Bug 5987 - smbd refuses connection when abiding to pam_mktemp
Status: NEW
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Other Linux
: P3 normal
: none
Assigned To: Samba Bugzilla Account
Samba QA Contact
Reported: 2008-12-21 20:01 UTC by Diego Pettenò
Modified: 2008-12-23 11:03 UTC (History)
Description Diego Pettenò 2008-12-21 20:01:46 UTC
In Gentoo there's optional support for using pam_mktemp[1] to restrict access to the per-user temporary files; this module sets TMPDIR to a private /tmp/.private/$USER directory which is not accessible by other users.

Unfortunately this seems to clash with Samba, since after setting it up it does not respond to connections any longer, and instead logs this:

Dec 21 23:37:03 [smbd] [2008/12/21 23:37:03, 0] smbd/service.c:set_current_service(184)_
Dec 21 23:37:03 [smbd] chdir (/tmp/.private/nobody) failed_

I'm not sure where to start to debug, but if somebody can at least give me some pointers I can try to do my best to arrive at a solution.

[1] http://www.openwall.com/pam/
Comment 1 Diego Pettenò 2008-12-23 11:03:46 UTC
Looking a bit further into this, it seems the problem is that the PAM session chain is not fully executed (and the environment set) when the user is switched during authentication.

Without this, TMPDIR still refers to nobody's user rather than the current logged-in user, which will fail since the private temporary directories are not accessible by other users (this is where the mitigation enters the game).
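The failure mode described in this report, as an added example that is not part of the original report and is not Samba code: a check that an inherited TMPDIR really belongs to the identity the process is about to run as, with a fallback when it does not. The names `check_private_tmpdir`, `select_tmpdir` and `demo_stale_tmpdir` are hypothetical, and the code assumes the private directory is owned by its user with no group or other permission bits.

```c
#define _XOPEN_SOURCE 700
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum tmpdir_status { TMPDIR_OK, TMPDIR_MISSING, TMPDIR_NOT_DIR,
                     TMPDIR_WRONG_OWNER, TMPDIR_TOO_OPEN };

/* Is `path` a private temp directory for `uid`? A TMPDIR inherited from
 * another identity (e.g. set for "nobody") fails the ownership test. */
enum tmpdir_status check_private_tmpdir(const char *path, uid_t uid)
{
    struct stat st;
    if (path == NULL || path[0] != '/')
        return TMPDIR_MISSING;
    if (lstat(path, &st) != 0)            /* lstat: never follow a symlink */
        return TMPDIR_MISSING;
    if (!S_ISDIR(st.st_mode))
        return TMPDIR_NOT_DIR;
    if (st.st_uid != uid)
        return TMPDIR_WRONG_OWNER;        /* stale value from a previous user */
    if (st.st_mode & (S_IRWXG | S_IRWXO))
        return TMPDIR_TOO_OPEN;           /* assumed policy: mode 0700 only */
    return TMPDIR_OK;
}

/* Use the inherited TMPDIR only when it belongs to uid, else the fallback. */
const char *select_tmpdir(const char *env_tmpdir, uid_t uid, const char *fallback)
{
    return check_private_tmpdir(env_tmpdir, uid) == TMPDIR_OK ? env_tmpdir : fallback;
}

/* Constructed demo: a 0700 directory owned by us stands in for
 * /tmp/.private/$USER; "other" stands in for the user switched to later. */
int demo_stale_tmpdir(void)
{
    char tmpl[] = "/tmp/tmpdir-demo-XXXXXX";
    char *dir = mkdtemp(tmpl);            /* created with mode 0700 */
    if (dir == NULL)
        return -1;
    uid_t me = geteuid(), other = me + 1;
    int ok = check_private_tmpdir(dir, me) == TMPDIR_OK
          && check_private_tmpdir(dir, other) == TMPDIR_WRONG_OWNER
          && strcmp(select_tmpdir(dir, other, "/tmp"), "/tmp") == 0;
    rmdir(dir);
    return ok ? 0 : 1;
}

int main(void) { return demo_stale_tmpdir(); }
```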