# Is there a way to mount with smbfs without being root?

## jkcunningham

I have to access a Windows server at work from a linux machine. I do this using an smbfs mount. The Windows server requires a network username/workgroup/password for access, but it is a public share. I can mount this using this line in my /etc/fstab:

//136.202.23.183/groups /home/groups smbfs credentials=/home/jcunningham/.smbfscred,uid=1002,gid=100,noatime 0 0 

but I can only mount this as su. Doing so gives other users on this machine read access to this mount, but not write access, except for jcunningham. 

I'd like to be able to either mount this as su so that all users can write to the mount, or enable them to mount it themselves without being root. 

I've tried playing with the privilege bits on the mountpoint but it makes not difference. 

Any ideas? Or am I going about this the wrong way?

Thanks.

-Jeff

----------

## adaptr

No, the permissions on the mount point are irrelevant.

You can add the option "user" to the fstab entry, but this will allow any user to mount/unmount the share.

To do it right you have to setup sudo for mount.

man sudo / visudo / sudoers for more info.

In short, this will allow you to execute privileged commands with your own password or without any password.

You could put this in sudoers:

```
jcunningham localhost= /bin/mount
```

You can add the NOPASSWD option to skip authenticating.

Go to the sudo home page for full enlightenment  :Wink: 

Other users being able to read the share is a permission issue: set the right umask on the mounted share and only you (the owner of the files) can access them.

Rephrased:

Give "username=jcunningham, passwd=xxxx" as options to fstab, and add "umask = 077", this way only YOU can access the mount.

This is nothing to do with permissions on the Windows share; they are all separate and applied one after the other (IOW if you had acces to hte share but none of the files were accessible to you it still wouldn't work. You don't notice this in Windows because all access is integrated - the "single sign-on" principle used by M$).

----------

## jkcunningham

Thanks for the reply. I tried several of your suggestions, but haven't solved it yet. Specifically, I tried this /etc/fstab line:

//136.202.83.183/groups /home/groups smbfs credentials=/home/jcunningham/.smbfscred,user,uid=1003\,gid=100 0 0

And this /etc/sudoers line:

%users localhost=/bin/mount

There is some progress in that jcunningham can now mount the drive without being root (but requiring a password), but other users cannot write to that mount, although they can read it.  Other users need to be able to write to /home/groups regardless of who mounts it. 

Thanks

-Jeff

----------

## Hypnos

Try the "umask" mount option, which is an octal mask to the permissions bits.

----------

## jkcunningham

I tried adding the umask=0777 and also umask=077, but it still is read-only so far as anyone else is concerned. I also tried taking out the uid= and gid= but it made no difference. 

-Jeff

----------

## Hypnos

 *jkcunningham wrote:*   

> I tried adding the umask=0777 and also umask=077, but it still is read-only so far as anyone else is concerned. I also tried taking out the uid= and gid= but it made no difference. 

 

If I'm on the right track, your logic is wrong --  check out "man 2 umask".  Try "umask=0" ... *shrug*

----------

## fleed

I think adaptr misunderstood part of your problem. What he told you was to make the mount MORE restrictive (077) rather than less (000). Try using umask=0 (or 000) as Hypnos suggested.

----------

## jkcunningham

Okay, I just tried umask=0, but get the same result: root has to mount the drive, the users whose NTFS credentials appear in the mount line has rwx privileges, but everyone else only has r_x. 

Also, the user with the credentials canNOT mount it: it says: "mount: only root can mount //136.202.83.183/groups on /home/groups". Here is the way I have /home/groups set up (when it isn't mounted):

drwxrwxr-x    2 root     users        4096 Dec  9 09:20 groups

Any more ideas?

-Jeff

----------

## DopeGhoti

If you added the user to the sudoers file as  adaptr suggested, the user still needs to run

```
sudo mount /mnt/mountpoint
```

to mount it (if it's in the fstab), or the entire mount command if it isn't.

----------

## fleed

Actually, I think it should have been fmask=0,dmask=0 (file and directory mask respectively). Try that instead of umask.

----------

## massimo

```

chmod +s /usr/sbin/smbmnt

```

----------

## fleed

I think doing that would only work if you were calling smbmnt directly, which you can sort of do anyway through smbmount.

