
kernel-packages team mailing list archive

[Bug 1247710] Re: CIFS kernel sockets do not belong to any UID

 

Thanks for taking the time to report this bug and helping to make Ubuntu
better. We appreciate the difficulties you are facing, but this appears
to be a "regular" (non-security) bug.  I have unmarked it as a security
issue since this bug does not show evidence of allowing attackers to
cross privilege boundaries nor directly cause loss of data/privacy.
Please feel free to report any other bugs you may find.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1247710

Title:
  CIFS kernel sockets do not belong to any UID

Status in “linux” package in Ubuntu:
  New

Bug description:
  I have a Kubuntu which uses a customized UFW to do egress filtering.
  The default policy of the OUTPUT chain is REJECT, which means that NO process is allowed to send packets until I have explicitly allowed it.
  To allow output packets on a per-user basis, I use the "-m owner --uid-owner username" match of iptables.

  Unfortunately, CIFS mounting kept failing even though I've allowed
  root to send packets. So I experimented with the UIDs to find out
  which UID the kernel uses for CIFS.

  As "--uid-owner" supports user ranges, I was able to determine that the packets do not belong to ANY valid UID:
  The following rule makes CIFS mounts succeed:
  -A ufw-before-output -m owner --socket-exists ! --uid-owner 0-4294967294 -o eth0 --dest 192.168.1.1 -p tcp --dport 445 -j ACCEPT

  The inversion of the UID-owner match in the same rule makes them NOT succeed:
  -A ufw-before-output -m owner --socket-exists --uid-owner 0-4294967294 -o eth0 --dest 192.168.1.1 -p tcp --dport 445 -j ACCEPT

  Incrementing the maximal UID of the range by 1 to 4294967295 makes iptables complain that the UID is out of range.
  So the range of ALL UIDs available in the Linux kernel is indeed 0-4294967294, and CIFS mounts only work if we assume the packets to be OUT of that range. So the packets are missing a UID.

  Distro = Kubuntu 12.10 amd64
  Kernel package = linux-image-3.5.0-42-generic
  Kernel package version = 3.5.0-42.65

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1247710/+subscriptions
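
Added example, not part of the original report and not the kernel's own code: a simplified userspace model of how the iptables owner match (the kernel's xt_owner module) evaluates a socket that has no userspace file behind it, which is consistent with the rule behaviour the report observes. That this is the cause is an assumption, since the report does not identify it; the struct names, `report_rule` and the sample sockets are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bits as defined in the kernel's xt_owner.h */
enum { XT_OWNER_UID = 1 << 0, XT_OWNER_GID = 1 << 1, XT_OWNER_SOCKET = 1 << 2 };

/* Simplified stand-in for the rule data (hypothetical struct) */
struct owner_rule { uint32_t uid_min, uid_max; uint8_t match, invert; };

/* Hypothetical model of the socket a packet is attached to */
struct pkt_socket {
    bool exists;        /* packet has a socket at all */
    bool has_file;      /* socket is backed by a userspace file descriptor */
    uint32_t file_uid;  /* owner of that file, meaningful only if has_file */
};

bool owner_match(const struct owner_rule *r, const struct pkt_socket *s)
{
    if (!s->exists)
        return (r->match ^ r->invert) == 0;
    if (r->match & r->invert & XT_OWNER_SOCKET)
        return false;                 /* rule asked for ! --socket-exists */
    if (!s->has_file)                 /* kernel-created socket: no UID to compare */
        return ((r->match ^ r->invert) & (XT_OWNER_UID | XT_OWNER_GID)) == 0;
    if (r->match & XT_OWNER_UID) {
        bool in_range = s->file_uid >= r->uid_min && s->file_uid <= r->uid_max;
        bool inverted = (r->invert & XT_OWNER_UID) != 0;
        if (in_range == inverted)
            return false;
    }
    return true;
}

/* --socket-exists [!] --uid-owner 0-4294967294, as in the report's rules */
struct owner_rule report_rule(bool inverted)
{
    struct owner_rule r = { 0, 4294967294u, XT_OWNER_SOCKET | XT_OWNER_UID,
                            inverted ? XT_OWNER_UID : 0 };
    return r;
}

int main(void)
{
    struct pkt_socket kernel_sock = { true, false, 0 };  /* constructed sample */
    struct owner_rule inv = report_rule(true), plain = report_rule(false);
    printf("kernel socket: inverted rule=%d, plain rule=%d\n",
           owner_match(&inv, &kernel_sock), owner_match(&plain, &kernel_sock));
    return 0;
}
```

In this model a socket without a file can only satisfy an owner rule whose UID and GID conditions are all inverted, so a per-user egress allowlist needs a separate, tightly scoped rule (destination, port, interface) for in-kernel clients such as CIFS.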