Robert Rottscholl reported that when creating a new file via X File Explorer (xfe) on a Samba or NFS share, the user's mask was used for the permissions instead of that specified by the Samba or NFS configuration (such as Samba's "create mask" configuration option). This could give users access to files they would otherwise be unable to access.

Patches are available from the original report:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739536

From brief testing on Fedora with Samba and the "create mask" option, this only presented when running xfe as the root user. The intended mask was used when running xfe as an unprivileged user.
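An added example, not part of the original report or of xfe: one way to check the backing directory of a share for entries whose permission bits exceed what the share configuration allows. The function names, the sample tree and the mask values are constructed for illustration; the parameters mirror Samba's "create mask", "directory mask" and "force create mode" options, and "force directory mode" is assumed unset.

```python
import os
import stat
import tempfile


def audit_share(root, create_mask=0o744, directory_mask=0o755, force_create_mode=0o000):
    """Return sorted (relative path, mode, excess bits) for entries under root
    whose permission bits fall outside what the share configuration permits."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the share
            if stat.S_ISDIR(st.st_mode):
                allowed = directory_mask
            elif stat.S_ISREG(st.st_mode):
                # Samba ANDs the mode with "create mask", then ORs in "force create mode".
                allowed = create_mask | force_create_mode
            else:
                continue  # symlinks, devices and sockets are out of scope here
            mode = stat.S_IMODE(st.st_mode) & 0o777
            excess = mode & ~allowed
            if excess:
                findings.append((os.path.relpath(path, root), mode, excess))
    return sorted(findings)


def build_sample_tree(root):
    """Constructed sample: one file within the mask, one file and one directory outside it."""
    for name, mode in {"report.txt": 0o640, "made_as_root.txt": 0o666}.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)  # set explicitly so the caller's umask does not matter
    shared = os.path.join(root, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o777)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, mode, excess in audit_share(tmp, create_mask=0o640, directory_mask=0o750):
            print(f"{rel}: mode {mode:04o} has bits {excess:04o} outside the configured mask")
```

Run it on the server against the directory that backs the share, with the mask values taken from that share's configuration.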
Created xfe tracking bugs for this issue:

Affects: fedora-all [bug 1069067]
CVE request: http://www.openwall.com/lists/oss-security/2014/02/24/2
??? So this just means that root can freely change umask and create files with such umask on samba?
So this seems to be just saying:

* Program A explicitly tries to set the umask as the user requested for file manipulation. The filesystem may partially reject it and may set a more restricted umask, but that is just how such a filesystem behaves, and Program A just accepts that. Program A then just continues with the following file manipulation.

In my opinion this is valid behavior for Program A. The issue written on this bug is just the "opinion" or "policy" of you and something other than a "security issue" IMO.
Perhaps I won't change this unless the upstream changes, even if CVE is assigned.
(In reply to Mamoru TASAKA from comment #5)
> Perhaps I won't change this unless the upstream changes, even if CVE is
> assigned.

Thanks for looking at this. I trust your opinion and analysis so I do not mind if you do not fix the bug.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.