From: Jeremy Allison <jra@samba.org>
To: simo <idra@samba.org>
Cc: Jon Severinsson <jon@severinsson.net>,
linux-fsdevel@vger.kernel.org, linux-cifs-client@lists.samba.org,
linux-kernel@vger.kernel.org
Subject: Re: [linux-cifs-client] [RFC PATCH] CIFS posix acl permission checking
Date: Thu, 4 Mar 2010 09:33:45 -0800 [thread overview]
Message-ID: <20100304173345.GE18904@samba1> (raw)
In-Reply-To: <1267717913.2375.298.camel@localhost>
On Thu, Mar 04, 2010 at 10:51:53AM -0500, simo wrote:
>
> Letting a different user access the mount point *is* a security
> violation in itself. The CIFS security model lies in per user sessions.
> The right way to fix the problem is multi-session mounts. Allowing a
> different user to use a user session is a violation of the security
> model of CIFS.
Multi-session mounts are the only sane fix. This is what Windows
does in their redirectory (when a process with different credentials
traverses into a mount point a new sessionsetup is done to get remote
credentials).
Jeremy.
WARNING: multiple messages have this Message-ID (diff)
From: Jeremy Allison <jra@samba.org>
To: simo <idra@samba.org>
Cc: linux-fsdevel@vger.kernel.org, linux-cifs-client@lists.samba.org,
linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH] CIFS posix acl permission checking
Date: Thu, 4 Mar 2010 09:33:45 -0800 [thread overview]
Message-ID: <20100304173345.GE18904@samba1> (raw)
In-Reply-To: <1267717913.2375.298.camel@localhost>
On Thu, Mar 04, 2010 at 10:51:53AM -0500, simo wrote:
>
> Letting a different user access the mount point *is* a security
> violation in itself. The CIFS security model lies in per user sessions.
> The right way to fix the problem is multi-session mounts. Allowing a
> different user to use a user session is a violation of the security
> model of CIFS.
Multi-session mounts are the only sane fix. This is what Windows
does in their redirectory (when a process with different credentials
traverses into a mount point a new sessionsetup is done to get remote
credentials).
Jeremy.
next prev parent reply other threads:[~2010-03-04 17:42 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-03-04 10:50 [RFC PATCH] CIFS posix acl permission checking Jon Severinsson
2010-03-04 10:50 ` Jon Severinsson
2010-03-04 13:44 ` [linux-cifs-client] " simo
2010-03-04 13:44 ` simo
2010-03-04 15:21 ` Jon Severinsson
2010-03-04 15:51 ` [linux-cifs-client] " simo
2010-03-04 15:51 ` simo
2010-03-04 17:33 ` Jeremy Allison [this message]
2010-03-04 17:33 ` Jeremy Allison
2010-03-04 16:18 ` [linux-cifs-client] " Jeff Layton
2010-03-04 16:18 ` Jeff Layton
2010-03-05 9:47 ` [linux-cifs-client] " Michael Adam
2010-03-05 9:47 ` Michael Adam
2010-03-11 22:45 ` [linux-cifs-client] " Michael Adam
2010-03-11 22:45 ` Michael Adam
2010-03-12 1:24 ` [linux-cifs-client] " Jeff Layton
2010-03-12 1:24 ` Jeff Layton
2010-03-12 1:53 ` [linux-cifs-client] " Jeremy Allison
2010-03-12 1:53 ` Jeremy Allison
2010-03-12 8:09 ` [linux-cifs-client] " Michael Adam
2010-03-12 8:09 ` Michael Adam
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100304173345.GE18904@samba1 \
--to=jra@samba.org \
--cc=idra@samba.org \
--cc=jon@severinsson.net \
--cc=linux-cifs-client@lists.samba.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.