Multiple issues after recent updates (May 2017)

Dear all,

I have several severe issues after the recent updates. I use Leap 42.2 on an HP Elitebook 8440p with NVidia graphics.

  • Mounting of samba shares through smb4k does not work anymore; I have tried to reset smb4k and re-installed smb4k. It finds the samba folders but ends in a dead loop when I try to mount them through smb4k. I can access them through dolphin, and also mount shares from the console. I went through the firewall settings as well, and even tried to set SUID on mount.cifs. This did not help.

  • Virtualbox crashes the whole system immediately when I try to start a Windows session. This means: No mouse pointer, black screen, no access to console, no ctrl-alt-f1 or the like. I have to hard-shut-down and restart the system.

  • Some issues with graphics system in general: the three icons in each window top right corner are suddenly invisible/disappear.

  • Some general instabilities with KDE GUI - like disappearing bottom panel, etc.

Anyone experienced similar issues? Thanks!

Eriol

I run this on an ASUS with Intel graphics. I don't use VirtualBox and so far no problems with KDE. However, yes, SMB4K does seem to loop attempting to mount shares. I find the smb protocol works fine in Dolphin. Yes, this must be a recent update to 42.2 as SMB4K certainly used to work fine.

Stuart

Yes.
SUSE’s security team found a security hole in SMB4K’s mounthelper, so it had to be removed.
https://bugzilla.opensuse.org/show_bug.cgi?id=1033300
In other words, mounting with SMB4K doesn’t work at all currently.

The shortcomings should be fixed in the next SMB4K version, but it will need to go through another security audit first.
We will hopefully have it available in KDE:Extra at least quite soon though.

Any idea how soon the updated SMB4K will appear? I have had confirmation from the author that it is fixed both in V1 and V2 and the code is available. This is a very useful tool for those of us who don’t remember console commands very well! I know I can compile it and have done for TW but I don’t really want to install everything on 42.2 just for that unless really necessary.

Stuart

No. Probably never for 42.2…
As I wrote this will need another security review and that can take time.

And somebody needs to prepare a package first with the security fix added.
I just saw that 2.0.1 has been released already, with that security fix included, so I suppose I’ll just do it this weekend…

I know I can compile it and have done for TW but I don’t really want to install everything on 42.2 just for that unless really necessary.

You can install the previous version, it is still available in the standard repo.
Use YaST’s “Versions” tab for that.

Please correct me if I am wrong, but putting the posts concerning smb4k together, this is the current situation:

  • A possible Security breach has been removed, patched Version (currently 1.2.1-3.3.1) has been delivered by Mainupdate-repository

  • So smb4k is currently in the desired state for V1

  • Smb4k V2 could additionally be patched by wolfi323. I had no luck with the current V2 as KF5 destroys my plasma (no window-titlebar any more)

  • The official V1 Version cannot mount shares (most likely in all installations), as the Mounthelper needs to be audited and released updated

  • There is no plan when this will be done and if it will be done for 42.2

  • Currently SMB4k is only useable in unpatched Version 1.2.1-2.43 from Main-repo

If this is correct, is there any usable solution working without SMB4k in Userspace? Especially doing this:
Mount //server/usershare to ~/usershare giving the right credentials?

I tried to find a solution for that without smb4k via command-line but as normal user I cannot use mount (need to be set suid).
After doing this (security?) I still cannot mount while "mount -t cifs […]" returns "only root may use Option “--types”". Same for other options like giving the right credential-file via “-o credentials=~/cifs.cred”.

In fstab I found no solution to give ~/cif.cred (file not found), or “~/usershare” as destination.

Maybe someone knows an easy solution for it?

Daniel

More or less, yes.

But the security flaw is/was in 2.0.0 too, it is only fixed in the latest 2.0.1.

The patch could of course also be backported to 1.2.x (actually the smb4k developers offer it for 1.2.x too), but I don’t think that makes sense at this point (with 2.0.1 released).

I already prepared a 2.0.1 package (with the mount helper re-added) and will submit it to the KDE:Extra repo later today.
The new security audit is only needed to get it into the standard repos, and that likely will take a while.

I had no luck with the current V2 as KF5 destroys my plasma (no window-titlebar any more)

From what repo?
There is no V2 in any “official” one (yet).

And what does “KF5 destroys my plasma” mean?
The KDE:Frameworks5 repo?
If you use that you also need the newer Qt5 from KDE:Qt5, and need to do a full switch to the repo.

If this is correct, is there any usable solution working without SMB4k in Userspace? Especially doing this:
Mount //server/usershare to ~/usershare giving the right credentials?

I tried to find a solution for that without smb4k via command-line but as normal user I cannot use mount (need to be set suid).
After doing this (security?) I still cannot mount while "mount -t cifs […]" returns "only root may use Option “--types”". Same for other options like giving the right credential-file via “-o credentials=~/cifs.cred”.

Use sudo to mount it…
Or add a line to /etc/fstab to mount it during boot.
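
The sudo route suggested above, as an added example that is not part of the original posts: a small shell function that builds the mount command for the `//server/usershare` to `~/usershare` case from the question, using absolute paths and refusing a credentials file that other users can read. The file name `cifs.cred` and the directory `usershare` are taken from the question; the function name and the `uid=`/`gid=` choice are assumptions of this example.

```shell
#!/bin/sh
# Added example: prepare a per-user CIFS mount that is run through sudo.
# Nothing is mounted here; the function only prints the command to run.

# cifs_mount_cmd SHARE [HOME_DIR]
# Expects HOME_DIR/cifs.cred (username=... / password=... lines) and an
# existing HOME_DIR/usershare directory as the mount point.
cifs_mount_cmd() {
    share=$1
    home=${2:-$HOME}
    # Absolute paths: /etc/fstab is not parsed by a shell, so "~" is never
    # expanded there, and under sudo "~" would be root's home anyway.
    cred="$home/cifs.cred"
    target="$home/usershare"

    case $share in
        //*/*) ;;
        *) echo "share must look like //server/name" >&2; return 2 ;;
    esac

    [ -f "$cred" ] || { echo "missing credentials file $cred" >&2; return 3; }

    # The file holds a password: group and other must have no access at all.
    perms=$(ls -ld "$cred" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$cred is accessible to others; run: chmod 600 $cred" >&2
        return 4
    fi

    [ -d "$target" ] || { echo "missing mount point $target" >&2; return 5; }

    # uid=/gid= make the mounted files appear owned by the calling user,
    # even though the mount itself is performed by root.
    printf 'sudo mount -t cifs %s %s -o credentials=%s,uid=%s,gid=%s\n' \
        "$share" "$target" "$cred" "$(id -u)" "$(id -g)"
}

# Stand-alone use: sh cifs-mount.sh //server/usershare
if [ "$#" -gt 0 ]; then
    cifs_mount_cmd "$@"
fi
```

The same absolute paths and options can be used in an /etc/fstab line if the share should be mounted during boot instead.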

Hello,
For me on a fully updated OpenSuse LEAP 42.3 with LXDE graphical environment, smb4k 2.0.1-106.1 from wolfi323 repo does not work for searching my network for shares or for manually mounting a share.

And which repo do you mean exactly?
home:wolfi323:branches:KDE:Extra ?

That should “work”, and is actually the version that I’m going to submit to KDE:Extra.

Can you be a bit more specific than “does not work”?

Although, Leap 42.3 has not been released yet, it’s still under development. So this may also be a problem elsewhere.

FYI, smb4k 2.0.1 (with the fixed mount helper) is now available in the KDE:Extra repo, for Tumbleweed and Leap 42 (.1, .2, and .3).
http://software.opensuse.org//download.html?project=KDE%3AExtra&package=smb4k

So people who want/need to use it to mount shares can install it from there for now.

It will enter Tumbleweed after a (hopefully) successful new security review, which we requested today, but that may of course take some time.

I just installed this and although I can mount OK from my bookmarks when scanning the workgroup I see the message saying ‘Failed to init messaging context’. This is on Tumbleweed KDE Plasma 5.

Stuart

And where do you see that message?
Does it work fine otherwise?
Does it work with 1.2.3 (which is still in Tumbleweed’s standard repos)?

I probably cannot help you though. Scanning doesn’t work at all here, not even with 1.2.x.
As I don’t use it anyway, I didn’t bother to investigate, but it’s probably related to my particular network or Samba setup somehow.

And I’m not using Tumbleweed, but 42.2.

I don’t get such a message though.

PS: this discussion here seems to be related:
https://sourceforge.net/p/smb4k/discussion/help/thread/f9ec6154/
This suggests that it might be caused by a change (or bug) in Samba (4.6).

Sigh.
Even though the security team mentioned that we can request a new review after we added the fixes, they immediately closed it as WONTFIX now (with the argument that “this can never be secure”):
http://bugzilla.opensuse.org/show_bug.cgi?id=1041511

Sorry, as it looks now, there will never be a working smb4k in the distribution again.

I will raise this issue with the author to see what he says and whether or not there is anything he can do to change the code to operate differently.

As to the issue with the messaging context this has been happening for quite some time on every version of SMB4K that I have been able to try from 1.2 through 2.0.1.

Thanks a lot for your efforts - for keeping us updated and for maintaining a running version of smb4k in KDE:EXTRA.

I must say that taking smb4k out of the distro is really a heavy impact on the distro’s functionality; while there are certainly many users who use different ways to handle samba shares, there are a huge number of users who use smb4k for this purpose, and it has some advantages. I am not a network security expert; however, I really feel disappointed about such a decision at least with regard to the use of opensuse as a desktop OS.

Again, thank you!

Eriol

Well, in this case it is/was not about a network security problem, but mounting a share or anything else requires root privileges (on the local system) and smb4k contains a small helper that is run as root to be able to do the mounting.
And this is considered a security risk, because a local attacker could gain root privileges through it, and this helper is what the security team apparently doesn’t like.

But as mentioned, the found security flaws in the helper should actually be fixed in the latest version.

Again thanks for your efforts wolfi, it is appreciated. As to this decision I have asked the author to comment on this but as yet I’ve not had any response. Should we be able to demonstrate that the security hole has been properly fixed is there any way to appeal their wontfix status?

Stuart

I had installed it from the repo you mention. Workgroup scanning for shares did not work and it displayed the Smb4k icon at the top of the screen as you can see at Screenshot by Lightshot
I uninstalled that version and then installed the new version from the repo KDE:Extra but I face exactly the same issue. Also when trying to mount a share from the “Open Mount Dialog” I have the same issue.

That’s not an icon, but a notification.
And if a notification is displayed in this way, that means that there is no notification applet in the system tray (or it doesn’t work), that’s the fallback way to display notifications.

In any case, rather a Plasma problem than one in the smb4k package.

I uninstalled that version and then installed the new version from the repo KDE:Extra but I face exactly the same issue. Also when trying to mount a share from the “Open Mount Dialog” I have the same issue.

Which “same issue”?

PS: I just had a look, and 42.3 has Samba 4.6 too. So you’re likely having the same problem that broadstairs mentioned, which seems to be caused by some change in Samba.
I cannot help you more with that.

TBH, I don’t think it’s about that particular security hole any more (which they discovered btw, and reported upstream so that it got fixed).
It seems they just don’t like this approach in general.