FS#69114 - [samba] 4.13.3-2 visudo reports incorrect permissions

Attached to Project: Arch Linux
Opened by Florian Rüchel (javex) - Saturday, 26 December 2020, 01:20 GMT
Last edited by Tobias Powalowski (tpowa) - Monday, 28 March 2022, 07:30 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Tobias Powalowski (tpowa)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 3
Private No

Details

Description:

When running "visudo -c" I get the following report from it:

/etc/sudoers.d/ctdb: bad permissions, should be mode 0440

"pacman -Qo /etc/sudoers.d/ctdb" reports this is owned by samba:

/etc/sudoers.d/ctdb is owned by samba 4.13.3-2

The reported permissions from "stat /etc/sudoers.d/ctdb" are as follows:

File: /etc/sudoers.d/ctdb
Size: 100 Blocks: 8 IO Block: 4096 regular file
Device: fd01h/64769d Inode: 6993 Links: 1
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2020-12-26 11:43:19.544762379 +1030
Modify: 2020-12-19 17:37:04.000000000 +1030
Change: 2020-12-26 11:44:23.120724231 +1030
Birth: 2020-12-25 11:13:32.652300209 +1030

If I fix the permissions with "chmod 0400 /etc/sudoers.d/ctdb" the warning goes away but "pacman -Qkk samba" now reports:

warning: samba: /etc/sudoers.d/ctdb (Permissions mismatch)
samba: 1735 total files, 1 altered file

I can't find any documentation on visudo to suggest that this might be some local configuration so I'm working on the assumption that this is a fixed expectation and 0440 (or less) is what this file should have. I couldn't find any way to raise a pull request or directly contribute a fix, but I was able to dig up https://github.com/archlinux/svntogit-packages/blob/packages/samba/trunk/PKGBUILD#L200 which seems where the fix would be made. I've attached a diff output that hopefully would be a suitable patch (I went with 0400 to avoid adding permissions with this change).

From what I can tell, this is an issue with the packaging, not the upstream source, so I reported it here. In case this is wrong, I'm happy to report it upstream instead.

Let me know if there's any additional information you need.
This task depends upon

Closed by  Tobias Powalowski (tpowa)
Monday, 28 March 2022, 07:30 GMT
Reason for closing:  Fixed
Additional comments about closing:  4.16.0-2
Comment by Chih-Hsuan Yen (yan12125) - Saturday, 26 December 2020, 09:15 GMT
/etc/sudoers.d/ctdb seems not useful on Arch Linux. The upstream commit [1] that added this file says that:

> In RHEL 6+, rpc.statd runs as "rpcuser" instead of root as on RHEL 5. This prevents CTDB tool commands talking to daemon since "rpcuser" cannot access CTDB socket.

On Arch Linux, there does not seem to be a user called "rpcuser", and rpc-statd.service from core/nfs-utils is running as nobody (possibly after dropping root privileges).

[1] https://gitlab.com/samba-team/samba/-/commit/d931e73fb83fe1ced9c41b06c15060fd18aff3d7
Comment by Paolo (palmaway) - Monday, 01 February 2021, 17:58 GMT
I am experiencing the same issue. Since this essentially blocks the use of "visudo -c", and given that '/etc/sudoers.d/ctdb' is not useful on Arch as mentioned, I would be in favor of removing it from the Arch 'samba' package, rather than simply changing permissions on the file as suggested.

Loading...