FS#69114 - [samba] 4.13.3-2 visudo reports incorrect permissions
Attached to Project:
Arch Linux
Opened by Florian Rüchel (javex) - Saturday, 26 December 2020, 01:20 GMT
Last edited by Tobias Powalowski (tpowa) - Monday, 28 March 2022, 07:30 GMT
Opened by Florian Rüchel (javex) - Saturday, 26 December 2020, 01:20 GMT
Last edited by Tobias Powalowski (tpowa) - Monday, 28 March 2022, 07:30 GMT
|
Details
Description:
When running "visudo -c" I get the following report from it: /etc/sudoers.d/ctdb: bad permissions, should be mode 0440 "pacman -Qo /etc/sudoers.d/ctdb" reports this is owned by samba: /etc/sudoers.d/ctdb is owned by samba 4.13.3-2 The reported permissions from "stat /etc/sudoers.d/ctdb" are as follows: File: /etc/sudoers.d/ctdb Size: 100 Blocks: 8 IO Block: 4096 regular file Device: fd01h/64769d Inode: 6993 Links: 1 Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root) Access: 2020-12-26 11:43:19.544762379 +1030 Modify: 2020-12-19 17:37:04.000000000 +1030 Change: 2020-12-26 11:44:23.120724231 +1030 Birth: 2020-12-25 11:13:32.652300209 +1030 If I fix the permissions with "chmod 0400 /etc/sudoers.d/ctdb" the warning goes away but "pacman -Qkk samba" now reports: warning: samba: /etc/sudoers.d/ctdb (Permissions mismatch) samba: 1735 total files, 1 altered file I can't find any documentation on visudo to suggest that this might be some local configuration so I'm working on the assumption that this is a fixed expectation and 0440 (or less) is what this file should have. I couldn't find any way to raise a pull request or directly contribute a fix, but I was able to dig up https://github.com/archlinux/svntogit-packages/blob/packages/samba/trunk/PKGBUILD#L200 which seems where the fix would be made. I've attached a diff output that hopefully would be a suitable patch (I went with 0400 to avoid adding permissions with this change). From what I can tell, this is an issue with the packaging, not the upstream source, so I reported it here. In case this is wrong, I'm happy to report it upstream instead. Let me know if there's any additional information you need. |
This task depends upon
Closed by Tobias Powalowski (tpowa)
Monday, 28 March 2022, 07:30 GMT
Reason for closing: Fixed
Additional comments about closing: 4.16.0-2
Monday, 28 March 2022, 07:30 GMT
Reason for closing: Fixed
Additional comments about closing: 4.16.0-2
> In RHEL 6+, rpc.statd runs as "rpcuser" instead of root as on RHEL 5. This prevents CTDB tool commands talking to daemon since "rpcuser" cannot access CTDB socket.
On Arch Linux, there does not seem to be a user called "rpcuser", and rpc-statd.service from core/nfs-utils is running as nobody (possibly after dropping root privileges).
[1] https://gitlab.com/samba-team/samba/-/commit/d931e73fb83fe1ced9c41b06c15060fd18aff3d7