retry not hard retry) */
vol->rw = true; vol->rw = true;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment