Why does Samba requires 777 permissions on /tmp

Simon Wright simon.wright at gmx.net
Mon May 20 21:58:29 UTC 2013


On 20/05/2013 15:38, Bob Eager wrote:
> On Mon, 20 May 2013 08:03:09 -0500
> sindrome <sindrome at gmail.com> wrote:
>
> What I think is happening is that portupgrade is building and running
> shell scripts in /tmp. It's running them with (in ruby):
>
>    system('/tmp/script')             [roughly]
>
> The ruby runtime is checking the *path-to-the-command* and THAT is what
> it's complaining about.
>
> Try setting PKG_TMPDIR (in pkgtools.conf) to some suitable non world
> writable temporary directory.
>
> I have an older ports tree on this machine or I'd try it myself. I had
> to download the latest sources to check all this,

Trying to summarise what I've tested here with the results.

My PKG_TMPDIR and TMPDIR are set to /var/tmp:

pkgtools.conf:

   ENV['TMPDIR'] ||= '/var/tmp'
   ENV['PKG_TMPDIR'] ||= '/var/tmp'
   ENV['PORTSDIR'] ||= '/usr/ports'
   ENV['PACKAGES'] ||= ENV['PORTSDIR'] + '/packages'

from /usr/local/etc/sudoers:
# Uncomment if needed to preserve environmental variables related to the
# FreeBSD pkg_* utilities and fetch.
Defaults        env_keep += "PKG_PATH PKG_DBDIR PKG_TMPDIR TMPDIR PACKAGEROOT PACKAGESITE PKGDIR FTP_PASSIVE_MODE"

[simon@vmserver04 ~]$ ls -ld /var/tmp
drwxrwxr-t  9 root  wheel  33280 May 20 23:02 /var/tmp/

Note: /var/tmp is not world writeable

[simon@vmserver04 ~]$ echo $PATH
/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin:/usr/local/scripts:

root@vmserver04:/root # echo $PATH
/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin

I run portupgrade via sudo but both $PATH's show no /tmp or .

[simon@vmserver04 ~]$ ruby -v
ruby 1.8.7 (2012-10-12 patchlevel 371) [amd64-freebsd9]

portupgrade-2.4.10.5_1,2 FreeBSD ports/packages administration and management tool s

Other (not likely) relevant stuff:
- I have /usr/ports mounted rw with NFS
- I have the packages directory mounted rw with NFS and amd then 
redefine $PACKAGES to point to the mount point
This has been working for several years with no issues

[simon@vmserver04 ~]$ sudo portupgrade -v portupgrade*
--->  Reading default options: -v -D -l /var/tmp/portupgrade.results_20130520-22:56:25 -L /var/tmp/portupgrade/%s::%s.log
--->  Session started at: Mon, 20 May 2013 22:56:26 +0200
** None has been installed or upgraded.
--->  Saving the results to '/var/tmp/portupgrade.results_20130520-22:56:25'
/usr/local/lib/ruby/site_ruby/1.8/pkgtools/pkgtools.rb:483: warning: Insecure world writable dir /tmp/ in PATH, mode 041777

Still the complaint about /tmp/

[simon@vmserver04 ~]$ sudo chmod 1775 /tmp

[simon@vmserver04 ~]$ ls -ld /tmp
drwxrwxr-t  9 root  wheel  1024 May 20 23:16 /tmp/

[simon@vmserver04 ~]$ sudo portupgrade -v portupgrade*
--->  Reading default options: -v -D -l /var/tmp/portupgrade.results_20130520-23:16:07 -L /var/tmp/portupgrade/%s::%s.log
--->  Session started at: Mon, 20 May 2013 23:16:07 +0200
** None has been installed or upgraded.
--->  Saving the results to '/var/tmp/portupgrade.results_20130520-23:16:07'
--->  Session ended at: Mon, 20 May 2013 23:16:08 +0200 (consumed 00:00:00)

No more complaint.

I can't read the portupgrade code well enough to see what it's doing 
with the script, but if Bob is right that Ruby is running the 
portupgrade commands from /tmp then the error is within the checks 
in Ruby which is saying the 777 permission on /tmp is not 
acceptable, 775 *is* acceptable. Which is strange since surely then 
everyone with 777 permissions on /tmp would be seeing this message? 
Does this get us any further?

Thanks for all the input, it is appreciated.

Cheers

Simon.
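
Added example (not part of the original message, and not code from portupgrade or the Ruby runtime): a small audit helper that walks the directories leading to a command, as Bob describes, and reports any that are writable by "other". It prints the mode in the same `0%o` form as the warning, which is why a 1777 `/tmp` shows up as `041777` (directory type bits, sticky bit, rwxrwxrwx). The helper names and the sample path `/tmp/script` are assumptions made for illustration.

```ruby
S_IWOTH = 0o0002  # write permission for "other"
S_ISVTX = 0o1000  # sticky bit

# Return [dir, mode_string] for every directory above +command+ that is
# world-writable. Hypothetical helper; it imitates the kind of check the
# warning implies, it is not Ruby's internal implementation.
def world_writable_ancestors(command)
  findings = []
  dir = File.dirname(File.expand_path(command))
  loop do
    st = begin
      File.stat(dir)
    rescue SystemCallError
      nil # directory missing or unreadable: nothing to report
    end
    if st && st.directory? && (st.mode & S_IWOTH) != 0
      # st.mode includes the file-type bits, hence the leading "04"
      findings << [dir, format('0%o', st.mode)]
    end
    parent = File.dirname(dir)
    break if parent == dir # reached the filesystem root
    dir = parent
  end
  findings
end

# True when the sticky bit is set on +dir+.
def sticky?(dir)
  (File.stat(dir).mode & S_ISVTX) != 0
end

if __FILE__ == $PROGRAM_NAME
  target = ARGV[0] || '/tmp/script' # constructed sample path
  world_writable_ancestors(target).each do |dir, mode|
    note = sticky?(dir) ? 'sticky bit set' : 'no sticky bit'
    puts "world-writable dir #{dir}, mode #{mode} (#{note})"
  end
end
```

Run against a command under a 1775 directory, the helper reports nothing for that directory, matching the result after the `chmod 1775 /tmp` above.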

