From: Sachin Prabhu <sprabhu-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Scott Lovenberg
<scott.lovenberg-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>,
L A Walsh <law-gT3AUAsYRbTYtjvyW6yDsg@public.gmane.org>
Cc: linux-cifs <linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Re: SMB2: Enforce sec= mount option
Date: Mon, 16 Jan 2017 11:19:03 +0530 [thread overview]
Message-ID: <1484545743.2471.9.camel@redhat.com> (raw)
In-Reply-To: <CAFB9KM3S+p3sU26LKGwqaZ_3g4gkPPzEFzohwAFOa-PZPqZTAQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On Wed, 2017-01-11 at 15:02 -0600, Scott Lovenberg wrote:
> On Tue, Jan 10, 2017 at 5:11 PM, L A Walsh <law-gT3AUAsYRbTYtjvyW6yDsg@public.gmane.org> wrote:
> > Sachin Prabhu wrote:
> > >
> > > If the security type specified using a mount option is not
> > > supported,
> > > the SMB2 session setup code changes the security type to
> > > RawNTLMSSP. We
> > > should instead fail the mount and return an error.
> > >
> >
> > ---
> > Saw the comment by Steve F, and it got me to thinking.
> > Please take this as a suggestion or idea... I'm not
> > heavily committed to a single solution, at this point, as
> > haven't really thought through all of the ramifications.
> >
> > Is it possible to add a 'prefix' or 'suffix', like an
> > "=" sign or a '+' -- to mean:
> >
> > '=' = exactly this 'sec' level
> > '+' = this 'sec'-level or greater
> > '<' = less than or equal to this sec-level
> > ---
> > Using the symbols is a similar idea to some fields in
> > 'find' where +/- are used to indicate greater or less than
> > the stated number.
> >
> > I'm not sure about the symbols, exactly, but I know in samba I
> > ask for smb2 for the protocol and more often than not, only
> > get smb1, but I'd rather have it work than fail.
> >
> > Since I'm on a closed net, I'd have to say the same for
> > security options, but I'd like to have a choice to force it
> > if I wanted to...
> >
> > Anyway -- just an idea that might offer more flexibility than just
> > 'fail'...
> >
>
> It'd take a tiny bit of messing with the command line parser, but I'd
> be for that. As a gesture of good faith, since I raised the issue,
> I'd be willing to submit the patch set for mount.cifs to support this
> if everyone is on board. I'd suggest staying away from '<' and '>'
> as
> they're shell redirects though. This would be a reasonable shorthand
> for a comma separated list (which also might take a bit of messing
> with the parser since we split on ',') - it could reasonably loop in
> the userland mount helper, mount.cifs, in much the same way Steve
> suggested that it should be handled in userland.
>
I think the userland would be a good option to handle this as I suspect
it may be much easier to recover from mount failures and to attempt a
remount from userland.
next prev parent reply other threads:[~2017-01-16 5:49 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-08 6:46 [PATCH] SMB2: Enforce sec= mount option Sachin Prabhu
[not found] ` <CAH2r5msW1Z1j3J+c3RF7NAH9ChKxy2GajKNp7AUxF4sfeZPXUA@mail.gmail.com>
[not found] ` <CAH2r5msW1Z1j3J+c3RF7NAH9ChKxy2GajKNp7AUxF4sfeZPXUA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-01-10 20:23 ` Fwd: " Steve French
[not found] ` <1481179577-15995-1-git-send-email-sprabhu-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-12-08 8:06 ` Scott Lovenberg
[not found] ` <CAFB9KM0oPPm4bYyKd75Yjy-2kCZ=0UTpwn=ONCRo0g5waNa6AA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-12-08 9:03 ` Sachin Prabhu
[not found] ` <1481187800.4195.19.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-12-08 9:14 ` Scott Lovenberg
2017-01-11 11:45 ` Germano Percossi
[not found] ` <c0748fb1-4161-ea0f-3f6d-b0705bb83a9d-Sxgqhf6Nn4DQT0dZR+AlfA@public.gmane.org>
2017-01-11 12:17 ` Sachin Prabhu
[not found] ` <1484137071.29387.9.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-01-11 17:48 ` Scott Lovenberg
[not found] ` <CAH2r5mvU4_O_epw8tTPOHV3UVRyi9eNmE85cFPGVDGR8twQiZg@mail.gmail.com>
[not found] ` <CAH2r5mvU4_O_epw8tTPOHV3UVRyi9eNmE85cFPGVDGR8twQiZg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-01-11 17:59 ` Fwd: " Steve French
2017-01-10 23:11 ` L A Walsh
[not found] ` <58756A3D.6000705-gT3AUAsYRbTYtjvyW6yDsg@public.gmane.org>
2017-01-11 10:46 ` Aurélien Aptel
2017-01-11 21:02 ` Scott Lovenberg
[not found] ` <CAFB9KM3S+p3sU26LKGwqaZ_3g4gkPPzEFzohwAFOa-PZPqZTAQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-01-12 4:23 ` Steve French
2017-01-12 10:33 ` L A Walsh
2017-01-16 5:49 ` Sachin Prabhu [this message]
2017-01-10 23:30 ` L A Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1484545743.2471.9.camel@redhat.com \
--to=sprabhu-h+wxahxf7alqt0dzr+alfa@public.gmane.org \
--cc=law-gT3AUAsYRbTYtjvyW6yDsg@public.gmane.org \
--cc=linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=scott.lovenberg-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.