Bug 134884

Summary: "cifs auto" entry in fstab displays the credentials while booting
Product: [openSUSE] SUSE LINUX 10.0 Reporter: Frank-Michael Fischer <fmfischer>
Component: Security Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Critical    
Priority: P5 - None CC: lmuelle, security-team
Version: Final   
Target Milestone: ---   
Hardware: i686   
OS: Other   
Whiteboard:
Found By: Beta-Customer Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: open samba credentials in boot.msg

Description Frank-Michael Fischer 2005-11-22 11:33:44 UTC
When having a line like this in your fstab:

/tv/capture         /mnt/tv              cifs      \ auto,credentials=/root/tv,uid=mifi,gid=users,workgroup=cp

SUSE Linux tries to mount this share BEFORE the network is up. So /var/log/boot.msg (and therefore the startup display) contains the lines:

mount.cifs kernel mount options unc=//tv\capture,ip=192.168.178.27,user= mifi,pass= xcvbnmsdf,ver=1,rw,credentials=/root/tv,uid=501,gid=100,workgroup=cp 
mount error 101 = Network is unreachable
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)

So anyone watching the startup screen can see the credentials. This security hole does not depend on the failure of the cifs mount. Strangely enough the mount succeeds automatically later on when the network is up.

SUSE 9.3 shows the same problem.

There is no need whatsoever to display samba share credentials during bootup.
Comment 1 Frank-Michael Fischer 2005-11-22 11:35:05 UTC
Created attachment 58080
open samba credentials in boot.msg
Comment 2 Marcus Meissner 2006-02-15 14:30:47 UTC
Hmm, we forgot this bug, sorry.

Lars, any idea?
Comment 3 Lars Müller 2006-02-15 15:44:48 UTC
Adding 'nocifs' to /etc/init.d/boot.localfs to exclude cifs mounts like smbfs as we have it in factory should be enough.
Comment 4 Lars Müller 2006-02-15 15:52:20 UTC
Frank-Michael: Thanks a lot for the report! We already fixed it in our currently developed tree (named factory) as mentioned in comment #3.

You can add the required fix by adding 'nocifs' to the mount -a calls in /etc/init.d/boot.localfs.
Comment 5 Lars Müller 2006-02-15 16:01:07 UTC
This is a duplicate of bug #134352
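
An audit for the leak and the fix discussed in this report, as an added example that is not part of the original thread or of SUSE's init scripts. The function names and both sample inputs are constructed for illustration; only the log line format, the `nocifs` token and the two file paths come from the report.

```shell
#!/bin/sh
# Added example, not part of the bug report or of SUSE's init scripts.

# Report every mount.cifs option line that carries a non-empty pass= value.
# Reads a boot log on stdin; prints "LINE: text" with everything from pass=
# onward dropped (a password may itself contain commas), so the audit
# output does not repeat the leak.
find_cifs_leaks() {
    awk '/mount\.cifs kernel mount options/ && /[ ,]pass= *[^ ,]/ {
             sub(/pass=.*/, "pass=<redacted>")
             print NR ": " $0
         }'
}

# Report every uncommented "mount -a" call that does not exclude cifs,
# i.e. lacks the nocifs type filter named in comment 3.
# Reads an init script on stdin; no output means every call is covered.
mount_a_without_nocifs() {
    awk '/^[^#]*mount +-a/ && !/nocifs/ { print NR ": " $0 }'
}

# Constructed sample input (format follows the log lines quoted in the
# description; address and password are made up).
SAMPLE_BOOT_MSG='Mounting local file systems...
mount.cifs kernel mount options unc=//tv\capture,ip=192.0.2.10,user= mifi,pass= EXAMPLEPW,ver=1,rw,credentials=/root/tv,uid=501,gid=100,workgroup=cp
mount error 101 = Network is unreachable'

# Constructed init-script lines, not the real contents of boot.localfs.
SAMPLE_INIT='# mount -a is called twice below
mount -av -t nonfs,nosmbfs
mount -av -t nonfs,nosmbfs,nocifs'

printf '%s\n' "$SAMPLE_BOOT_MSG" | find_cifs_leaks
printf '%s\n' "$SAMPLE_INIT" | mount_a_without_nocifs

# On an affected system (paths from the report):
#   find_cifs_leaks < /var/log/boot.msg
#   mount_a_without_nocifs < /etc/init.d/boot.localfs
```

A hit from `find_cifs_leaks` means the password in the referenced credentials file has already been written to a log and shown on the console, so it should be changed after the init script is fixed.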