Skip site navigation (1)Skip section navigation (2) 
Date:      Sun, 19 May 2013 08:36:51 +0100
From:      Chris Rees <utisoft@gmail.com>
To:        sindrome <sindrome@gmail.com>
Cc:        FreeBSD Mailing List <freebsd-ports@freebsd.org>
Subject:   Re: Why does Samba requires 777 permissions on /tmp
Message-ID:  <CADLo83-pFi8E-Wdoyju7YxBmOR67Qr4OWmZA-2x8_Um1F2bwoQ@mail.gmail.com>
In-Reply-To: <CAFzAeSdgRotc34%2BeyfVHZBA-QGUCWJ1MZDYw1ysRxEV9MhG2BQ@mail.gmail.com>
References:  <CAFzAeSdgRotc34%2BeyfVHZBA-QGUCWJ1MZDYw1ysRxEV9MhG2BQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 
On 19 May 2013 00:34, "sindrome" <sindrome@gmail.com> wrote:
>
> I just found myself troubleshooting an issue where my desktop machine
> couldn't login to my local samba server unless I have the /tmp directory
> permissions set to 777.  I'd like to have it 775 not only for security
> reasons but also because portupgrade always barks when the tmp directory
it
> set that way.  Is there something that can be tweaked in smb.conf so that
I
> can authenticate without that?
>
> This was in the logs which led me to the root of the problem.
> [2013/05/18 13:31:01,  0] smbd/service.c:191(set_current_service) chdir
> (/tmp) failed
>
> Once I changed it back to 777 the machine trust was working again.
>
> It seems that I could set the TMPDIR environmental variable to another
> directory but that's the very same variable that portupgrade uses so it
> would still have the same issue.
>
> These are the warnings that portupgrade gives if I keep the permissions
> that way.
>
> /usr/local/lib/ruby/site_ruby/1.8/pkgtools/pkgtools.rb:483: warning:
> Insecure world writable dir /tmp in PATH, mode 040777
> /usr/local/lib/ruby/site_ruby/1.8/pkgtools/pkgtools.rb:1170: warning:
> Insecure world writable dir /tmp in PATH, mode 040777
> /usr/local/lib/ruby/site_ruby/1.8/pkgtools/pkgmisc.rb:108: warning:
> Insecure world writable dir /tmp in PATH, mode 040777
>
> Any thoughts on how I can make Samba not require 777 on /tmp?

It is quite honestly an awful idea to have /tmp in your PATH.  Remove it,
and the complaints will stop.

Consider an attacker dropping a load of executables into /tmp, perhaps
called "portupgrad".  You tab-complete as root, and run that instead....

Chris

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CADLo83-pFi8E-Wdoyju7YxBmOR67Qr4OWmZA-2x8_Um1F2bwoQ>