[ALUG] How to mount a CIFS file system as a user?

Brett Parker iDunno at sommitrealweird.co.uk
Thu Oct 18 12:49:29 BST 2007


On Thu, Oct 18, 2007 at 11:33:08AM +0100, Chris G wrote:
> On Thu, Oct 18, 2007 at 10:53:57AM +0100, Wayne Stallwood wrote:
> > On Thu, 2007-10-18 at 08:43 +0100, Chris G wrote:
> > > It does say (in some of the places where it suggests it) that one must
> > > have an environment where users are trusted.  Since my environment is
> > > just me all I need to protect against is my stupidity/fallibility.
> > > 
> > I figured that, I just thought it was worth mentioning why this may not
> > be best practise in case somebody else follows this advice. 
> > 
> > > In addition the /etc/shadow file shouldn't be readable to anyone
> > > except root and so won't get copied if you copy /etc, I expect there
> > > may be other files in /etc that aren't world readable for the same
> > > reason. 
> > 
> > That doesn't really matter though does it ? There is nothing as far as I
> > know stopping you from rewriting the passwd file legacy style with
> > password hashes for known passwords. In fact I think it is probably
> > possible to have a mix of these and passwd entries that reference the
> > shadow file. As to the other read only stuff, there is probably nothing
> > that would prevent the system working well enough for someone to login.
> > 
> In that case what is the point of the shadow file?  I suppose it stops
> simple 'brute force' methods of guessing passwords but, if what you
> say is true, that would seem to be all.

It stops users from being able to use cracking utilities over the
passwords in the passwd file, IIRC you can't actually mix shadow with a
passwd file containing passwords.

It can be set with very minimum permissions because the only thing that
should be able to read it is pam or a root user.

(But, yes, if there isn't a shadow file, and the password file includes
passwords, that's all that's needed).

> > Even if the login mechanism forced you to use shadow passwords it would
> > only mean that as soon as you do the mount your version all other logins
> > would fail. In a situation where the sysadmin doesn't have immediate
> > physical access to the box in question this may actually be an advantage
> > to an intruder in some scenarios.
> > 
> But in this case the intruder wouldn't be root would they, and they
> wouldn't be able to become root.

They'd mount /etc from CIFS with a blank or known root password in the
/etc/password file, then they could become root, swivel things about a
bit, and do anything they please.

Anyways... I'm hungry so off to get lunch :)
-- 
Brett Parker




More information about the main mailing list