CIFS kernel sockets do not belong to any UID
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Expired | Undecided | Unassigned |
Bug Description
I have a Kubuntu which uses a customized UFW to do egress filtering.
The default policy of the OUTPUT chain is REJECT, which means that NO process is allowed to send packets until I have explicitly allowed it.
To allow output packets on a per-user basis, I use the "-m owner --uid-owner username" match of iptables.
Unfortunately, CIFS mounting kept failing even though I've allowed root to send packets. So I experimented with the UIDs to find out which UID the kernel uses for CIFS.
As "--uid-owner" supports user ranges, I was able to determine that the packets do not belong to ANY valid UID:
The following rule makes CIFS mounts succeed:
-A ufw-before-output -m owner --socket-exists ! --uid-owner 0-4294967294 -o eth0 --dest 192.168.1.1 -p tcp --dport 445 -j ACCEPT
The inversion of the UID-owner match in the same rule makes them NOT succeed:
-A ufw-before-output -m owner --socket-exists ! --uid-owner 0-4294967294 -o eth0 --dest 192.168.1.1 -p tcp --dport 445 -j ACCEPT
Incrementing the maximal UID of the range by 1 to 4294967295 makes iptables complain that the UID is out of range.
So the range of ALL UIDs available in the Linux kernel is indeed 0-4294967294, and CIFS mounts only work if we assume the packets to be OUT of that range. So the packets are missing a UID.
Distro = Kubuntu 12.10 amd64
Kernel package = linux-image-
Kernel package version = 3.5.0-42.65
Sorry, there is a mistake in the following:
"The inversion of the UID-owner match in the same rule makes them NOT succeed:
-A ufw-before-output -m owner --socket-exists ! --uid-owner 0-4294967294 -o eth0 --dest 192.168.1.1 -p tcp --dport 445 -j ACCEPT"
It should have been this instead:
"The inversion of the UID-owner match in the same rule makes them NOT succeed:
-A ufw-before-output -m owner --socket-exists --uid-owner 0-4294967294 -o eth0 --dest 192.168.1.1 -p tcp --dport 445 -j ACCEPT"
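To make the reported behaviour concrete, here is an added Python model (not code from the bug report, ufw or the kernel) of how the iptables owner match treats a packet whose socket has no owning UID, evaluated against the two rules above with and without the "!" inversion. The match logic is a simplified assumption: a kernel socket with no backing file can only satisfy an inverted UID test, which is what the report observes.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Highest UID iptables accepts in a --uid-owner range (from the report).
UID_MAX = 4294967294


@dataclass
class Socket:
    # uid=None models a kernel-owned socket (CIFS, NFS, ...) that has no
    # owning process or file, and therefore no UID to compare against.
    uid: Optional[int]


@dataclass
class OwnerRule:
    uid_range: Optional[Tuple[int, int]] = None  # (lo, hi) of --uid-owner
    invert_uid: bool = False                     # "! --uid-owner"
    socket_exists: bool = False                  # --socket-exists


def owner_match(rule: OwnerRule, sock: Optional[Socket]) -> bool:
    """Simplified model of the owner match: True if the rule matches."""
    if sock is None:
        # No socket at all (e.g. a forwarded packet): --socket-exists fails,
        # and a UID test can only pass when it is inverted.
        if rule.socket_exists:
            return False
        return rule.uid_range is None or rule.invert_uid
    if sock.uid is None:
        # Kernel socket: it exists, so --socket-exists passes, but with no
        # UID the comparison is "not in range" whatever the range is.
        return rule.uid_range is None or rule.invert_uid
    if rule.uid_range is None:
        return True
    lo, hi = rule.uid_range
    in_range = lo <= sock.uid <= hi
    return in_range != rule.invert_uid


def cifs_rule_accepts(invert: bool, sock: Optional[Socket]) -> bool:
    """Evaluate the report's ACCEPT rule (all UIDs 0-4294967294) for a socket."""
    rule = OwnerRule(uid_range=(0, UID_MAX), invert_uid=invert,
                     socket_exists=True)
    return owner_match(rule, sock)


if __name__ == "__main__":
    kernel_sock = Socket(uid=None)   # constructed: CIFS mount traffic
    root_sock = Socket(uid=0)        # constructed: a root-owned socket
    print("kernel, ! --uid-owner:", cifs_rule_accepts(True, kernel_sock))
    print("kernel,   --uid-owner:", cifs_rule_accepts(False, kernel_sock))
    print("root,     --uid-owner:", cifs_rule_accepts(False, root_sock))
```

A consequence for egress filtering: a rule that allows only "root" via --uid-owner does not cover kernel-originated sockets, while the inverted full-range rule admits every packet that has no owner, not just CIFS.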