kernel-packages team mailing list archive

[Bug 1247710] Re: CIFS kernel sockets do not belong to any UID

[Expired for linux (Ubuntu) because there has been no activity for 60
days.]

** Changed in: linux (Ubuntu)
       Status: Incomplete => Expired

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1247710

Title:
  CIFS kernel sockets do not belong to any UID

Status in “linux” package in Ubuntu:
  Expired

Bug description:
  I have a Kubuntu which uses a customized UFW to do egress filtering.
  The default policy of the OUTPUT chain is REJECT, which means that NO process is allowed to send packets until I have explicitly allowed it.
  To allow output packets on a per-user basis, I use the "-m owner --uid-owner username" match of iptables.

  Unfortunately, CIFS mounting kept failing even though I've allowed
  root to send packets. So I experimented with the UIDs to find out
  which UID the kernel uses for CIFS.

  As "--uid-owner" supports user ranges, I was able to determine that the packets do not belong to ANY valid UID:
  The following rule makes CIFS mounts succeed:
  -A ufw-before-output -m owner --socket-exists ! --uid-owner 0-4294967294 -o eth0 --dest 192.168.1.1 -p tcp --dport 445 -j ACCEPT

  The inversion of the UID-owner match in the same rule makes them NOT succeed:
  -A ufw-before-output -m owner --socket-exists ! --uid-owner 0-4294967294 -o eth0 --dest 192.168.1.1 -p tcp --dport 445 -j ACCEPT

  Incrementing the maximal UID of the range by 1 to 4294967295 makes iptables complain that the UID is out of range.
  So the range of ALL UIDs available in the Linux kernel is indeed 0-4294967294, and CIFS mounts only work if we assume the packets to be OUT of that range. So the packets are missing a UID.

  Distro = Kubuntu 12.10 amd64
  Kernel package = linux-image-3.5.0-42-generic
  Kernel package version = 3.5.0-42.65

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1247710/+subscriptions
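Added example, not code from the bug report or from any Ubuntu kernel source: a small userspace C model of the decision the iptables `owner` match makes, written to reproduce the behaviour the report describes. Its assumption is that a kernel-created socket (such as the one CIFS opens) is not backed by a userspace file and so carries no UID to compare; under that assumption a positive `--uid-owner` test can never match such a socket, while the negated full range does, which is exactly what the two rules above show.

```c
#include <stdbool.h>
#include <stdint.h>

/* Tests an owner-match rule can enable; the names are this example's own. */
enum { OWNER_SOCKET = 1, OWNER_UID = 2, OWNER_GID = 4 };

struct owner_rule {
    unsigned match, invert;    /* enabled tests, and those negated with '!' */
    uint32_t uid_min, uid_max; /* --uid-owner range */
};

/* What the match can see about the socket a packet was sent from. */
struct sock_info {
    bool has_socket; /* packet is tied to a socket at all */
    bool has_file;   /* socket is backed by a userspace file carrying credentials */
    uint32_t uid;    /* owner UID, meaningful only when has_file is true */
};

/* Assumed, simplified decision logic of the owner match (this model's own). */
static bool owner_match(const struct owner_rule *r, const struct sock_info *s)
{
    if (!s->has_socket)
        return (r->match ^ r->invert) == 0;
    if (r->match & r->invert & OWNER_SOCKET)
        return false; /* socket exists but the rule said ! --socket-exists */
    if (!s->has_file) /* kernel socket (e.g. CIFS): no credentials to compare */
        return ((r->match ^ r->invert) & (OWNER_UID | OWNER_GID)) == 0;
    if (r->match & OWNER_UID) {
        bool in_range = s->uid >= r->uid_min && s->uid <= r->uid_max;
        if (in_range ^ !(r->invert & OWNER_UID))
            return false; /* UID test (negated or not) failed */
    }
    return true;
}

/* Evaluate the report's rule "--socket-exists [!] --uid-owner 0-4294967294"
 * against either a kernel socket or a userspace socket owned by uid. */
bool rule_matches(bool negate_uid, bool kernel_socket, uint32_t uid)
{
    struct owner_rule r = { OWNER_SOCKET | OWNER_UID, negate_uid ? OWNER_UID : 0,
                            0, 4294967294u };
    struct sock_info s = { true, !kernel_socket, uid };
    return owner_match(&r, &s);
}
```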