Re: Ubuntu SecurityFlags at boot

Re: Ubuntu SecurityFlags at boot

[Lott, Christopher M]

I hope it's not too late to reply to this thread from August 2012, and 
that someone can please find time to explain to me how to set security 
flags for CIFS.

In a nutshell I'm trying to connect a freshly installed ubuntu 12.04 
desktop as a client to get files from an old samba server that demands 
passwords as plaintext.  No printing, nothing fancy, just file service.

Is there still a feature in Ubuntu 12.04 to allow this, possibly by 
manipulating these security flags?

I'm basically doing just this:

sudo mount -t cifs //myoldtiredserver/lott /mnt

And watching /var/log/kern.log I see this:

Oct  1 18:14:57 cltp kernel: [ 3397.554888] CIFS VFS: Server requests 
plain text password but client support disabled
Oct  1 18:14:57 cltp kernel: [ 3397.616357] CIFS VFS: cifs_mount failed 
w/return code = -13

All attempts to echo a value to a magic file in /proc/fs/cifs such as 
the one shown below are met with permission denied, even with sudo:

$ sudo echo 0x30030 > /proc/fs/cifs/SecurityFlags
bash: /proc/fs/cifs/SecurityFlags: Permission denied

Please let me know if I'm not asking sensible questions.  :/  Thanks in 
advance for any help!


 > It would be possible to build cifs.ko to enable plain text passwords
 > permanently, but may be simpler to just set this in one of the init
 > scripts.  Generally we want to discourage anyone from using
 > authentication types other than ntlmv2 and kerberos for obvious
 > security reasons.
 >
 > On Sun, Aug 5, 2012 at 6:31 AM,  <blueduck@...> wrote:
 > > Hi,
 > >
 > > Looking at fs/cifs/README, I managed to mount shares with plaintext 
 > passwords (using Kubuntu 12.04)
 > with "echo 0x30030 > /proc/fs/cifs/SecurityFlags". But it as to be 
done after each boot.
 > >
 > > Is there any configuration file to modify to make the change permanent?

Re: Ubuntu SecurityFlags at boot

[Jeff Layton]

On Mon, 01 Oct 2012 18:23:39 -0400
"Lott, Christopher M" <clott-as7a0GIpyE2tG0bUXCXiUA@public.gmane.org> wrote:

> I hope it's not too late to reply to this thread from August 2012, and 
> that someone can please find time to explain to me how to set security 
> flags for CIFS.
> 
> In a nutshell I'm trying to connect a freshly installed ubuntu 12.04 
> desktop as a client to get files from an old samba server that demands 
> passwords as plaintext.  No printing, nothing fancy, just file service.
> 
> Is there still a feature in Ubuntu 12.04 to allow this, possibly by 
> manipulating these security flags?
> 
> I'm basically doing just this:
> 
> sudo mount -t cifs //myoldtiredserver/lott /mnt
> 
> And watching /var/log/kern.log I see this:
> 
> Oct  1 18:14:57 cltp kernel: [ 3397.554888] CIFS VFS: Server requests 
> plain text password but client support disabled
> Oct  1 18:14:57 cltp kernel: [ 3397.616357] CIFS VFS: cifs_mount failed 
> w/return code = -13
> 
> All attempts to echo a value to a magic file in /proc/fs/cifs such as 
> the one shown below are met with permission denied, even with sudo:
> 
> $ sudo echo 0x30030 > /proc/fs/cifs/SecurityFlags
> bash: /proc/fs/cifs/SecurityFlags: Permission denied
> 
> Please let me know if I'm not asking sensible questions.  :/  Thanks in 
> advance for any help!
> 
> 

The sudo in the above command just covers the echo command. The shell
redirection (and hence the write to SecurityFlags) is done as the
original user, which is why you're getting EACCES. You probably want
to do something like this to ensure that the shell redirection is done
as root as well:

    $ sudo sh -c "echo 0x30030 > /proc/fs/cifs/SecurityFlags"

-- 
Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

Re: Ubuntu SecurityFlags at boot

[Lott, Christopher M]

Thank you so much for explaining what should have been utterly obvious. 
  It worked perfectly when I did this:

% sudo -i
# echo 0x30030 > /proc/fs/cifs/SecurityFlags
# mount -t cifs //myoldtiredserver/lott /mnt

I'm still getting used to using echo for communicating with a kernel 
module but that's just gonna take time :)

On 10/01/2012 09:48 PM, Jeff Layton wrote:
> The sudo in the above command just covers the echo command. The shell
> redirection (and hence the write to SecurityFlags) is done as the
> original user, which is why you're getting EACCES. You probably want
> to do something like this to ensure that the shell redirection is done
> as root as well:
>
>      $ sudo sh -c "echo 0x30030 > /proc/fs/cifs/SecurityFlags"
>

Re: Ubuntu SecurityFlags at boot

[Jeff Layton]

On Tue, 02 Oct 2012 01:24:57 -0400
"Lott, Christopher M" <clott-as7a0GIpyE2tG0bUXCXiUA@public.gmane.org> wrote:

> Thank you so much for explaining what should have been utterly obvious. 
>   It worked perfectly when I did this:
> 
> % sudo -i
> # echo 0x30030 > /proc/fs/cifs/SecurityFlags
> # mount -t cifs //myoldtiredserver/lott /mnt
> 
> I'm still getting used to using echo for communicating with a kernel 
> module but that's just gonna take time :)
> 
> On 10/01/2012 09:48 PM, Jeff Layton wrote:
> > The sudo in the above command just covers the echo command. The shell
> > redirection (and hence the write to SecurityFlags) is done as the
> > original user, which is why you're getting EACCES. You probably want
> > to do something like this to ensure that the shell redirection is done
> > as root as well:
> >
> >      $ sudo sh -c "echo 0x30030 > /proc/fs/cifs/SecurityFlags"
> >
> 

No problem, shell redirection is tricky and not always obvious...

If someone asked me to invent the most unintuitive, obfuscated
interface possible for setting up cifs.ko authentication, I'd be
hard-pressed to improve on SecurityFlags. Personally, I'd like to see
that go the way of the dodo.

We ought to have a sane, fixed heuristic that decides what
authentication to use based on the NEGOTIATE_PROTOCOL exchange with the
server. Then, we could just allow people to override that by setting a
sec= mount option.

-- 
Jeff Layton <jlayton-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>

Ubuntu SecurityFlags at boot

[blueduck-GANU6spQydw]

Hi,

Looking at fs/cifs/README, I managed to mount shares with plaintext passwords (using Kubuntu 12.04) with "echo 0x30030 > /proc/fs/cifs/SecurityFlags". But it as to be done after each boot.

Is there any configuration file to modify to make the change permanent?

Regards.

Re: Ubuntu SecurityFlags at boot

[Steve French]

It would be possible to build cifs.ko to enable plain text passwords
permanently, but may be simpler to just set this in one of the init
scripts.  Generally we want to discourage anyone from using
authentication types other than ntlmv2 and kerberos for obvious
security reasons.

On Sun, Aug 5, 2012 at 6:31 AM,  <blueduck-GANU6spQydw@public.gmane.org> wrote:
> Hi,
>
> Looking at fs/cifs/README, I managed to mount shares with plaintext passwords (using Kubuntu 12.04) with "echo 0x30030 > /proc/fs/cifs/SecurityFlags". But it as to be done after each boot.
>
> Is there any configuration file to modify to make the change permanent?
>
> Regards.
> --
> To unsubscribe from this list: send the line "unsubscribe linux-cifs" in
> the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html



-- 
Thanks,

Steve