Re: fmount system call

Martin von Loewis (martin@mira.isdn.cs.tu-berlin.de)
Thu, 24 Jul 1997 08:52:46 +0200


> during the smbfs-rewrite I remembered the security problem in smbmount
> and ncpmount. Both programs are designed to let the user mount remote
> file systems of his own. This is necessary because the remote file
> systems are per-user password protected. To do this, they check
> whether the user has write permissions on the mount point and then
> mount the file. Playing with links between the check and the real
> mount creates quite well-known races.

Hmmm. AFAIK, this comes from smbmount and ncpmount being setuid-root,
which in turn comes from mount(2) requiring root privileges. Maybe
this restriction could be relaxed with some additional VFS protocol,
like adding a per-fs function verify_credentials. So the actual mount
would proceed, if
- the current uid is 0 or
- the fs driver in question supports the verify_credentials operation
and calling it returns true and the current user has write permissions
for the mount point.
If this is implemented, smbmount could lose its s-bit, or at least
drop the checks that lead to races.

Regards,
Martin
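
Added example, not part of the original message and not code from smbmount or ncpmount: the check-then-mount race discussed above comes from resolving the mount point name twice, and the sketch below contrasts a by-name check with one bound to an opened directory. The function names `racy_check` and `open_checked_mountpoint` and the owner-only write policy are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: access(2) resolves the name now, the later mount(2) resolves
 * it again, and a link swapped in between changes what gets mounted on. */
int racy_check(const char *path)
{
    return access(path, W_OK) == 0;
}

/* Resolve the name once, refuse a symlink as the final component, and decide
 * on the opened object. Simplified policy (assumption): the directory must be
 * owned by uid with the owner-write bit set. Returns an fd, or -1. */
int open_checked_mountpoint(const char *path, uid_t uid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode) ||
                    st.st_uid != uid || !(st.st_mode & S_IWUSR))) {
        close(fd);
        return -1;
    }
    return fd; /* -1 if open failed; later steps must use the fd, not the path */
}

int main(void)
{
    char dir[] = "/tmp/mntchkXXXXXX", lnk[64]; /* constructed sample paths */
    if (!mkdtemp(dir))
        return 1;
    snprintf(lnk, sizeof lnk, "%s.lnk", dir);
    if (symlink(dir, lnk) != 0)
        return 1;
    int fd = open_checked_mountpoint(dir, getuid());
    int lfd = open_checked_mountpoint(lnk, getuid());
    printf("by-name check on link: %d\n", racy_check(lnk));
    printf("fd check: directory %s, link %s\n",
           fd >= 0 ? "ok" : "refused", lfd >= 0 ? "ok" : "refused");
    if (fd >= 0)
        close(fd);
    unlink(lnk);
    rmdir(dir);
    return 0;
}
```

O_NOFOLLOW only covers the last path component, so links in parent directories are still followed; the descriptor helps only if the mount step acts on it instead of re-resolving the name.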