Why does Samba require 777 permissions on /tmp

Bob Eager rde at tavi.co.uk
Sat May 18 23:55:53 UTC 2013


On Sat, 18 May 2013 18:34:47 -0500
sindrome <sindrome at gmail.com> wrote:

> I just found myself troubleshooting an issue where my desktop machine
> couldn't login to my local samba server unless I have the /tmp
> directory permissions set to 777.  I'd like to have it 775 not only
> for security reasons but also because portupgrade always barks when
> the tmp directory is set that way.  Is there something that can be
> tweaked in smb.conf so that I can authenticate without that?
> 
> This was in the logs which led me to the root of the problem.
> [2013/05/18 13:31:01,  0] smbd/service.c:191(set_current_service)
> chdir (/tmp) failed
> 
> Once I changed it back to 777 the machine trust was working again.
> 
> It seems that I could set the TMPDIR environmental variable to another
> directory but that's the very same variable that portupgrade uses so
> it would still have the same issue.
> 
> These are the warnings that portupgrade gives if I keep the
> permissions that way.
> 
> /usr/local/lib/ruby/site_ruby/1.8/pkgtools/pkgtools.rb:483: warning:
> Insecure world writable dir /tmp in PATH, mode 040777
> /usr/local/lib/ruby/site_ruby/1.8/pkgtools/pkgtools.rb:1170: warning:
> Insecure world writable dir /tmp in PATH, mode 040777
> /usr/local/lib/ruby/site_ruby/1.8/pkgtools/pkgmisc.rb:108: warning:
> Insecure world writable dir /tmp in PATH, mode 040777
> 
> Any thoughts on how I can make Samba not require 777 on /tmp?

The correct mode for /tmp is probably 1777 anyway. That allows anyone
to create files there, but only they can manipulate them. See sticky(7).

The implication of the error messages from portupgrade is that /tmp is
in your PATH, which is pretty unusual. Check your .profile,
.login, .cshrc etc. and remove /tmp from any path settings. This is
indeed a security risk!

Do that, portupgrade will stop complaining, and the correct 1777 (or
777) setting will keep samba happy.
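
An added example, not part of the original thread: a POSIX sh check for the two conditions discussed above, namely whether /tmp is world-writable with the sticky bit (mode 1777) and whether any PATH entry is world-writable. The function names are hypothetical, and the labels `ok`, `no-sticky` and `restricted` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit /tmp's mode and PATH entries.

# Succeeds if $1 is a directory with the "other" write bit set.
is_world_writable() {
    [ -d "$1" ] && [ -n "$(find "$1" -prune -perm -0002 -print 2>/dev/null)" ]
}

# Classify a temp directory:
#   ok         world-writable with sticky bit (1777)
#   no-sticky  world-writable without sticky bit (777)
#   restricted not world-writable (e.g. 775)
tmp_mode_status() {
    if ! is_world_writable "$1"; then
        echo restricted
    elif [ -k "$1" ]; then
        echo ok
    else
        echo no-sticky
    fi
}

# Print each entry of the colon-separated list $1 that is world-writable.
# The sticky bit does not make such an entry safe to search for commands,
# so 1777 directories are reported too. Runs in a subshell so that the
# IFS and globbing changes do not leak into the caller.
risky_path_entries() (
    IFS=:
    set -f
    for dir in $1; do
        [ -n "$dir" ] || dir=.    # an empty PATH element means the current directory
        if is_world_writable "$dir"; then
            printf '%s\n' "$dir"
        fi
    done
)

echo "/tmp: $(tmp_mode_status /tmp)"
echo "world-writable PATH entries:"
risky_path_entries "$PATH"
```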

