net-fs/samba: Make smbspool_krb5_wrapper accessible to root only

For CUPS to exec an plugin as root, group and others must not have privs.

Closes: https://bugs.gentoo.org/880739
Signed-off-by: Joakim Tjernlund <Joakim.Tjernlund@infinera.com>
Closes: https://github.com/gentoo/gentoo/pull/28307
Signed-off-by: Sam James <sam@gentoo.org>

2 files changed, 4 insertions, 0 deletions

diff --git a/net-fs/samba/samba-4.15.12-r1.ebuild b/net-fs/samba/samba-4.15.12-r2.ebuild
index 9d2737f68680..2b804ec1862d 100644
--- a/net-fs/samba/samba-4.15.12-r1.ebuild
+++ b/net-fs/samba/samba-4.15.12-r2.ebuild
@@ -266,6 +266,8 @@ multilib_src_install() {
 
 	# Make all .so files executable
 	find "${ED}" -type f -name "*.so" -exec chmod +x {} + || die
+	# smbspool_krb5_wrapper must only be accessible to root, bug #880739
+	find "${ED}" -type f -name "smbspool_krb5_wrapper" -exec chmod go-rwx {} + || die
 
 	if multilib_is_native_abi ; then
 		# install ldap schema for server (bug #491002)
diff --git a/net-fs/samba/samba-4.16.7-r1.ebuild b/net-fs/samba/samba-4.16.7-r2.ebuild
index 36cf60e8eed0..81857fb18f5b 100644
--- a/net-fs/samba/samba-4.16.7-r1.ebuild
+++ b/net-fs/samba/samba-4.16.7-r2.ebuild
@@ -307,6 +307,8 @@ multilib_src_install() {
 
 	# Make all .so files executable
 	find "${ED}" -type f -name "*.so" -exec chmod +x {} + || die
+	# smbspool_krb5_wrapper must only be accessible to root, bug #880739
+	find "${ED}" -type f -name "smbspool_krb5_wrapper" -exec chmod go-rwx {} + || die
 
 	if multilib_is_native_abi ; then
 		# Install ldap schema for server (bug #491002)