Bug 880739 - net-fs/samba: Wrong privs for smbspool_krb5_wrapper
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal with 1 vote
Assignee: Gentoo's SAMBA Team
Reported: 2022-11-10 13:28 UTC by Joakim Tjernlund
Modified: 2022-11-25 05:36 UTC
Description Joakim Tjernlund 2022-11-10 13:28:01 UTC
smbspool_krb5_wrapper is installed with -rwxr-xr-x but man page says:
   It needs to be owned by root and the
   permissions for the binary need to be 0700.

This is because cupsd will not run the wrapper as root otherwise.
Comment 1 Joakim Tjernlund 2022-11-16 10:53:58 UTC
Also, cups/backend/smp points to smb -> ../../../bin/smbspool
but in order to use Kerberos to authenticate oneself this symlink
needs to point to Samba's smbspool_krb5_wrapper:
  smb -> ../../samba/smbspool_krb5_wrapper
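A post-install check for the two conditions raised in the Description and in Comment 1, as an added example that is not part of the bug report or the ebuild. The function names and the optional uid argument are assumptions for illustration, and GNU `stat` and `readlink` are assumed.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the CUPS smb backend.

# backend_mode_ok FILE [UID]
# Returns 0 when FILE is owned by UID (default 0, root) and grants no
# group/other permission bits; 1 on a violation; 2 if FILE is unusable.
# The UID argument is hypothetical and exists so the check can be tested
# without root.
backend_mode_ok() {
    file=$1
    want_uid=${2:-0}
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # GNU stat: %a = octal mode, %u = numeric owner id
    mode=$(stat -L -c '%a' "$file") || return 2
    uid=$(stat -L -c '%u' "$file") || return 2
    rc=0
    if [ "$uid" != "$want_uid" ]; then
        echo "$file: owner uid $uid, expected $want_uid" >&2
        rc=1
    fi
    # Leading 0 makes the shell read the mode as octal; 077 = group+other.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$file: mode $mode grants group/other access" >&2
        rc=1
    fi
    return $rc
}

# backend_points_to LINK NAME
# Returns 0 when symlink LINK resolves to a file whose basename is NAME.
backend_points_to() {
    link=$1
    name=$2
    [ -L "$link" ] || { echo "$link: not a symlink" >&2; return 2; }
    target=$(readlink -f "$link") || return 2
    [ "$(basename "$target")" = "$name" ]
}

# Typical use, with the paths implied by the symlink in Comment 1:
#   backend_mode_ok /usr/libexec/samba/smbspool_krb5_wrapper &&
#   backend_points_to /usr/libexec/cups/backend/smb smbspool_krb5_wrapper
```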
Comment 2 Joakim Tjernlund 2022-11-16 10:54:34 UTC
Suggested change:

--- samba-4.15.12.ebuild~	2022-11-16 04:10:36.000000000 +0100
+++ samba-4.15.12.ebuild	2022-11-16 11:49:43.570804454 +0100
@@ -265,6 +265,8 @@
 
 	# Make all .so files executable
 	find "${ED}" -type f -name "*.so" -exec chmod +x {} + || die
+	# smbspool_krb5_wrapper must only be accessible to root
+	find "${ED}" -type f -name "smbspool_krb5_wrapper" -exec chmod go-rwx {} + || die
 
 	if multilib_is_native_abi ; then
 		# install ldap schema for server (bug #491002)
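Review bot: the added `chmod go-rwx` line only clears group and other bits, while the man page quoted in the description asks for exactly 0700 and root ownership; an explicit `chmod 0700` would state that intent directly. `find ... -exec ... +` also exits 0 when no file named smbspool_krb5_wrapper exists under `${ED}`, so the `|| die` never fires if the wrapper is not installed or is renamed. The new comment would be more useful if it said why root-only access is required (cupsd will not run the backend as root otherwise).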
@@ -275,8 +277,8 @@
 
 		# create symlink for cups (bug #552310)
 		if use cups ; then
-			dosym ../../../bin/smbspool \
-				/usr/libexec/cups/backend/smb
+			dosym  ../../samba/smbspool_krb5_wrapper \
+				   /usr/libexec/cups/backend/smb || die "symlink for smbspool_krb5_wrapper"
 		fi
 
 		# install example config file
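Review bot: the `dosym` change inside the `use cups` block repoints /usr/libexec/cups/backend/smb for every CUPS install, not only for setups that need Kerberos, and the comment above it still reads "create symlink for cups (bug #552310)" with no reason for the new target; document the motivation there or make the switch conditional. The relative target resolves to /usr/libexec/samba/smbspool_krb5_wrapper, and nothing in the visible lines shows the wrapper is installed at that path. The added lines also have a double space after `dosym` and mix tabs with spaces on the continuation line.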
Comment 3 Joakim Tjernlund 2022-11-17 09:12:13 UTC
I made a PR for the first hunk at:
https://github.com/gentoo/gentoo/pull/28307
Comment 4 Joakim Tjernlund 2022-11-23 23:57:56 UTC
Ping ?

I keep forgetting to manually change privs on smbspool_krb5_wrapper after emerging samba
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-11-24 00:48:30 UTC
(In reply to Joakim Tjernlund from comment #4)
> Ping ?
> 
> I keep forgetting to manually change privs on smbspool_krb5_wrapper after
> emerging samba

Could you rebase it?
Comment 6 Joakim Tjernlund 2022-11-24 07:22:00 UTC
(In reply to Sam James from comment #5)
> (In reply to Joakim Tjernlund from comment #4)
> > Ping ?
> > 
> > I keep forgetting to manually change privs on smbspool_krb5_wrapper after
> > emerging samba
> 
> Could you rebase it?

yes, done.
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-11-24 09:03:35 UTC
thanks, on it
Comment 8 Larry the Git Cow gentoo-dev 2022-11-24 09:50:54 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=72b1e774c4f1559b276f6441b1288b6bb0d9c3a0

commit 72b1e774c4f1559b276f6441b1288b6bb0d9c3a0
Author:     Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
AuthorDate: 2022-11-17 09:04:25 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-11-24 09:50:24 +0000

    net-fs/samba: Make smbspool_krb5_wrapper accessible to root only
    
    For CUPS to exec a plugin as root, group and others must not have privs.
    
    Closes: https://bugs.gentoo.org/880739
    Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
    Closes: https://github.com/gentoo/gentoo/pull/28307
    Signed-off-by: Sam James <sam@gentoo.org>

 net-fs/samba/{samba-4.15.12-r1.ebuild => samba-4.15.12-r2.ebuild} | 2 ++
 net-fs/samba/{samba-4.16.7-r1.ebuild => samba-4.16.7-r2.ebuild}   | 2 ++
 2 files changed, 4 insertions(+)
Comment 9 Joakim Tjernlund 2022-11-24 19:40:08 UTC
It is 100% done, there is this part too:
-			dosym ../../../bin/smbspool \
-				/usr/libexec/cups/backend/smb
+			dosym  ../../samba/smbspool_krb5_wrapper \
+				   /usr/libexec/cups/backend/smb || die "symlink for smbspool_krb5_wrapper"

which some may think is too much but if you are OK with that I can
make another PR with that change too.
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-11-25 05:36:15 UTC
(In reply to Joakim Tjernlund from comment #9)
> It is 100% done, there is this part too:
> -			dosym ../../../bin/smbspool \
> -				/usr/libexec/cups/backend/smb
> +			dosym  ../../samba/smbspool_krb5_wrapper \
> +				   /usr/libexec/cups/backend/smb || die "symlink for
> smbspool_krb5_wrapper"
> 
> which some may think is too much but if you are OK with that I can
> make another PR with that change too.

I'm not sure if I understand the need/motivation. Can you open another bug & PR and we can discuss it there? Thanks!