https://bugzilla.novell.com/show_bug.cgi?id=870607 https://bugzilla.novell.com/show_bug.cgi?id=870607#c1 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |meissner@suse.com --- Comment #1 from Marcus Meissner 2014-03-27 18:55:00 UTC --- this sounds like a unsafe filename.... is it ensured to be opened safely? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=870607 https://bugzilla.novell.com/show_bug.cgi?id=870607#c Lars Müller changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|winbind profile needs |winbind profile needs rw |access to |access to /var/tmp/ |/var/tmp/$hostname-044_$uid | -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=870607 https://bugzilla.novell.com/show_bug.cgi?id=870607#c7 Lars Müller changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |lmuelle@suse.com --- Comment #7 from Lars Müller 2014-04-01 00:20:13 CEST --- This is the case if we're in a kerberized environment. The first part of the file name is the client's, our own hostname directly followed by a _ char. This is not caused directly by Samba code or one of our libraries. This is the result of linking against libgssapi_krb5 from the krb5 package. Maybe we have to export KRB5RCACHETYPE from winbindd systemd service file. See http://web.mit.edu/kerberos/krb5-devel/doc/basic/rcache_def.html I'll test this later today. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=870607 https://bugzilla.novell.com/show_bug.cgi?id=870607#c9 --- Comment #9 from Lars Müller 2014-04-01 14:39:16 CEST --- And that all doesn't help us as by this we only would be able to point to a different directory than /var/tmp I'm checking the krb5 sources next. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=870607 https://bugzilla.novell.com/show_bug.cgi?id=870607#c11 --- Comment #11 from Lars Müller 2014-04-01 16:14:43 CEST --- That's how the permissions would look like in the directory: vejle:~ # LC_ALL=POSIX ls -al /var/cache/krb5rcache/ total 4 drwxrwx--- 1 root root 30 Apr 1 16:11 . drwxr-xr-x 1 root root 170 Apr 1 15:59 .. -rw------- 1 LURCH\larsm root 165 Apr 1 16:11 vejle-044_10000 This would require two changes: a) Add ls -al /var/cache/krb5rcache/ with the described permission set (0770)to the samba-winbind package b) Add Environment=KRB5RCACHEDIR=/var/cache/krb5rcache to the winbind.service file. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=870607 https://bugzilla.novell.com/show_bug.cgi?id=870607#c Lars Müller changed: What |Removed |Added ---------------------------------------------------------------------------- Summary|winbind profile needs rw |winbind profile needs rw |access to /var/tmp/ |access to | |/var/cache/krb5rcache -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=870607 https://bugzilla.novell.com/show_bug.cgi?id=870607#c15 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|suse-beta@cboltz.de | --- Comment #15 from Christian Boltz 2014-04-01 23:46:28 CEST --- (In reply to comment #10)

Would it be ok to limit (rw) access for winbindd to /var/cache/krb5rcache/ (KRB5RCACHEDIR)?

(In reply to comment #11)

That's how the permissions would look like in the directory:

vejle:~ # LC_ALL=POSIX ls -al /var/cache/krb5rcache/ total 4 drwxrwx--- 1 root root 30 Apr 1 16:11 . drwxr-xr-x 1 root root 170 Apr 1 15:59 .. -rw------- 1 LURCH\larsm root 165 Apr 1 16:11 vejle-044_10000

Allowing a directory that is only writeable for a specific user (in this case root or someone in the root group - typically only root) is _much_ better than /var/tmp/ where everybody can do funny stuff. Your SR looks good at the first look, but I'll give it a second look before accepting it (might take some days - I'm too busy at the moment :-( ) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=870607 https://bugzilla.novell.com/show_bug.cgi?id=870607#c17 Lars Müller changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |meissner@suse.com --- Comment #17 from Lars Müller 2014-04-16 20:41:36 CEST --- @Marcus: Does the permission set described with comment#11 look sane to you to address your concern(s) raised with comment#1? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=870607 https://bugzilla.novell.com/show_bug.cgi?id=870607#c19 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- InfoProvider|meissner@suse.com |lmuelle@suse.com --- Comment #19 from Christian Boltz 2014-04-21 22:16:27 CEST --- For the records: Commited to upstream trunk r2461 - AppArmor 2.9 beta2 will contain it. Lars, IMHO it would make sense to make /var/cache/krb5rcache (instead of /var/tmp/) the default KRB5RCACHEDIR in samba. Can you please send a patch upstream? ;-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=870607 https://bugzilla.novell.com/show_bug.cgi?id=870607#c21 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |RESOLVED InfoProvider|lmuelle@suse.com | Resolution| |FIXED --- Comment #21 from Christian Boltz 2014-04-28 13:28:01 CEST --- Since this is fixed in the 2.8.3 openSUSE package and also in upstream trunk, I'm closing the bug as fixed. If I release an update for 12.x, it will also contain the fix. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=870607 https://bugzilla.novell.com/show_bug.cgi?id=870607#c23 --- Comment #23 from Bernhard Wiedemann 2014-06-23 17:02:30 CEST --- This is an autogenerated message for OBS integration: This bug (870607) was mentioned in https://build.opensuse.org/request/show/238391 13.1 / samba -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=870607 https://bugzilla.novell.com/show_bug.cgi?id=870607#c24 --- Comment #24 from Swamp Workflow Management 2014-07-01 10:08:40 UTC --- openSUSE-SU-2014:0859-1: An update that solves four vulnerabilities and has 13 fixes is now available. Category: security (moderate) Bug References: 846586,866354,866927,869707,870570,870607,870957,871701,872396,873177,873658,874180,874656,875046,879390,880962,883758 CVE References: CVE-2014-0178,CVE-2014-0239,CVE-2014-0244,CVE-2014-3493 Sources used: openSUSE 13.1 (src): samba-4.1.9-3.22.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=870607 Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|obs:running:2889:moderate |obs:running:2889:moderate |obs:running:3208:low |obs:running:3208:low | |obs:running:3210:low -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=870607 Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|obs:running:2889:moderate |obs:running:2889:moderate |obs:running:3208:moderate |obs:running:3208:moderate | |obs:running:3210:moderate -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=870607 --- Comment #26 from Swamp Workflow Management --- openSUSE-RU-2014:1483-1: An update that has 13 recommended fixes can now be installed. Category: recommended (moderate) Bug References: 857122,863226,869787,870607,874094,885317,886225,889650,889651,889652,892374,899746,904620 CVE References: Sources used: openSUSE 13.1 (src): apparmor-2.8.4-4.17.1 -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=870607 Swamp Workflow Management changed: What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|obs:running:3208:moderate |obs:running:3208:moderate |obs:running:3210:moderate | -- You are receiving this mail because: You are on the CC list for the bug.