From: Chris Rees
To: sindrome
Cc: FreeBSD Mailing List
Date: Sun, 19 May 2013 08:36:51 +0100
Subject: Re: Why does Samba requires 777 permissions on /tmp

On 19 May 2013 00:34, "sindrome" wrote:
>
> I just found myself troubleshooting an issue where my desktop machine
> couldn't login to my local samba server unless I have the /tmp directory
> permissions set to 777. I'd like to have it 775 not only for security
> reasons but also because portupgrade always barks when the tmp directory is
> set that way. Is there something that can be tweaked in smb.conf so that I
> can authenticate without that?
>
> This was in the logs which led me to the root of the problem.
> [2013/05/18 13:31:01, 0] smbd/service.c:191(set_current_service) chdir (/tmp) failed
>
> Once I changed it back to 777 the machine trust was working again.
>
> It seems that I could set the TMPDIR environmental variable to another
> directory but that's the very same variable that portupgrade uses so it
> would still have the same issue.
>
> These are the warnings that portupgrade gives if I keep the permissions
> that way.
>
> /usr/local/lib/ruby/site_ruby/1.8/pkgtools/pkgtools.rb:483: warning: Insecure world writable dir /tmp in PATH, mode 040777
> /usr/local/lib/ruby/site_ruby/1.8/pkgtools/pkgtools.rb:1170: warning: Insecure world writable dir /tmp in PATH, mode 040777
> /usr/local/lib/ruby/site_ruby/1.8/pkgtools/pkgmisc.rb:108: warning: Insecure world writable dir /tmp in PATH, mode 040777
>
> Any thoughts on how I can make Samba not require 777 on /tmp?

It is quite honestly an awful idea to have /tmp in your PATH. Remove it,
and the complaints will stop.

Consider an attacker dropping a load of executables into /tmp, perhaps
called "portupgrad". You tab-complete as root, and run that instead....

Chris
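
A check for the risk raised in the reply, as an added example that is not part of the original thread: a POSIX sh function (`audit_path`, a hypothetical name) that reports PATH entries which are world-writable, with or without the sticky bit, or relative. The verdict labels and output format are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a PATH-style string for entries a local user can plant files in.
# audit_path is a hypothetical helper. It prints one "<VERDICT> <mode> <entry>" line
# per finding and returns 0 only when there are no findings.
#   INSECURE  world-writable, no sticky bit (the 040777 in the warnings quoted above):
#             any user can add, replace or delete files in the directory
#   STICKY    world-writable with sticky bit (e.g. 1777): deleting or renaming other
#             users' files is blocked, but any user can still add new files
#   RELATIVE  empty or non-absolute entry: resolved against the current directory
audit_path() {
    findings=0
    list="$1:"                  # trailing ':' preserves a trailing empty entry
    old_ifs=$IFS
    set -f                      # no globbing while the list is split
    IFS=:
    set -- $list                # split on ':' into the function's positional parameters
    IFS=$old_ifs
    set +f
    for entry in "$@"; do
        case "$entry" in
            /*) ;;
            *)  echo "RELATIVE - ${entry:-<empty>}"
                findings=$((findings + 1))
                continue ;;
        esac
        [ -d "$entry" ] || continue
        # -L follows symlinks so the target directory's mode is checked
        mode=$(ls -ldL "$entry" | cut -c1-10)
        case "$mode" in
            d???????w[tT]) echo "STICKY $mode $entry";   findings=$((findings + 1)) ;;
            d???????w?)    echo "INSECURE $mode $entry"; findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Usage: audit_path "$PATH" || echo "PATH needs attention"
```

Run it as the account whose PATH matters, root included, since the tab-completion scenario in the reply depends on root's PATH.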