Robert Rottscholl reported that when creating a new file via X File Explorer (xfe) on a Samba or NFS share, the user's mask was used for the permissions instead of that specified by the Samba or NFS configuration (such as Samba's "create mask" configuration option). This could give users access to files they would otherwise be unable to access.
Patches are available from the original report:
From brief testing on Fedora with Samba and the "create mask" option, this only presented when running xfe as the root user. The intended mask was used when running xfe as an unprivileged user.
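One way to check a share for the condition described above, as an added example that is not part of the original report or of xfe: it walks a directory tree and flags regular files carrying permission bits that the share's "create mask" would have removed. The function names, the mask value `0o640` and the temporary directory standing in for the share are assumptions made for illustration.

```python
import os
import stat
import tempfile


def excess_bits(mode, create_mask):
    """Permission bits set in `mode` that lie outside `create_mask`.

    Samba ANDs the requested mode with "create mask", so a file created
    through the share should never carry any of these bits.
    """
    return stat.S_IMODE(mode) & ~create_mask & 0o7777


def find_mask_violations(root, create_mask):
    """Return sorted (path, mode, excess) tuples for regular files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            extra = excess_bits(st.st_mode, create_mask)
            if extra:
                findings.append((path, stat.S_IMODE(st.st_mode), extra))
    return sorted(findings)


def create_with_umask(path, umask, requested=0o666):
    """Create a file as a local application would: mode = requested & ~umask."""
    old = os.umask(umask)
    try:
        os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, requested))
    finally:
        os.umask(old)  # always restore the caller's umask
    return stat.S_IMODE(os.lstat(path).st_mode)


def demo():
    """Constructed scenario: a local temp dir stands in for the share."""
    create_mask = 0o640  # assumed value of the share's "create mask"
    with tempfile.TemporaryDirectory() as root:
        create_with_umask(os.path.join(root, "ok.txt"), 0o027)    # -> 0o640
        create_with_umask(os.path.join(root, "wide.txt"), 0o000)  # -> 0o666
        return [(os.path.basename(p), oct(m), oct(x))
                for p, m, x in find_mask_violations(root, create_mask)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

For a real check, call `find_mask_violations` on the server-side path of the share with the mask taken from its configuration.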
Created xfe tracking bugs for this issue:
Affects: fedora-all [bug 1069067]
CVE request: http://www.openwall.com/lists/oss-security/2014/02/24/2
So this just means that root can freely change umask and create files with such umask on samba?
So this seems to be just saying:
* Program A explicitly tries to set umask as user requested for file
manipulation. Filesystem may partially reject it and may set more restricted
umask, but that is just as such filesystem does so and Program A just
accepts that. Program A then just continues to do the following file manipulation.
In my opinion this is valid behavior for Program A. The issue written on
this bug is just the "opinion" or "policy" of you and something other
than "security issue" IMO.
Perhaps I won't change this unless the upstream changes, even if CVE is assigned.
(In reply to Mamoru TASAKA from comment #5)
> Perhaps I won't change this unless the upstream changes, even if CVE is
Thanks for looking at this. I trust your opinion and analysis so I do not mind if you do not fix the bug.
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.