134884 – "cifs auto" entry in fstab displays the credentials while booting

Bug 134884 - "cifs auto" entry in fstab displays the credentials while booting

Summary: "cifs auto" entry in fstab displays the credentials while booting

Status:	RESOLVED FIXED

Alias:	None

Product:	SUSE LINUX 10.0
Classification:	openSUSE
Component:	Security (show other bugs)
Version:	Final
Hardware:	i686 Other

Priority:	P5 - None Severity: Critical
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	E-mail List

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2005-11-22 11:33 UTC by Frank-Michael Fischer
Modified:	2006-02-15 16:01 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Beta-Customer
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
open samba credentials in boot.msg (24.49 KB, text/plain) 2005-11-22 11:35 UTC, Frank-Michael Fischer	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Frank-Michael Fischer 2005-11-22 11:33:44 UTC

When having a line like this in your fstab:

/tv/capture         /mnt/tv              cifs      \ auto,credentials=/root/tv,uid=mifi,gid=users,workgroup=cp

SUSE Linux tries to mount this share BEFORE the network is up. So /var/log/boot.msg (and therefore the startup display) containes the lines:

mount.cifs kernel mount options unc=//tv\capture,ip=192.168.178.27,user= mifi,pass= xcvbnmsdf,ver=1,rw,credentials=/root/tv,uid=501,gid=100,workgroup=cp 
mount error 101 = Network is unreachable
Refer to the mount.cifs(8) manual page (e.g.man mount.cifs)

So anyone watching the startup screen can see the credentials. This security hole does not depend on the failure of the cifs mount. Strangely enough the mount succedes automatically later on when the network is up.

SUSE 9.3 shows the same problem.

There is no need whatsoever to display samba share credentials during bootup.

Comment 1 Frank-Michael Fischer 2005-11-22 11:35:05 UTC

Created attachment 58080 [details]
open samba credentials in boot.msg

Comment 2 Marcus Meissner 2006-02-15 14:30:47 UTC

hmm, we forgot this bug sorry.

lars, any idea?

Comment 3 Lars Müller 2006-02-15 15:44:48 UTC

Adding 'nocifs' to /etc/init.d/boot.localfs to exclude cifs mounts like smbfs as we have it in factory should be enough.

Comment 4 Lars Müller 2006-02-15 15:52:20 UTC

Frank-Michale: Thanks a lot for the report!  We already fixed it in our current developed tree (named factory) as mentioned in comment #3.

You can add the required fix by adding 'nocifs' to the mount -a calls in /etc/init.d/boot.localfs.

Comment 5 Lars Müller 2006-02-15 16:01:07 UTC

This is a duplicate of bug #134352