From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jeremy Allison
Subject: Re: [RFC PATCH] CIFS posix acl permission checking
Date: Thu, 4 Mar 2010 09:33:45 -0800
Message-ID: <20100304173345.GE18904@samba1>
References: <201003041150.08341.jon@severinsson.net> <1267710262.2375.280.camel@localhost> <201003041621.44577.jon@severinsson.net> <1267717913.2375.298.camel@localhost>
In-Reply-To: <1267717913.2375.298.camel@localhost>
Reply-To: Jeremy Allison
To: simo
Cc: linux-fsdevel@vger.kernel.org, linux-cifs-client@lists.samba.org, linux-kernel@vger.kernel.org
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Sender: linux-cifs-client-bounces@lists.samba.org
Errors-To: linux-cifs-client-bounces@lists.samba.org
List-Id: linux-fsdevel.vger.kernel.org

On Thu, Mar 04, 2010 at 10:51:53AM -0500, simo wrote:
>
> Letting a different user access the mount point *is* a security
> violation in itself. The CIFS security model lies in per user sessions.
> The right way to fix the problem is multi-session mounts. Allowing a
> different user to use a user session is a violation of the security
> model of CIFS.

Multi-session mounts are the only sane fix. This is what Windows
does in their redirector (when a process with different credentials
traverses into a mount point a new sessionsetup is done to get
remote credentials).

Jeremy.