CIFS kernel sockets do not belong to any UID

Bug #1247710 reported by xor
Affects: linux (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

I have a Kubuntu installation which uses a customized UFW to do egress filtering.
The default policy of the OUTPUT chain is REJECT, which means that NO process is allowed to send packets until I have explicitly allowed it.
To allow output packets on a per-user basis, I use the "-m owner --uid-owner username" match of iptables.

Unfortunately, CIFS mounting kept failing even though I've allowed root to send packets. So I experimented with the UIDs to find out which UID the kernel uses for CIFS.

As "--uid-owner" supports user ranges, I was able to determine that the packets do not belong to ANY valid UID:
The following rule makes CIFS mounts succeed:
-A ufw-before-output -m owner --socket-exists ! --uid-owner 0-4294967294 -o eth0 --dest 192.168.1.1 -p tcp --dport 445 -j ACCEPT

The inversion of the UID-owner match in the same rule makes them NOT succeed:
-A ufw-before-output -m owner --socket-exists ! --uid-owner 0-4294967294 -o eth0 --dest 192.168.1.1 -p tcp --dport 445 -j ACCEPT

Incrementing the maximal UID of the range by 1 to 4294967295 makes iptables complain that the UID is out of range.
So the range of ALL UIDs available in the Linux kernel is indeed 0-4294967294, and CIFS mounts only work if we assume the packets to be OUT of that range. So the packets are missing a UID.

Distro = Kubuntu 12.10 amd64
Kernel package = linux-image-3.5.0-42-generic
Kernel package version = 3.5.0-42.65

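Added example (not part of the report or of the kernel): a small Python model of the owner-match decision that reproduces the behaviour described above, so the working rule, its non-inverted counterpart and a plain "allow root" rule can be compared against a kernel-owned CIFS socket. The match logic is a constructed simulation written from the report's observations, not the kernel's xt_owner code; Packet, OwnerRule, fsuid and owner_matches are assumed names.

```python
# Constructed model of the iptables "owner" match, written to reproduce the
# behaviour the report observes. Not the kernel's xt_owner code (assumption).
from dataclasses import dataclass
from typing import Optional

UID_MAX = 4294967294  # largest value iptables accepts in --uid-owner (see report)


@dataclass
class Packet:
    has_socket: bool      # False for packets generated without any socket
    fsuid: Optional[int]  # None: kernel socket, no owning process or file


@dataclass
class OwnerRule:
    """-m owner [--socket-exists] [!] --uid-owner MIN[-MAX]"""
    socket_exists: bool = False
    uid_min: Optional[int] = None
    uid_max: Optional[int] = None
    invert_uid: bool = False

    def __post_init__(self) -> None:
        if self.uid_min is None:
            return
        if self.uid_max is None:
            self.uid_max = self.uid_min
        if not 0 <= self.uid_min <= self.uid_max <= UID_MAX:
            raise ValueError("UID out of range")  # iptables rejects 4294967295


def owner_matches(rule: OwnerRule, pkt: Packet) -> bool:
    """Return True if the packet satisfies every test the rule carries."""
    if rule.socket_exists and not pkt.has_socket:
        return False
    if rule.uid_min is None:          # no UID test requested
        return True
    if pkt.fsuid is None:
        # No UID to compare against: the positive test cannot succeed,
        # so only the inverted form ("! --uid-owner ...") matches.
        return rule.invert_uid
    in_range = rule.uid_min <= pkt.fsuid <= rule.uid_max
    return in_range != rule.invert_uid


# Constructed packets: the CIFS client's kernel socket, and one from a root process.
KERNEL_CIFS = Packet(has_socket=True, fsuid=None)
ROOT_PROCESS = Packet(has_socket=True, fsuid=0)
# The report's working rule, its corrected non-inverted form, and "--uid-owner root".
INVERTED_RULE = OwnerRule(socket_exists=True, uid_min=0, uid_max=UID_MAX, invert_uid=True)
PLAIN_RULE = OwnerRule(socket_exists=True, uid_min=0, uid_max=UID_MAX)
ROOT_ONLY_RULE = OwnerRule(uid_min=0)  # why allowing root alone did not help CIFS
```
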
Revision history for this message
xor (xor) wrote :

Sorry, there is a mistake in the following:
"The inversion of the UID-owner match in the same rule makes them NOT succeed:
-A ufw-before-output -m owner --socket-exists ! --uid-owner 0-4294967294 -o eth0 --dest 192.168.1.1 -p tcp --dport 445 -j ACCEPT"

It should have been this instead:
"The inversion of the UID-owner match in the same rule makes them NOT succeed:
-A ufw-before-output -m owner --socket-exists --uid-owner 0-4294967294 -o eth0 --dest 192.168.1.1 -p tcp --dport 445 -j ACCEPT"

Revision history for this message
Seth Arnold (seth-arnold) wrote : Bug is not a security issue

Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.

information type: Private Security → Public
Revision history for this message
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1247710

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Revision history for this message
Launchpad Janitor (janitor) wrote :

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

Changed in linux (Ubuntu):
status: Incomplete → Expired