The source project of this merge request has been removed.
smbd: allow reading under /usr/share/samba
Today, a normal user connected and did something (dunno what) that caused smbd to try to /usr/share/samba/mdssvc/elasticsearch_mappings.json
:
Samba logs:
root@smb:~# journalctl -b0 -u smbd
-- Logs begin at Fri 2022-01-21 14:17:01 UTC, end at Thu 2022-02-17 23:56:02 UTC. --
Feb 17 14:01:20 smb systemd[1]: Starting Samba SMB Daemon...
Feb 17 14:01:26 smb smbd[113]: [2022/02/17 14:01:26.904865, 0] ../../lib/util/become_daemon.c:135(daemon_ready)
Feb 17 14:01:26 smb systemd[1]: Started Samba SMB Daemon.
Feb 17 14:01:26 smb smbd[113]: daemon_ready: daemon 'smbd' finished starting up and ready to serve connections
Feb 17 21:05:35 smb smbd[3084]: pam_unix(samba:session): session opened for user jdoe by (uid=0)
Feb 17 21:05:37 smb smbd[3084]: [2022/02/17 21:05:37.735182, 0] ../../source3/rpc_server/mdssvc/mdssvc_es.c:92(mdssvc_es_init)
Feb 17 21:05:37 smb smbd[3084]: mdssvc_es_init: Opening mapping file [/usr/share/samba/mdssvc/elasticsearch_mappings.json] failed: unable to open /usr/share/samba/mdssvc/elasticsearch_mappings.json: Permission denied
Feb 17 21:05:37 smb smbd[3084]: [2022/02/17 21:05:37.735436, 0] ../../source3/rpc_server/mdssvc/mdssvc.c:1490(mdssvc_init)
Feb 17 21:05:37 smb smbd[3084]: mdssvc_init: backend init failed
Feb 17 21:05:37 smb smbd[3084]: [2022/02/17 21:05:37.735562, 0] ../../source3/rpc_server/mdssvc/srv_mdssvc_nt.c:152(_mdssvc_open)
Feb 17 21:05:37 smb smbd[3084]: _mdssvc_open: Couldn't create policy handle for partage
Feb 17 23:56:02 smb smbd[3084]: pam_unix(samba:session): session closed for user jdoe
Since the 'smb' machine is a container, the Apparmor denial ended up in the host's log:
$ journalctl -o cat --grep samba -k --since today | cat
audit: type=1400 audit(1645131937.730:98): apparmor="DENIED" operation="open" namespace="root//lxd-smb_<var-snap-lxd-common-lxd>" profile="smbd" name="/usr/share/samba/mdssvc/elasticsearch_mappings.json" pid=35359 comm="smbd" requested_mask="r" denied_mask="r" fsuid=166549 ouid=165536
It is the first time it occurs in years of use but it seems legitimate as:
- this file is installed by the package
-
git grep -F elasticsearch_mappings
in Debian samba's source shows many hits:
$ git grep -F elasticsearch_mappings
debian/samba.install:usr/share/samba/mdssvc/elasticsearch_mappings.json
docs-xml/manpages/mdsearch.1.xml: <filename>/usr/share/samba/mdssvc/elasticsearch_mappings.json</filename>
docs-xml/smbdotconf/misc/elasticsearchmappings.xml: <value type="default">&pathconfig.SAMBA_DATADIR;/elasticsearch_mappings.json</value>
docs/manpages/mdfind.1:/usr/share/samba/mdssvc/elasticsearch_mappings\&.json
docs/manpages/smb.conf.5:\fI\fIelasticsearch:mappings\fR\fR\fI = \fR\fI${prefix}/var/samba/elasticsearch_mappings\&.json\fR\fI \fR
selftest/selftest.pl: elasticsearch:mappings = $srcdir_abs/source3/rpc_server/mdssvc/elasticsearch_mappings.json
selftest/target/Samba3.pm: elasticsearch:mappings = $srcdir_abs/source3/rpc_server/mdssvc/elasticsearch_mappings.json
source3/rpc_server/mdssvc/es_parser_test.c: "%s/mdssvc/elasticsearch_mappings.json",
source3/rpc_server/mdssvc/mdssvc_es.c: "%s/mdssvc/elasticsearch_mappings.json",
source3/rpc_server/wscript_build: 'mdssvc/elasticsearch_mappings.json')
While only the mdssvc
sub-dir could be authorized, the whole dir content seemed OK for read access anyway:
root@smb:~# ll /usr/share/samba/
total 53
drwxr-xr-x 5 root root 10 Feb 1 14:08 ./
drwxr-xr-x 67 root root 67 Jun 22 2021 ../
-rwxr-xr-x 1 root root 1163 Jan 31 13:11 addshare.py*
drwxr-xr-x 3 root root 4 Feb 1 14:08 admx/
drwxr-xr-x 2 root root 3 Feb 1 14:08 mdssvc/
-rwxr-xr-x 1 root root 2059 Jan 31 13:11 panic-action*
-rwxr-xr-x 1 root root 1333 Jan 31 13:11 setoption.py*
drwxr-xr-x 5 root root 57 Feb 1 14:08 setup/
-rw-r--r-- 1 root root 8942 Jan 31 13:11 smb.conf
-rwxr-xr-x 1 root root 2682 Jan 31 13:11 update-apparmor-samba-profile*