Package: autofs
Version: 5.1.9-1.2+b1
Severity: normal

Hi,

I'm trying to create a cifs automount setup working in a kerberos environment. I'm using sec=krb5,multiuser and this part works fine (i.e. a mount point can be shared between different users, each one will have its own rights).

With a server where no credentials are required to do the initial mount (or if the root/machine credentials are enough), then all is working fine: root does the mount, and, due to the multiuser option, access checks are done later (when entering the mount point).

But, if the mount operation is restricted to some users (and disallowed to root), cifs proposes the cruid option to specify the UID to use for the mount. Looking at the autofs documentation, it seems that the $UID pseudo-variable should work. And, indeed, with a static map, it works fine.

However, with a program map generating a multi-map (similar to what is proposed by the auto.cifs sample file), the $UID is not expanded or expanded to 0. I tried various quoting, without any success. When I look at automount logs (of course, I started automount with the -d option), I see one of the following values:

cruid=
cruid=0
cruid=$UID

But never the real UID of the user trying to enter the mount point (it worked with a static map however, as said before).

I tried to work around this issue by trying to read the AUTOFS_UID variable, but this variable is never defined in the environment:
- not at the time where the program map is called (not interesting here, as this is the time where the list of shares is generated, but not yet accessed)
- and not at the time the mount program is called (I checked by using a fake fs type (cifs2) and creating a wrapper /sbin/mount.cifs2 to check the environment before calling the real /sbin/mount.cifs).

Here is a static map that works fine:

titi -fstype=cifs2,multiuser,sec=krb5,mfsymlinks,cifsacl,mapposix,domain=KRBDOMAIN \
    "/DATA_SHARE" -cruid=${UID} "://cifsserver/DATA_SHARE" \
    "/TEST-SHARE" "://cifsserver/TEST-SHARE"

And a program map that does not work:

#!/bin/bash
cat <<EOF
-fstype=cifs2,multiuser,sec=krb5,mfsymlinks,cifsacl,mapposix,domain=KRBDOMAIN \
    "/DATA_SHARE" -cruid=${UID} "://cifsserver/DATA_SHARE" \
    "/TEST-SHARE" "://cifsserver/TEST-SHARE"
EOF

In the first case (static map), I log the following info:

2025-03-17T18:26:29.387039+01:00 di3224su automount[1505873]: handle_packet_missing_direct: token 1061, name /srv/autofs/cifs3/titi/DATA_SHARE, request pid 1505907
2025-03-17T18:26:29.387081+01:00 di3224su automount[1505873]: pidinfo requestor: pid:1505907 comm:ls tgid:1505907 uid:257253 euid:257253 gid:100513 egid:100513
2025-03-17T18:26:29.387114+01:00 di3224su automount[1505873]: pidinfo parent: pid:2413172 comm:bash tgid:2413172 uid:257253 euid:257253 gid:100513 egid:100513
2025-03-17T18:26:29.387146+01:00 di3224su automount[1505873]: attempting to mount entry /srv/autofs/cifs3/titi/DATA_SHARE
2025-03-17T18:26:29.387183+01:00 di3224su automount[1505873]: lookup_mount: lookup(file): looking up /srv/autofs/cifs3/titi/DATA_SHARE
2025-03-17T18:26:29.387216+01:00 di3224su automount[1505873]: lookup_mount: lookup(file): /srv/autofs/cifs3/titi/DATA_SHARE -> -fstype=cifs2,multiuser,sec=krb5,mfsymlinks,cifsacl,mapposix,domain=KRBDOMAIN,cruid=257253 ://cifsserver/DATA_SHARE
2025-03-17T18:26:29.387248+01:00 di3224su automount[1505873]: parse_mount: parse(sun): expanded entry: -fstype=cifs2,multiuser,sec=krb5,mfsymlinks,cifsacl,mapposix,domain=KRBDOMAIN,cruid=257253 ://cifsserver/DATA_SHARE
2025-03-17T18:26:29.387283+01:00 di3224su automount[1505873]: parse_mount: parse(sun): gathered options: fstype=cifs2,multiuser,sec=krb5,mfsymlinks,cifsacl,mapposix,domain=KRBDOMAIN,cruid=257253
2025-03-17T18:26:29.387318+01:00 di3224su automount[1505873]: sun_mount: parse(sun): mounting root /srv/autofs/cifs3/titi/DATA_SHARE, mountpoint /srv/autofs/cifs3/titi/DATA_SHARE, what //cifsserver/DATA_SHARE, fstype cifs2, options multiuser,sec=krb5,mfsymlinks,cifsacl,mapposix,domain=KRBDOMAIN,cruid=257253
2025-03-17T18:26:29.387351+01:00 di3224su automount[1505873]: do_mount: //cifsserver/DATA_SHARE /srv/autofs/cifs3/titi/DATA_SHARE type cifs2 options multiuser,sec=krb5,mfsymlinks,cifsacl,mapposix,domain=KRBDOMAIN,cruid=257253 using module generic
2025-03-17T18:26:29.387383+01:00 di3224su automount[1505873]: mount_mount: mount(generic): calling mkdir_path /srv/autofs/cifs3/titi/DATA_SHARE
2025-03-17T18:26:29.387423+01:00 di3224su automount[1505873]: mount(generic): calling mount -t cifs2 -o multiuser,sec=krb5,mfsymlinks,cifsacl,mapposix,domain=KRBDOMAIN,cruid=257253 //cifsserver/DATA_SHARE /srv/autofs/cifs3/titi/DATA_SHARE
2025-03-17T18:26:29.405209+01:00 di3224su automount[1505873]: >> mount.cifs kernel mount options: ip=10.7.16.72,unc=\\cifsserver\DATA_SHARE,multiuser,sec=krb5,mfsymlinks,cifsacl,mapposix,cruid=257253,user=root,domain=KRBDOMAIN,pass=********
[kerberos cifs.upcall with creduid=0x3ece5, i.e. 257253]
2025-03-17T18:26:30.039660+01:00 di3224su automount[1505873]: mount_mount: mount(generic): mounted //cifsserver/DATA_SHARE type cifs2 on /srv/autofs/cifs3/titi/DATA_SHARE
2025-03-17T18:26:30.041463+01:00 di3224su automount[1505873]: dev_ioctl_send_ready: token = 1061
2025-03-17T18:26:30.041548+01:00 di3224su automount[1505873]: mounted /srv/autofs/cifs3/titi/DATA_SHARE

In the second case (program map), I log the following info:

2025-03-17T18:28:12.215958+01:00 di3224su automount[1505873]: handle_packet_missing_direct: token 1066, name /srv/autofs/cifs2/cifsserver/DATA_SHARE, request pid 1505955
2025-03-17T18:28:12.216054+01:00 di3224su automount[1505873]: pidinfo requestor: pid:1505955 comm:ls tgid:1505955 uid:257253 euid:257253 gid:100513 egid:100513
2025-03-17T18:28:12.216196+01:00 di3224su automount[1505873]: pidinfo parent: pid:2413172 comm:bash tgid:2413172 uid:257253 euid:257253 gid:100513 egid:100513
2025-03-17T18:28:12.216268+01:00 di3224su automount[1505873]: attempting to mount entry /srv/autofs/cifs2/cifsserver/DATA_SHARE
2025-03-17T18:28:12.216430+01:00 di3224su automount[1505873]: lookup_mount: lookup(program): /srv/autofs/cifs2/cifsserver/DATA_SHARE -> -fstype=cifs2,multiuser,sec=krb5,mfsymlinks,cifsacl,mapposix,domain=KRBDOMAIN,cruid=0 ://cifsserver/DATA_SHARE
2025-03-17T18:28:12.216500+01:00 di3224su automount[1505873]: parse_mount: parse(sun): expanded entry: -fstype=cifs2,multiuser,sec=krb5,mfsymlinks,cifsacl,mapposix,domain=KRBDOMAIN,cruid=0 ://cifsserver/DATA_SHARE
2025-03-17T18:28:12.216543+01:00 di3224su automount[1505873]: parse_mount: parse(sun): gathered options: fstype=cifs2,multiuser,sec=krb5,mfsymlinks,cifsacl,mapposix,domain=KRBDOMAIN,cruid=0
2025-03-17T18:28:12.216576+01:00 di3224su automount[1505873]: sun_mount: parse(sun): mounting root /srv/autofs/cifs2/cifsserver/DATA_SHARE, mountpoint /srv/autofs/cifs2/cifsserver/DATA_SHARE, what //cifsserver/DATA_SHARE, fstype cifs2, options multiuser,sec=krb5,mfsymlinks,cifsacl,mapposix,domain=KRBDOMAIN,cruid=0
2025-03-17T18:28:12.216614+01:00 di3224su automount[1505873]: do_mount: //cifsserver/DATA_SHARE /srv/autofs/cifs2/cifsserver/DATA_SHARE type cifs2 options multiuser,sec=krb5,mfsymlinks,cifsacl,mapposix,domain=KRBDOMAIN,cruid=0 using module generic
2025-03-17T18:28:12.216652+01:00 di3224su automount[1505873]: mount_mount: mount(generic): calling mkdir_path /srv/autofs/cifs2/cifsserver/DATA_SHARE
2025-03-17T18:28:12.216691+01:00 di3224su automount[1505873]: mount(generic): calling mount -t cifs2 -o multiuser,sec=krb5,mfsymlinks,cifsacl,mapposix,domain=KRBDOMAIN,cruid=0 //cifsserver/DATA_SHARE /srv/autofs/cifs2/cifsserver/DATA_SHARE
2025-03-17T18:28:12.253009+01:00 di3224su automount[1505873]: >> mount.cifs kernel mount options: ip=10.7.16.87,unc=\\cifsserver\DATA_SHARE,multiuser,sec=krb5,mfsymlinks,cifsacl,mapposix,cruid=0,user=root,domain=KRBDOMAIN,pass=********
2025-03-17T18:28:12.253419+01:00 di3224su kernel: [5285802.001330] CIFS: Attempting to mount //cifsserver/DATA_SHARE
[kerberos cifs.upcall with creduid=0]
2025-03-17T18:28:12.276659+01:00 di3224su automount[1505873]: >> mount error(13): Permission denied

Am I missing something? Is it a bug? Is there a workaround?

Regards,
Vincent

Just for completion, here is my /sbin/mount.cifs2 wrapper:

#!/bin/bash
echo "==========================================" >> /test
env >> /test
echo "ARGS: $@" >> /test
echo "id: $(id)" >> /test
exec /sbin/mount.cifs "$@"

-- System Information:
Debian Release: trixie/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'oldstable-updates'), (500, 'oldstable-security'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armel

Kernel: Linux 6.12.17-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_OOT_MODULE
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages autofs depends on:
ii  init-system-helpers  1.68
ii  libc6                2.41-4
ii  libnsl2              1.3.0-3+b3
ii  libtirpc3t64         1.3.4+ds-1.3+b1
ii  libxml2              2.12.7+dfsg+really2.9.14-0.3+b1
ii  ucf                  3.0050

Versions of packages autofs recommends:
ii  e2fsprogs   1.47.2-1
ii  kmod        34.1-2
ii  nfs-common  1:2.8.2-3

autofs suggests no packages.

-- no debconf information
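
Added example (not part of the original report, and not autofs code): a check over automount -d output that pairs each "pidinfo requestor" line with the following "calling mount" line from the same daemon and reports mounts whose cruid is not the requestor's UID, which is the mismatch visible in the second log above. The sample lines are constructed; the function name is hypothetical, and it assumes a request's lines are not interleaved with another request's and that paths contain no spaces.

```python
import re

# Constructed sample in the format of the `automount -d` lines quoted in the
# report; host name, paths and UIDs are made up for the example.
SAMPLE_LOG = """\
2025-01-01T10:00:00+01:00 host automount[100]: pidinfo requestor: pid:200 comm:ls tgid:200 uid:1001 euid:1001 gid:100 egid:100
2025-01-01T10:00:00+01:00 host automount[100]: mount(generic): calling mount -t cifs -o multiuser,sec=krb5,cruid=1001 //srv/SHARE /mnt/a/SHARE
2025-01-01T10:05:00+01:00 host automount[100]: pidinfo requestor: pid:300 comm:ls tgid:300 uid:1001 euid:1001 gid:100 egid:100
2025-01-01T10:05:00+01:00 host automount[100]: mount(generic): calling mount -t cifs -o multiuser,sec=krb5,cruid=0 //srv/SHARE /mnt/b/SHARE
2025-01-01T10:06:00+01:00 host automount[100]: pidinfo requestor: pid:400 comm:ls tgid:400 uid:1002 euid:1002 gid:100 egid:100
2025-01-01T10:06:00+01:00 host automount[100]: mount(generic): calling mount -t cifs -o multiuser,sec=krb5,cruid=$UID //srv/SHARE /mnt/c/SHARE
"""

REQUESTOR = re.compile(r"automount\[(\d+)\]: pidinfo requestor: .*?\buid:(\d+)")
MOUNT_CALL = re.compile(
    r"automount\[(\d+)\]: mount\(generic\): calling mount .*? -o (\S+) \S+ (\S+)$")


def cruid_mismatches(log_text):
    """Return (mountpoint, requestor_uid, cruid) for every mount whose cruid
    option differs from the UID of the process that triggered the mount."""
    last_uid = {}  # automount daemon pid -> uid from its latest requestor line
    findings = []
    for line in log_text.splitlines():
        m = REQUESTOR.search(line)
        if m:
            last_uid[m.group(1)] = m.group(2)
            continue
        m = MOUNT_CALL.search(line)
        if not m:
            continue
        daemon, options, mountpoint = m.groups()
        cruid = None
        for opt in options.split(","):
            if opt.startswith("cruid="):
                cruid = opt[len("cruid="):]  # may be empty or an unexpanded "$UID"
        uid = last_uid.get(daemon)
        if cruid is not None and uid is not None and cruid != uid:
            findings.append((mountpoint, uid, cruid))
    return findings


if __name__ == "__main__":
    for mountpoint, uid, cruid in cruid_mismatches(SAMPLE_LOG):
        print(f"{mountpoint}: requested by uid {uid}, mounted with cruid={cruid!r}")
```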