← Back to team overview

kernel-packages team mailing list archive

[Bug 1247710] Missing required logs.


This bug is missing log files that will aid in diagnosing the problem.
>From a terminal window please run:

apport-collect 1247710

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable
to run this command, please add a comment stating that fact and change
the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the
Ubuntu Kernel Team.

** Changed in: linux (Ubuntu)
       Status: New => Incomplete

You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.

  CIFS kernel sockets do not belong to any UID

Status in “linux” package in Ubuntu:

Bug description:
  I have a Kubuntu which uses a customized UFW to do egress filtering.
  The default policy of the OUTPUT chain is REJECT, which means that NO process is allowed to send packets until I have explicitly allowed it.
  To allow output packets on a per-user base, I use the "-m owner --uid-owner username" match of iptables.

  Unfortunately, CIFS mounting kept failing even though I've allowed
  root to send packets. So I experimented with the UIDs to find out
  which UID the kernel uses for CIFS.

  As "--uid-owner" supports user ranges, I was able to determine that the packets do not belong to ANY valid UID:
  The following rule makes CIFS mounts succeed:
  -A ufw-before-output -m owner --socket-exists ! --uid-owner 0-4294967294 -o eth0 --dest -p tcp --dport 445 -j ACCEPT

  The inversion of the UID-owner match in the same rule makes them NOT succeed:
  -A ufw-before-output -m owner --socket-exists ! --uid-owner 0-4294967294 -o eth0 --dest -p tcp --dport 445 -j ACCEPT

  Incrementing the maximal UID of the range by 1 to 4294967295 makes iptables complain that the UID is out of range.
  So the range of ALL UIDs available in the Linux kernel is indeed 0-4294967294, and CIFS mounts only work if we assume the packets to be OUT of that range. So the packets are missing an UID.

  Distro = Kubuntu 12.10 amd64
  Kernel package = linux-image-3.5.0-42-generic
  Kernel package version = 3.5.0-42.65

To manage notifications about this bug go to: