Introduction


The MountCifsFstab page demonstrates how to mount a Windows share with minimal fuss, but if security is worth some extra fuss to you, then you’ll need to quit using that convenient NOPERM option. NOPERM is short for “no permission checks”.

Prerequisites:


  • You need to have a non-secure mount working as described in MountCifsFstab, plus all the prerequisites from that page.

  • You need to know enough about chmod, chown, and chgrp to be able to create a local folder that has permissions like you want your mountpoint to have.

UID and GID


If you try to use chmod or chown or chgrp on a mountpoint, you will find that the settings don’t persist once a share is mounted on it. When you unmount it, the permissions will go back to what you set them to. The correct way to set permissions on a mountpoint is by using the UID and GID options in your mount command.

The UID option causes the mountpoint to have the owner of your choice.

First, you’ll need to figure out which user ID you want to “own” the mountpoint. Look in your /etc/passwd file.

cat /etc/passwd

and find the username. It should be near the bottom. It should look something like this:

john:x:1000:1000:John Shipp,,,:/home/john:/bin/bash

In this case the UID is 1000.

The GID option controls the group ownership and works the same way. You can look up the group ID you want to use in the group file:

cat /etc/group

Once you have your UID and GID, you can manually mount like this:

mount -o uid=1000,gid=1000,credentials=/root/creds.txt //win10/share1 /mnt/share1

or you can put it in your fstab file like this:

//win10/share1   /mnt/share1   cifs   uid=1000,gid=1000,_netdev,credentials=/root/creds.txt   0 0

file_mode and dir_mode

The examples above will set the mountpoint to rwxr-xr-x. If you want something other than that, you can use the file_mode and dir_mode options. file_mode controls permissions on files inside the mountpoint, and dir_mode controls permissions on folders inside the mountpoint. You’ll need to specify your permissions in number format:

file mode cheat sheet:
7 = rwx
6 = rw-
5 = r-x
4 = r--

The default mode for both is 0755.

You can manually mount like this:

mount -o uid=1000,gid=1000,file_mode=0755,dir_mode=0755,credentials=/root/creds.txt //win10/share1 /mnt/share1

or you can put it in your fstab file like this:

//win10/share1   /mnt/share1   cifs   uid=1000,gid=1000,file_mode=0755,dir_mode=0755,_netdev,credentials=/root/creds.txt   0 0

Multiple mountpoint credentials

By default, CIFS mounts only use a single set of user credentials (the mount credentials) when accessing a share, which should be adequate for almost any use case. However, if you need to take it to the next level and have the kernel create a new session with the server using the user's credentials whenever a new user accesses the mount, there is a way! Look in the manual and find the section that describes the MULTIUSER option.

man mount.cifs

MountCifsFstabSecurely (last edited 2020-08-04 01:54:46 by shippj)