I am trying to set up an auto-mounting network drive. The network drive requires a user/pass. In the man page for "mount.cifs" there are two ways to provide the user/pass.
- [not recommended] put the user/pass in /etc/fstab
- create a separate credentials file and put the user/pass in the credentials file
"[option 2] is preferred over having passwords in plaintext in a shared file, such as /etc/fstab. Be sure to protect any credentials file properly."
- My background is: software developer, lots of Linux software development (installing development libraries, installing applications like Eclipse, or Java). I am not an IT or sysadmin guy.
- This is on my own development machine
Given my lack of IT/sysadmin background, what is the standard suggested method for "protecting any credentials file properly"?
(If there are multiple methods for protecting the credentials file, I would also appreciate it if you could list them in order of most common to least and describe the tradeoffs.)
Best Answer
It looks like the man page snippets you quoted refer to the basic level of security that standard file ownership and permissions provide. The configuration file /etc/fstab is readable by any user on the system. A safer place to store sensitive information would be a file with permissions allowing it to be read only by the owner. I understand that in your case, the user would be root.
Let's say you put the file in /etc/ and name it cifs-cred (create and edit it as root). Then you'd use
That will assure only the owner (which should be root) will have access to the contents. Otherwise, if such a setup did not allow proper working of your system setup, it could mean the file should be accessible to some special system user. In that case, you might need to try
or something like
-- depending on what *nix flavor your system is and the system daemons' configuration.
Other than that, if the system can be under any risk of being compromised, you should never trust unencrypted passwords. Depending solely on file permissions is rather naive - the file contents are protected only against minor security breaches.
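
The ownership-and-permission protection described in the answer, as an added shell example that is not part of the original post: it creates a mount.cifs credentials file with owner-only access, audits an existing one, and lists fstab cifs entries that still carry an inline password. Function names and the share in the comment are hypothetical, and GNU stat is assumed.

```sh
#!/bin/sh
# Added example; function names, share names and account values are constructed.
# The matching fstab entry references the file instead of a password, e.g.
#   //fileserver/share  /mnt/share  cifs  credentials=/etc/cifs-cred  0  0

# Create or rewrite the credentials file so the secret is never written to a
# group/other-readable file: umask 077 covers a new file, chmod 600 tightens
# a file that already existed, and only then is the content written.
write_cifs_credentials() (   # args: PATH USERNAME PASSWORD
    umask 077
    : >> "$1" && chmod 600 "$1" &&
        printf 'username=%s\npassword=%s\n' "$2" "$3" > "$1"
)

# Audit the file: expected owner (default uid 0, root) and no group/other bits.
check_cifs_credentials() (   # args: PATH [EXPECTED_UID]
    path=$1; want_uid=${2:-0}
    info=$(stat -c '%a %u' "$path") || exit 2      # GNU stat: octal mode, uid
    mode=${info% *}; uid=${info#* }
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $path is owned by uid $uid, expected $want_uid" >&2; exit 1
    fi
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $path has mode $mode, group/other can access it" >&2; exit 1
    fi
    echo "OK: $path mode $mode uid $uid"
)

# List cifs entries of an fstab-format file that still embed a password inline
# (mount.cifs accepts both password= and pass=). Prints "device mountpoint".
fstab_inline_passwords() {   # args: FSTAB_PATH
    awk '$1 !~ /^#/ && $3 == "cifs" && ("," $4) ~ /,pass(word)?=/ { print $1, $2 }' "$1"
}
```

For a file under /etc/, run the write and the check as root; the check takes the expected uid as a second argument for setups where another account must own the file.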