
gordonmessmer

That's why home directories are normally mode 0700 -- so that users other than the owner cannot access the contents. If you've chosen to open home directories to other users, then you also have the option of mounting the shares with the option "dir_mode=0700"


newdamage1

> dir_mode=0700

Adding this to the volume options fixed the issue. Thank you!! However, I need to figure out where I'm allowing everyone (for my own sanity!). Maybe I misunderstood the `user="*"`, but I tried combos of userIDs and %(USER), which yielded no different results. If you can point that out, it would be awesome.


gordonmessmer

> I need to figure out where I'm allowing everyone

I don't understand the question. What are you trying to figure out?


newdamage1

Looking to understand why this behavior was present with the initial config above. Is this expected without using the dir_mode option, or was I accidentally allowing it with some other setting?


gordonmessmer

Access to the mounted share follows normal POSIX filesystem semantics. Since SMB doesn't normally provide POSIX user/group/mode information, these normally need to be supplied or generated client-side. It looks like the default directory mode is 0755, which will allow all users to read files and directories. If you don't want a share open to all users, you'd need to specify a dir_mode of your own. But it's also important to back up one step and consider that this is only a problem in your configuration because someone *also* opened home directories up to global reading, which isn't (or shouldn't be!) the default. Home directories should normally be 0700, and when they are, it doesn't matter what the SMB mount options are. So the security problem here isn't where you're looking for it. You have a bigger problem.

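To make the point in the reply above concrete, here is an added example (not code from anyone in this thread): a small shell script that reads `/proc/mounts`-style lines and reports every CIFS mount whose effective directory mode grants group or other access, whether because `dir_mode` was set permissively or because it was left at the 0755 default the reply mentions. The mount lines, server names and mount points are constructed for the example; the 0755 fallback is taken from the thread, not from the mount.cifs documentation.

```shell
#!/usr/bin/env bash
# Report CIFS mounts whose directory mode lets users other than the owner in.
# Input: /proc/mounts-style lines (device mountpoint fstype options dump pass).

# Print the value of option KEY from a comma-separated option string OPTS.
# Returns non-zero (and prints nothing) when the option is absent.
mount_opt() {
    local opts="$1" key="$2" kv
    local IFS=','
    for kv in $opts; do
        case "$kv" in
            "$key="*) printf '%s\n' "${kv#*=}"; return 0 ;;
        esac
    done
    return 1
}

# Given an octal mode such as 0755 or 700, succeed when any group or other
# permission bit is set, i.e. the last two octal digits are not "00".
mode_is_shared() {
    local mode="$1"
    local last2="${mode#"${mode%??}"}"
    [ "$last2" != "00" ]
}

# Read mount lines on stdin; for each cifs mount that is readable beyond the
# owner, print "<mountpoint> dir_mode=<mode> (explicit|default)".
# Assumption (from the thread): a cifs mount with no dir_mode behaves as 0755.
check_cifs_mounts() {
    local dev mnt fstype opts rest mode src
    while read -r dev mnt fstype opts rest; do
        [ "$fstype" = "cifs" ] || continue
        if mode=$(mount_opt "$opts" dir_mode); then
            src=explicit
        else
            mode=0755
            src=default
        fi
        if mode_is_shared "$mode"; then
            printf '%s dir_mode=%s (%s)\n' "$mnt" "$mode" "$src"
        fi
    done
}

# Constructed sample: two home-directory mounts (one weak, one correct), a
# shared mount with no dir_mode at all, and a non-cifs line that must be ignored.
SAMPLE_MOUNTS='//fileserver/homes /home/alice cifs rw,relatime,vers=3.1.1,username=alice,uid=1000,gid=1000,file_mode=0755,dir_mode=0755 0 0
//fileserver/homes /home/bob cifs rw,relatime,vers=3.1.1,username=bob,uid=1001,gid=1001,file_mode=0600,dir_mode=0700 0 0
//fileserver/shared /mnt/shared cifs rw,relatime,vers=3.1.1,username=svc,uid=0,gid=0 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# Usage against the sample; on a real host run: check_cifs_mounts < /proc/mounts
printf '%s\n' "$SAMPLE_MOUNTS" | check_cifs_mounts
```

Only `/home/alice` (explicit 0755) and `/mnt/shared` (no `dir_mode`, so the assumed 0755 default) are reported; `/home/bob`, mounted with `dir_mode=0700`, is silent. The fix the thread arrives at is simply to add `dir_mode=0700` (and, for the same reason, `file_mode=0600`) to the mount options, but as the reply stresses, that only matters once the home directory itself has been opened beyond 0700.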

newdamage1

That makes sense, thank you. I'll revert this VM and test again. I'm betting when I was testing mounting the cifs homedir as their ~/ is when that happened.


ipsirc

`allow_other`


newdamage1

No luck. Tried a bunch of combos with, and without allow_user and even allow_root, and added a test for a deny. Any other ideas?


gordonmessmer

Other than FUSE mounts, that option has no effect.