From patchwork Tue May 26 20:30:25 2009
X-Patchwork-Submitter: Jeff Layton
X-Patchwork-Id: 26093
Date: Tue, 26 May 2009 16:30:25 -0400
From: Jeff Layton
To: Steve French
Cc: linux-cifs-client@lists.samba.org
Subject: Re: [linux-cifs-client] [PATCH 0/3] cifs: some random patches for 2.6.31
Message-ID: <20090526163025.53a7b658@tlielax.poochiereds.net>

On Tue, 26 May 2009 12:28:56 -0500
Steve French wrote:

> On Tue, May 26, 2009 at 11:42 AM, Jeff Layton wrote:
> > On Tue, 26 May 2009 10:08:27 -0500
> > default, but 0744 (or 0755 even) would be an improvement. VFAT seems to
> > default to 0755, so maybe we should just go with that.
>
> No problem at all using the 0755 default, unless other users object it
> seems better than current default

Here's an updated patch that makes the default file_mode/dir_mode 0755.
That just leaves patch 1 in this series up in the air. Does it look ok
as-is?

Thanks,

>From fe9eecff60c81effc399d766f3b82021d98f101f Mon Sep 17 00:00:00 2001
From: Jeff Layton
Date: Tue, 26 May 2009 16:28:11 -0400
Subject: [PATCH] cifs: tighten up default file_mode/dir_mode

The current default file mode is 02767 and dir mode is 0777. This is
extremely "loose". Given that CIFS is a single-user protocol, these
permissions allow anyone to use the mount -- in effect, giving anyone on
the machine access to the credentials used to mount the share.

Change this by making the default permissions restrict write access to
the default owner of the mount. Give read and execute permissions to
everyone else. These are the same permissions that VFAT mounts get by
default so there is some precedent here.

Note that this patch also removes the mandatory locking flags from the
default file_mode. After having looked at how these flags are used by
the kernel, I don't think that keeping them as the default offers any
real benefit. That flag combination makes it so that the kernel enforces
mandatory locking.

Since the server is going to do that for us anyway, I don't think we
want the client to enforce this by default on applications that just
want advisory locks. Anyone that does want this behavior can always
enable it by setting the file_mode appropriately.

Signed-off-by: Jeff Layton
---
 fs/cifs/connect.c | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index 4f5a03c..0426dd0 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c
@@ -827,9 +827,9 @@ cifs_parse_mount_options(char *options, const char *devname, vol->target_rfc1001_name[0] = 0; vol->linux_uid = current_uid(); /* use current_euid() instead? */ vol->linux_gid = current_gid(); - vol->dir_mode = S_IRWXUGO; - /* 2767 perms indicate mandatory locking support */ - vol->file_mode = (S_IRWXUGO | S_ISGID) & (~S_IXGRP); + + /* default to only allowing write access to owner of the mount */ + vol->dir_mode = vol->file_mode = S_IRUGO | S_IXUGO | S_IWUSR; /* vol->retry default is 0 (i.e. "soft" limited retry not hard retry) */ vol->rw = true; -- 1.6.0.6
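
Review bot: The new comment above the added `vol->dir_mode = vol->file_mode = ...` line only mentions write access, but the same hunk also drops `S_ISGID` with `S_IXGRP` cleared from the default file_mode, which the removed comment identified as the mandatory-locking marker. That user-visible change is recorded only in the commit message; I would extend the comment to say that mandatory locking is no longer enabled by default and that setting file_mode explicitly restores it, and update any mount-option documentation that still lists the old 02767/0777 defaults. Two smaller points: the shared value gives regular files the execute bits as well (0755, which matches the VFAT precedent cited in the commit message, so fine if intended, but worth stating in the comment), and kernel coding style prefers one assignment per line, so splitting dir_mode and file_mode into two statements would read better.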