author: Jeff Layton <jlayton@redhat.com> 2009-05-26 16:28:11 -0400
committer: Steve French <sfrench@us.ibm.com> 2009-05-26 21:10:55 +0000
commit: f55ed1a83d099f275c9560ad7d4c4700d1e54bdd (patch)
tree: 863038ab400c725cd7be24ff8782a313ed6a20a0 /fs/cifs
parent: 46a7574caf5bc533c24b315800ed323c187614f5 (diff)
cifs: tighten up default file_mode/dir_mode
The current default file mode is 02767 and dir mode is 0777. This is extremely "loose". Given that CIFS is a single-user protocol, these permissions allow anyone to use the mount -- in effect, giving anyone on the machine access to the credentials used to mount the share.

Change this by making the default permissions restrict write access to the default owner of the mount. Give read and execute permissions to everyone else. These are the same permissions that VFAT mounts get by default so there is some precedent here.

Note that this patch also removes the mandatory locking flags from the default file_mode. After having looked at how these flags are used by the kernel, I don't think that keeping them as the default offers any real benefit. That flag combination makes it so that the kernel enforces mandatory locking.

Since the server is going to do that for us anyway, I don't think we want the client to enforce this by default on applications that just want advisory locks. Anyone that does want this behavior can always enable it by setting the file_mode appropriately.

Signed-off-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Steve French <sfrench@us.ibm.com>
Diffstat (limited to 'fs/cifs')
-rw-r--r-- fs/cifs/connect.c 6
1 files changed, 3 insertions, 3 deletions
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 4aa81a507b74..f32c9036741e 100644
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -827,9 +827,9 @@ cifs_parse_mount_options(char *options, const char *devname,
vol->target_rfc1001_name[0] = 0;
vol->linux_uid = current_uid(); /* use current_euid() instead? */
vol->linux_gid = current_gid();
- vol->dir_mode = S_IRWXUGO;
- /* 2767 perms indicate mandatory locking support */
- vol->file_mode = (S_IRWXUGO | S_ISGID) & (~S_IXGRP);
+
+ /* default to only allowing write access to owner of the mount */
+ vol->dir_mode = vol->file_mode = S_IRUGO | S_IXUGO | S_IWUSR;
/* vol->retry default is 0 (i.e. "soft" limited retry not hard retry) */
vol->rw = true;
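Review bot: The chained assignment `vol->dir_mode = vol->file_mode = S_IRUGO | S_IXUGO | S_IWUSR;` still leaves every file and directory on the mount readable by all local users, and it sets the execute bits (S_IXUGO) on regular files as well as directories. The commit message's concern is that any local user can act through the mount with the mounting user's credentials; after this change that remains true for reads, and only writes are limited to the owner. Consider assigning the two fields separately so that file_mode can omit S_IXUGO, or at least extend the new comment to say that read and execute stay open to group and other by design (the VFAT precedent). The removed comment was also the only in-code note tying the S_ISGID-without-S_IXGRP combination to mandatory locking, so a short remark that those bits are no longer set by default and must now be requested through file_mode would help the next reader.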