----------

## massimo

 *fleed wrote:*   

> I think doing that would only work if you were calling smbmnt directly, which you can sort of do anyway through smbmount.

 

If you try to mount via fstab a smbfs fs, it will call smbmnt.

----------

## jkcunningham

Okay, I'm making progress here. Yes, I forgot about needing to use sudo. So, now any (sudo enabled) user can mount the drive, but the only one that can write to it is the one whose smbfs credentials were used to authenticate. In otherwords, if it is mounted with an /etc/fstab line like this:

//136.202.83.183/groups /home/groups smbfs credentials=/home/jcunningham/.smbfscred,user,fmask=0,dmask=0,uid=1003,gid=100  0 0

then samella cannot write to /home/groups. But if it is mounted instead with a line like this:

//136.202.83.183/groups /home/groups smbfs credentials=/home/samella/.smbfscred,user,fmask=0,dmask=0,uid=1007,gid=100  0 0

then jcunningham cannot write to /home/groups. I also tried umask=0, but it makes no difference.  What I need is for anyone to be able to mount the drive, and once mounted, anyone to be able to write to it. 

[edit] I just tried the chmod +s /usr/sbin/smbmnt idea, but it didn't change anything. (jkc)

Thanks.

-Jeff

----------

## massimo

Maybe I'm missing something, but shouldn't your fstab contain users instead of user? Try it with fmask=777 and dmask=777.

----------

## jkcunningham

Good one, massimo. 'users' didn't get it, but 'users' with fmask=0777,dmask=0777 works perfectly. 

but I don't understand it. There is no man page on either fmask or dmask, but the man page on umask specifically says that the bits in the mask turn OFF the associated permissions. Wouldn't one expect the fmask and dmask bits to work similarly?

My thanks to you all. This has been plaguing me for sometime. 

-Jeff

----------

## massimo

for fmask, dmask:

```

man smbmount

```

----------

## jkcunningham

I just read everything in man smbmount and, while it says:

       fmask=<arg>

              sets the file mask. This determines the permissions that  remote

              files have in the local filesystem.  The default is based on the

              current umask.

       dmask=<arg>

              sets the directory mask. This determines  the  permissions  that

              remote directories have in the local filesystem.  The default is

              based on the current umask.

it has nothing that I can see to explain how the bits act. When I look at man umask, it says:

       umask sets the umask to mask & 0777.

       The  umask  is  used  by  open(2)  to set initial file permissions on a

       newly-created file.  Specifically, permissions in the umask are  turned

       off  from  the  mode  argument  to open(2) (so, for example, the common

       umask default value of 022 results in new files being created with per-

       missions  0666  &  ~022  = 0644 = rw-r--r-- in the usual case where the

       mode is specified as 0666).

which seems to say that using the bits to wipe out privileges. Since the defaults for both dmask and fmask are taken from the current umask, I assume they work the same. 

Puzzling...

-Jeff

----------

## massimo

Just play with the fmask and dmask values and you will see how they work  :Wink: 

----------

## fleed

And you can probably drop sudo if you're using users in fstab.

----------

## massimo

 *fleed wrote:*   

> And you can probably drop sudo if you're using users in fstab.

 

I guess this won't work unless you do 'chmod +s smbmnt'.

----------

## fleed

I wonder which one would be less of a security risk, sudo or +s on smbmnt. Anyone has a clue?

----------

## massimo

Since "setuid" is mentioned in the man page of smbmnt it should be save using it.

----------

## jkcunningham

FYI: I haven't been able to dispense with sudo, though I tried setting chmod +s on smbmnt. 

-Jeff

----------

## massimo

I think that's the reason why...

```

[massimo] man smbmnt

[...]

A setuid smbmnt will only allow mounts on directories owned by the user, and that the user has write permission on.

[...]

```

I think the way with sudo is the only way to handle this unless you hack smbmnt.c, but that's another story...

I once read you could trick the system by doing the following:

//136.202.83.183/groups /home/groups smbfs [cut] jcunningham

BUT the other line

//remote_host_name/groups /home/groups smbfs [cut] samella

Since I've never tried it I cannot comment on this one but you should give it a try if you want to do it with setuid.

----------

