Thanks for taking the time to report this bug and helping to make Ubuntu better. We appreciate the difficulties you are facing, but this appears to be a "regular" (non-security) bug. I have unmarked it as a security issue since this bug does not show evidence of allowing attackers to cross privilege boundaries nor directly cause loss of data/privacy. Please feel free to report any other bugs you may find.
** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/1247710

Title:
  CIFS kernel sockets do not belong to any UID

Status in “linux” package in Ubuntu:
  New

Bug description:
  I have a Kubuntu which uses a customized UFW to do egress filtering.
  The default policy of the OUTPUT chain is REJECT, which means that NO
  process is allowed to send packets until I have explicitly allowed it.
  To allow output packets on a per-user basis, I use the
  "-m owner --uid-owner username" match of iptables.

  Unfortunately, CIFS mounting kept failing even though I've allowed
  root to send packets. So I experimented with the UIDs to find out
  which UID the kernel uses for CIFS. As "--uid-owner" supports user
  ranges, I was able to determine that the packets do not belong to ANY
  valid UID:

  The following rule makes CIFS mounts succeed:

    -A ufw-before-output -m owner --socket-exists ! --uid-owner 0-4294967294 -o eth0 --dest 192.168.1.1 -p tcp --dport 445 -j ACCEPT

  The inversion of the UID-owner match in the same rule makes them NOT
  succeed:

    -A ufw-before-output -m owner --socket-exists --uid-owner 0-4294967294 -o eth0 --dest 192.168.1.1 -p tcp --dport 445 -j ACCEPT

  Incrementing the maximal UID of the range by 1 to 4294967295 makes
  iptables complain that the UID is out of range. So the range of ALL
  UIDs available in the Linux kernel is indeed 0-4294967294, and CIFS
  mounts only work if we assume the packets to be OUT of that range. So
  the packets are missing a UID.

  Distro = Kubuntu 12.10 amd64
  Kernel package = linux-image-3.5.0-42-generic
  Kernel package version = 3.5.0-42.65
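
The two rule outcomes described in the report, as an added example that is not part of the bug report or of the kernel source: a simplified user-space model of an owner match's decision order. All struct, flag and function names are hypothetical, and the handling of a socket that has no backing file is an assumption chosen because it reproduces both results the reporter observed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Option bits, local to this example. */
enum { OWNER_UID = 1 << 0, OWNER_GID = 1 << 1, OWNER_SOCKET = 1 << 2 };

/* Hypothetical stand-ins for the objects an owner match inspects. */
struct model_file { uint32_t fsuid; };
struct model_sock { bool has_socket; const struct model_file *file; };
struct owner_rule { uint8_t match, invert; uint32_t uid_min, uid_max; };

/* Returns true when the rule matches the packet's originating socket. */
bool owner_match(const struct owner_rule *r, const struct model_sock *sk)
{
    if (sk == NULL || !sk->has_socket)          /* no socket at all */
        return (r->match ^ r->invert) == 0;
    if (r->match & r->invert & OWNER_SOCKET)    /* ! --socket-exists */
        return false;
    /* Assumption: a kernel-created socket has no file, so there are no
     * credentials to compare. A plain UID/GID test fails, an inverted
     * one passes, whatever range the rule names. */
    if (sk->file == NULL)
        return ((r->match ^ r->invert) & (OWNER_UID | OWNER_GID)) == 0;
    if (r->match & OWNER_UID) {
        bool in_range = sk->file->fsuid >= r->uid_min &&
                        sk->file->fsuid <= r->uid_max;
        if (in_range == !!(r->invert & OWNER_UID))
            return false;
    }
    return true;
}

/* The rules from the report: --socket-exists plus the full UID range,
 * with (inverted = true) or without the '!' on --uid-owner. */
struct owner_rule report_rule(bool inverted)
{
    struct owner_rule r = { OWNER_SOCKET | OWNER_UID,
                            inverted ? OWNER_UID : 0, 0, 4294967294u };
    return r;
}

int main(void)
{
    struct model_sock cifs = { true, NULL };    /* constructed sample */
    struct owner_rule inv = report_rule(true), plain = report_rule(false);
    printf("inverted rule matches: %d\n", owner_match(&inv, &cifs));
    printf("plain rule matches:    %d\n", owner_match(&plain, &cifs));
    return 0;
}
```

Under this model an egress policy built only from positive `--uid-owner` rules never matches traffic from sockets that have no file attached, so such traffic needs its own explicit rule, scoped by interface, destination and port as in the report.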