/etc/mtab shows cifs mount options usernames and password

Bug #380272 reported by Terrrorr
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
samba (Ubuntu) | Invalid | Wishlist | Unassigned |
util-linux (Debian) | Fix Released | Unknown | |
util-linux (Ubuntu) | Won't Fix | Low | Unassigned |

Bug Description

Binary package hint: mount

When mounting a CIFS share you can read all mount options from /etc/mtab. This is a major security risk if you are using shared network resources. Here is an example of my cifs mount information:

//192.168.1.10/Te****t /home/<username>/Mount/Te****t cifs rw,username=<username>,password=<password>,iocharset=utf8,file_mode=0777,dir_mode=0777,uid=1000 0 0

I found this on Ubuntu 8.10 server and 9.10 desktop edition.

Could this one fix it:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=298725

- Terrrorr

visibility: private → public
affects: util-linux (Ubuntu) → samba (Ubuntu)
Changed in samba (Ubuntu):
status: New → Confirmed
Changed in samba (Debian):
status: Unknown → New
Chuck Short (zulcss)
Changed in samba (Ubuntu):
importance: Undecided → Wishlist
Thierry Carrez (ttx) wrote :

Note that this is only if /sbin/mount.cifs isn't present (smbfs not installed).

For root CIFS mounts, mount.cifs helper is called when present, otherwise only "mount" and kernel magic is used to mount the filesystem... and they don't know about sensitive options to scrub.

Thierry Carrez (ttx) wrote :

Not a bug in smbfs or samba, since they aren't even installed... and when they are installed everything behaves correctly. Moving to util-linux, but I'm not really sure it would be considered a bug there...

Thierry Carrez (ttx)
Changed in samba (Ubuntu):
status: Confirmed → Invalid
affects: samba (Debian) → util-linux (Debian)
Changed in util-linux (Ubuntu):
status: New → Confirmed
Changed in util-linux (Ubuntu):
importance: Undecided → Low
Jamie Strandboge (jdstrand) wrote :

Marking Ubuntu task as "Won't Fix". We won't diverge from Debian on this and if they fix it we will get it in our development release.

Changed in util-linux (Ubuntu):
status: Confirmed → Won't Fix
Changed in util-linux (Debian):
status: New → Fix Released
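
An added example, not part of the original bug report or of util-linux: a small audit helper that scans text in the /etc/mtab format for cifs entries whose options carry a `password=` value, and returns a redacted copy that is safe to paste into a ticket. The sample lines, host, user names and the `scan_mtab` and `unescape` helper names are constructed for illustration.

```python
import re

# Constructed sample in /etc/mtab format, modelled on the line in the report.
SAMPLE_MTAB = """\
/dev/sda1 / ext4 rw,errors=remount-ro 0 0
//192.0.2.10/share /home/alice/Mount/My\\040Share cifs rw,username=alice,password=S3cret!,iocharset=utf8,uid=1000 0 0
//192.0.2.10/docs /mnt/docs cifs rw,username=bob,uid=1000 0 0
"""

SECRET_KEYS = ("password",)  # option named in the report; extend as needed


def unescape(field):
    """Decode the octal escapes (e.g. \\040 for space) used in mtab fields."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def scan_mtab(text, secret_keys=SECRET_KEYS):
    """Return (findings, redacted_text) for cifs entries exposing secrets."""
    findings, out_lines = [], []
    for line in text.splitlines():
        fields = line.split()
        # Fields: device, mount point, fstype, options, dump, pass
        if len(fields) >= 4 and not line.startswith("#") and fields[2] == "cifs":
            opts, leaked = [], []
            for opt in fields[3].split(","):
                key, sep, _value = opt.partition("=")
                if sep and key.lower() in secret_keys:
                    leaked.append(key)
                    opt = key + "=<redacted>"
                opts.append(opt)
            if leaked:
                findings.append((unescape(fields[1]), leaked))
                fields[3] = ",".join(opts)
                line = " ".join(fields)
        out_lines.append(line)
    return findings, "\n".join(out_lines)


if __name__ == "__main__":
    found, redacted = scan_mtab(SAMPLE_MTAB)
    for mountpoint, keys in found:
        print(f"{mountpoint}: exposes {', '.join(keys)} in mount options")
    print(redacted)
```

To audit a live host, pass the contents of /etc/mtab to `scan_mtab` instead of the sample.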
This report contains Public Security information  
Everyone can see this security related information.
