samba install flushes iptables and sets all chains to policy accept

Bug #1921941 reported by R Kendal
This bug affects 1 person
Affects: samba (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

I have been tracking down why my iptables have been getting flushed in a VM.

This is what it led me to...

sudo iptables -L -n
sudo apt-get install -yq samba
sudo iptables -L -n

The iptables listing before the samba install is long.

The iptables listing after the samba install has been flushed and all
chains are set to policy ACCEPT!

Ubuntu 20.04.2

samba --version
Version 4.11.6-Ubuntu

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: samba 2:4.11.6+dfsg-0ubuntu1.6
ProcVersionSignature: Ubuntu 5.4.0-70.78-generic 5.4.94
Uname: Linux 5.4.0-70-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.16
Architecture: amd64
CIFSMounts:
 /mnt/v //192.168.1.5/picasso_digital cifs ro,relatime,vers=3.02,cache=strict,username=picassoUSER,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.5,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1
 /mnt/pshare //192.168.1.5/pshare/picasso.digital[/picasso.digital] cifs rw,relatime,vers=3.02,cache=strict,username=picassoUSER,uid=0,noforceuid,gid=0,noforcegid,addr=192.168.1.5,file_mode=0755,dir_mode=0755,soft,nounix,serverino,mapposix,rsize=4194304,wsize=4194304,bsize=1048576,echo_interval=60,actimeo=1
CasperMD5CheckResult: skip
Date: Tue Mar 30 14:18:30 2021
InstallationDate: Installed on 2021-03-30 (0 days ago)
InstallationMedia:

SambaClientRegression: Yes
SourcePackage: samba
UpgradeStatus: No upgrade log present (probably fresh install)

R Kendal (r-kendal) wrote :
Steve Beattie (sbeattie)
information type: Private Security → Public Security
Steve Beattie (sbeattie) wrote :

Hello, sorry you are having this issue.

Unfortunately I am unable to reproduce this, with samba 2:4.11.6+dfsg-0ubuntu1.6 from focal, either by applying iptables rules manually or enabling firewall rules with ufw:

  $ sudo iptables -D INPUT -i lo -j LOG
  $ sudo iptables -L INPUT -n
  Chain INPUT (policy ACCEPT)
  target prot opt source destination
  LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
  $ sudo apt install samba
    [ELIDED]
  $ sudo iptables -L INPUT -n
  Chain INPUT (policy ACCEPT)
  target prot opt source destination
  LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4

What are you using to apply firewall rules? None of the samba packages directly manipulate iptables in their postinstall scripts or in their service startup files that I can see. The samba package does drop an application file for ufw in /etc/ufw/applications.d/samba, but if ufw is not enabled, this should not be applied, nor should the ufw trigger that runs at the end of the installation touch iptables settings.

R Kendal (r-kendal) wrote : Re: [Bug 1921941] Re: samba install flushes iptables and sets all chains to policy accept

Hi,
I am glad to hear you never found anything.

Currently I see the issue in the midst of a long provisioning script.

My three lines of script are accurate insofar as within my
provisioning iptables are modified with "sudo apt-get install -yq
samba"

I will shrink down my provisioning script to see what arises.
I will get back to you.

PS: you said you installed samba 2:4.11.6+dfsg-0ubuntu1.6

As I posted in my original message, when I run "samba --version" I get this...
Version 4.11.6-Ubuntu


R Kendal (r-kendal) wrote :

Many VMs of testing later and I have this to report...

In my file /etc/network/interfaces.d/enp0s9.cfg I had this line...
pre-up iptables-restore < /etc/iptables/rules.v4

Unbeknownst to me, that cfg file was being triggered by ufw through the
samba install, before I had saved the iptables.

Thank you for your time with this.
I am happy the problem was just on my end!

Regards,
Kendal

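The root cause reported above was a pre-up hook running iptables-restore against /etc/iptables/rules.v4 before the live rules had been saved to it. The following guard is an added example, not part of the original report or of any Ubuntu package: it refuses to restore a file that would leave the filter table unfiltered. It assumes the stale file held only ACCEPT policies and no rules (the report does not show its contents); the function names and the IPTABLES_RESTORE override are hypothetical.

```shell
#!/bin/sh
# Added example: guard for a "pre-up iptables-restore < FILE" hook.

# classify_ruleset FILE -> prints: missing | open | ok  (heuristic, filter table only)
#   missing: file absent or empty
#   open:    no filter table, or only ACCEPT policies and no -A rules in it
classify_ruleset() {
    [ -s "$1" ] || { echo missing; return 0; }
    awk '
        /^\*/ { table = substr($1, 2) }                 # "*filter", "*nat", ...
        table != "filter" { next }
        /^:(INPUT|FORWARD|OUTPUT) / && $2 != "ACCEPT" { strict++ }
        /^-A / { rules++ }
        END { print ((strict + rules) > 0 ? "ok" : "open") }
    ' "$1"
}

# guarded_restore FILE: restore only when the file would leave some filtering in place.
# IPTABLES_RESTORE is a hypothetical override so the guard can be exercised without root.
guarded_restore() {
    verdict=$(classify_ruleset "$1")
    if [ "$verdict" != ok ]; then
        echo "refusing to restore $1: ruleset is $verdict" >&2
        return 1        # non-zero so the caller can stop instead of flushing
    fi
    "${IPTABLES_RESTORE:-iptables-restore}" < "$1"
}

# Constructed sample files in iptables-save format.
tmp=$(mktemp -d)
cat > "$tmp/stale.v4" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
cat > "$tmp/saved.v4" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF

for f in "$tmp/stale.v4" "$tmp/saved.v4" "$tmp/absent.v4"; do
    printf '%s: %s\n' "${f##*/}" "$(classify_ruleset "$f")"
done
```

Saved as a script that ends with guarded_restore "$1", this would replace the bare iptables-restore in the pre-up line of /etc/network/interfaces.d/enp0s9.cfg.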

Paride Legovini (paride) wrote :

Hello and thanks for your follow-up! Happy to hear that you found the root cause of the issue. As this was a local configuration problem rather than a bug in Ubuntu I'm setting the status of this bug to Invalid. Should you believe there is actually a bug here please comment back with your findings and change the bug status back to New, and we'll look at it again. Thanks!

Changed in samba (Ubuntu):
status: New → Invalid