The openSUSE Bugzilla request to do a security review was closed as WONTFIX with the following explanation:
Due to CVE-2017-8422 and CVE-2017-8849 it was decided to remove smb4k from Factory. Operating with root privileges (such as the smb4k helper is doing) in user-owned directories can never be secure. That's why it won't be approved.
Is there anything which can be done to change the way SMB4K works in order to satisfy the openSUSE requirement?
Stuart
I wonder what is meant by 'user owned directories'. If they mean all directories under /home, a fix would be to hard code the mount prefix to e.g. '/mnt/smb4k_<USER>'. I'm currently not sure if that directory would have to have the UID set to the user's one, but maybe it should. If the openSUSE dev means any user-owned directory, we are in a pickle, because the directory under /mnt would then, again, be owned by a user ...
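To make the hard-coded prefix idea concrete, here is an added example (not Smb4K's own code) of the policy a root-privileged mount helper could enforce before mounting: the target must be exactly `/mnt/smb4k_<user>/<share>`, the per-user prefix directory must be a root-owned, non-symlink directory that the user cannot write to, and the share directory must be a real directory owned by the invoking user. The prefix, function names and the choice to let the user own the leaf directory are assumptions for illustration.

```c
/* Added example: mount-point policy for a privileged helper.
 * Hypothetical prefix and function names; not Smb4K's own code. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

#define MOUNT_PREFIX "/mnt/smb4k_"   /* hypothetical hard-coded prefix */

/* Syntactic policy: path must be MOUNT_PREFIX<user>/<one component>,
 * with no empty, "." or ".." component and no trailing slash. */
bool mountpoint_syntax_ok(const char *path, const char *user)
{
    char want[256];
    int n = snprintf(want, sizeof want, "%s%s/", MOUNT_PREFIX, user);
    if (n < 0 || (size_t)n >= sizeof want || strchr(user, '/') != NULL)
        return false;
    if (strncmp(path, want, (size_t)n) != 0)   /* trailing '/' in want
                                                  stops "ali" matching
                                                  "smb4k_alice" */
        return false;
    const char *share = path + n;
    if (*share == '\0' || strchr(share, '/') != NULL)
        return false;
    if (strcmp(share, ".") == 0 || strcmp(share, "..") == 0)
        return false;
    return true;
}

/* Filesystem policy: the per-user prefix directory must be a real
 * directory (lstat, so not a symlink) owned by root and not writable by
 * group/others; the share directory must be a non-symlink directory owned
 * by the invoking user. Because the user cannot write to the root-owned
 * parent, they cannot rename or replace the share directory between this
 * check and the mount. Assumes /mnt itself is root-owned. */
bool mountpoint_fs_ok(const char *path, uid_t expected_uid)
{
    char parent[256];
    const char *slash = strrchr(path, '/');
    if (slash == NULL || (size_t)(slash - path) >= sizeof parent)
        return false;
    memcpy(parent, path, (size_t)(slash - path));
    parent[slash - path] = '\0';

    struct stat st;
    if (lstat(parent, &st) != 0 || !S_ISDIR(st.st_mode))
        return false;
    if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0)
        return false;
    if (lstat(path, &st) != 0 || !S_ISDIR(st.st_mode))
        return false;
    return st.st_uid == expected_uid;
}
```

Both checks must pass before the helper touches the path; a helper that accepts an arbitrary user-supplied directory has no way to make the second check meaningful, which is the objection the openSUSE reviewer raised.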
Do you have the link to that bug report? Searching openSUSE's Bugzilla did not give me a hit. I would like to read the whole report to be able to decide what could be done.
Alexander
The wontfix bug is https://bugzilla.suse.com/show_bug.cgi?id=1041511
Stuart
After having read the report and also the other one stated there, I have the impression that a security audit is needed to have Smb4K re-enter. I guess the maintainer has to trigger this, and he has done so, as far as I can see, in both bug reports. Maybe we need to wait ...
Yes, things have moved on a little since my original post. A fixed version of SMB4K is available but not yet in the standard repos; it is waiting for the audit to be considered.
Stuart
In one of the mentioned bug reports I saw that the maintainer uploaded a new version of 2.0.0 - if I remember correctly - with the mount helper disabled. That basically means he removed the main feature. :( I hope they will include Smb4K 2.0.1 with all features enabled and not that crippled version...
The test version I am using is 2.0.1 with the mount helper, works on Leap 42.2 but not on Tumbleweed because of the messaging context bug.
Stuart
FYI, in case others are missing this info as I was:
If you upgraded from an earlier version of OpenSuSE to Leap 42.3, you probably still have smb4k installed. However, it is an outdated version that will hang indefinitely when trying to mount a share, rendering the program completely useless.
You can, at your own risk, install a more recent version from the KDE:Extra repository here:
http://download.opensuse.org/repositories/KDE:/Extra/openSUSE_Leap_42.3/
The problem with the empty domain browse list is still there (probably a samba issue), but at least you can mount shares again (use bookmarks for convenience).
sorry, I was on the wrong thread here...
Moved my post to "Problem with SMB4k and Samba on openSUSE Leap"
Last edit: J.M. 2018-02-07