From: Ian Kent <raven@themaw.net>
To: "Cyril B." <cbay@excellency.fr>
Cc: "autofs@vger.kernel.org" <autofs@vger.kernel.org>
Subject: Re: [PATCH] Add a --mode option to chmod the mount point of the maps
Date: Mon, 14 Sep 2015 18:38:31 +0800
Message-ID: <1442227111.3030.75.camel@themaw.net>
In-Reply-To: <55F69DA2.7060204@excellency.fr>

On Mon, 2015-09-14 at 12:12 +0200, Cyril B. wrote:
> Ian Kent wrote:
> > So are you saying you don't have sufficient faith in the permissions set
> > on the file systems you're mounting, that contain the information you want
> > to protect, that you must have the permissions of an intermediate file
> > system set to ensure that information about that vulnerability is not
> > seen?
> 
> I do know that there's no vulnerability at all, and that you can 
> trivially list users by other means.
> 
> Unfortunately, some of my less tech savvy users believe that there's a 
> vulnerability because they can see other accounts' home directories, and 
> thus feel that their own files are not safe. Is this stupid? Absolutely.
> But changing my /home permissions to 751 makes those users happy and 
> saves my time -- and my reputation as a sysadmin :)
> 
> I also do realize that the 755 permissions come from the autofs kernel 
> filesystem itself. But the kernel doesn't support a 'mode' option for 
> autofs (some other file systems do), and even if it did, autofs would 
> have to be patched to support it (in a slightly different way than my 
> current patch).
> 
> I understand that my use case may be a corner case, and I'm perfectly 
> fine with keeping my patch in my own tree. I figured that since I had 
> written the patch for myself anyway, I may as well post it here as it
> could be useful for others :)

And I didn't say I wouldn't accept the change but I will need you to do
the work to include all the things that the patch needs.

I'm not sure if it would be better to add mode as an autofs file system
option to the kernel and yes, the daemon would still need changes. It
might end up more complicated that way.

Ian

