kernel-packages team mailing list archive
Message #26463
[Bug 1247710] Missing required logs.
This bug is missing log files that will aid in diagnosing the problem.
From a terminal window please run:
apport-collect 1247710
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable
to run this command, please add a comment stating that fact and change
the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the
Ubuntu Kernel Team.
** Changed in: linux (Ubuntu)
Status: New => Incomplete
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1247710
Title:
CIFS kernel sockets do not belong to any UID
Status in “linux” package in Ubuntu:
Incomplete
Bug description:
I have a Kubuntu which uses a customized UFW to do egress filtering.
The default policy of the OUTPUT chain is REJECT, which means that NO process is allowed to send packets until I have explicitly allowed it.
To allow output packets on a per-user basis, I use the "-m owner --uid-owner username" match of iptables.
Unfortunately, CIFS mounting kept failing even though I've allowed
root to send packets. So I experimented with the UIDs to find out
which UID the kernel uses for CIFS.
As "--uid-owner" supports user ranges, I was able to determine that the packets do not belong to ANY valid UID:
The following rule makes CIFS mounts succeed:
-A ufw-before-output -m owner --socket-exists ! --uid-owner 0-4294967294 -o eth0 --dest 192.168.1.1 -p tcp --dport 445 -j ACCEPT
The inversion of the UID-owner match in the same rule makes them NOT succeed:
-A ufw-before-output -m owner --socket-exists --uid-owner 0-4294967294 -o eth0 --dest 192.168.1.1 -p tcp --dport 445 -j ACCEPT
Incrementing the maximal UID of the range by 1 to 4294967295 makes iptables complain that the UID is out of range.
So the range of ALL UIDs available in the Linux kernel is indeed 0-4294967294, and CIFS mounts only work if we assume the packets to be OUT of that range. So the packets are missing a UID.
Distro = Kubuntu 12.10 amd64
Kernel package = linux-image-3.5.0-42-generic
Kernel package version = 3.5.0-42.65
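An added illustration, not part of the original bug report or of any Ubuntu tooling: a simplified C model of the netfilter owner match decision, showing why the negated `--uid-owner` rule matches a kernel-created socket while the non-negated rule does not. It assumes the decision logic follows the kernel's xt_owner match and that the CIFS socket has no owning file; the `pkt` and `owner_rule` types and the sample sockets are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bits as defined in the kernel's xt_owner.h. */
enum { XT_OWNER_UID = 1 << 0, XT_OWNER_GID = 1 << 1, XT_OWNER_SOCKET = 1 << 2 };

/* Hypothetical stand-in for the socket state the match inspects. */
struct pkt { bool has_socket; bool has_file; uint32_t uid; };

/* One "-m owner" rule: options given, and which of them carry "!". */
struct owner_rule { uint8_t match, invert; uint32_t uid_min, uid_max; };

/* Constructed samples: a kernel-created socket and a root process socket. */
static const struct pkt KERNEL_SOCK = { true, false, 0 };
static const struct pkt ROOT_SOCK = { true, true, 0 };

/* Simplified model of the owner match decision (assumption; GID checks omitted). */
static bool owner_match(const struct owner_rule *r, const struct pkt *p)
{
    if (!p->has_socket)
        return (r->match ^ r->invert) == 0;
    if (r->match & r->invert & XT_OWNER_SOCKET)
        return false; /* "! --socket-exists", but a socket exists */
    if (!p->has_file) /* no owning file: only negated UID/GID tests can pass */
        return ((r->match ^ r->invert) & (XT_OWNER_UID | XT_OWNER_GID)) == 0;
    if (r->match & XT_OWNER_UID) {
        bool in_range = p->uid >= r->uid_min && p->uid <= r->uid_max;
        if (in_range == ((r->invert & XT_OWNER_UID) != 0))
            return false;
    }
    return true;
}

/* "--socket-exists [!] --uid-owner 0-4294967294", as in the report. */
static bool report_rule_matches(bool negate_uid, const struct pkt *p)
{
    struct owner_rule r = { XT_OWNER_SOCKET | XT_OWNER_UID,
                            (uint8_t)(negate_uid ? XT_OWNER_UID : 0), 0, 4294967294u };
    return owner_match(&r, p);
}

int main(void)
{
    printf("kernel socket, negated UID:  %d\n", report_rule_matches(true, &KERNEL_SOCK));
    printf("kernel socket, plain UID:    %d\n", report_rule_matches(false, &KERNEL_SOCK));
    printf("root process, plain UID:     %d\n", report_rule_matches(false, &ROOT_SOCK));
    printf("root process, negated UID:   %d\n", report_rule_matches(true, &ROOT_SOCK));
    return 0;
}
```

Under this model the negated rule accepts any socket without an owning file, so the interface, destination and port constraints in the reporter's rule are what keep the exception narrow.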