[apparmor] [patch] traceroute profile (apparmor-profiles-traceroute)
Steve Beattie
steve at nxnw.org
Thu Aug 25 19:23:44 UTC 2011
On Tue, Aug 23, 2011 at 02:18:52AM +0200, Christian Boltz wrote:
> On Tuesday, 23 August 2011, Steve Beattie wrote:
> > Also, on Debian/Ubuntu, traceroute is covered by the alternatives,
> > and ends up pointing to /usr/bin/traceroute.db; thus I'd like to
> > add:
>
> Is traceroute.db really in /usr/bin and not in /usr/sbin?
>
> That doesn't sound like making much sense - either traceroute itself
> should also be in /usr/bin (to make it "officially" available for users)
> or traceroute.db should be in /usr/sbin (to "flag" it admin-only, and
> yes, I know that a user can call it by using the full path).
>
> Having one in /usr/bin and the other in /usr/sbin is confusing.
While I agree that it's mildly confusing, on Ubuntu systems, the
default path for users includes the sbin variants, so both are
visible to regular users. Looking through the Debian bug history,
in particular http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=107150
and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=557672 I suspect
the reason the alternative target is in /usr/sbin is because the nanog
version of traceroute was only usable by root; it's still confusing
because the nanog-emulating wrapper script that the traceroute package
provides also lives in /usr/bin.
Regardless, it strikes me as unlikely to change.
> > === modified file 'profiles/apparmor.d/usr.sbin.traceroute'
> > --- profiles/apparmor.d/usr.sbin.traceroute 2010-08-05 19:00:02
> > +++ profiles/apparmor.d/usr.sbin.traceroute 2011-08-22 23:54:53
> > @@ -10,7 +10,7 @@
> > # ------------------------------------------------------------------
> >
> > #include <tunables/global>
> > -/usr/sbin/traceroute {
> > +/usr/{sbin/traceroute,bin/traceroute.db} {
> > #include <abstractions/base>
> > #include <abstractions/consoles>
> > #include <abstractions/nameservice>
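Review bot: the new profile header line, /usr/{sbin/traceroute,bin/traceroute.db} {, adds a second attachment path with no comment explaining it, while the file keeps the name usr.sbin.traceroute, so someone scanning the profile directory will not expect this file to confine /usr/bin/traceroute.db. A one-line comment above the header saying that /usr/bin/traceroute.db is the Debian/Ubuntu alternatives target would document the intent. Since the hunk shows only the header and the first includes, also confirm that no rule further down in the profile body names /usr/sbin/traceroute explicitly; any such rule would need the same alternation for the traceroute.db path to behave identically.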
>
> You'll have to commit that yourself ;-)
Okay. Thanks for the feedback.
--
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/