[apparmor] [Bug 619521] Re: pam_apparmor fails to hunt through the hats

Ubuntu QA's Bug Bot bug-stats at murraytwins.com
Mon Sep 19 21:26:39 UTC 2011


** Tags added: testcase

-- 
You received this bug notification because you are a member of AppArmor
Developers, which is the registrant for AppArmor.
https://bugs.launchpad.net/bugs/619521

Title:
  pam_apparmor fails to hunt through the hats

Status in AppArmor Linux application security framework:
  Fix Released
Status in AppArmor 2.5 series:
  Fix Released
Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor” source package in Lucid:
  Fix Released

Bug description:
  SRU Justification

  1. impact of the bug is medium for stable releases and very much
  limits the utility of pam_apparmor, but the fix is non-intrusive. It
  is included here as part of the 2.5.1 update for Lucid (LP: #660077)

  2. This has been fixed in natty.

  3. Patch simply adjusts changehat/pam_apparmor/pam_apparmor.c to try
  the next hat on ENOENT rather than failing.

  4. TEST CASE: run the AppArmorPAM tests in
  lp:qa-regression-testing/scripts/test-apparmor.py. Several tests fail
  with the version in Lucid and all are fixed in the 2.5.1 upload.

  5. The regression potential is very low for this patch as it only adds
  a single ENOENT check, libpam-apparmor is in universe and it is not
  widely used yet. Getting this fixed would be an important step in
  getting pam-apparmor more widely used since LTS users are more likely
  to require the extra security features provided by libpam-apparmor.

  Binary package hint: apparmor

  I have pam_apparmor set up for sshd as follows.

  session     optional    pam_apparmor.so order=user,group,default debug

  It never searches group or default.  It thinks it finds a hat for the
  user whether a hat exists for the user or not.

  In complain mode, the debug messages are:

  Aug 17 16:21:03 zeno sshd[22113]: pam_apparmor(sshd:session): Using username 'gray'
  Aug 17 16:21:03 zeno sshd[22113]: pam_apparmor(sshd:session): Successfully changed to hat 'gray'

  Note, there is not a hat 'gray' defined.  If I put it in enforce mode:

  Aug 17 17:02:36 zeno sshd[3955]: pam_apparmor(sshd:session): Using username 'gray'
  Aug 17 17:02:36 zeno sshd[3955]: pam_apparmor(sshd:session): Unknown error occurred changing to gray hat: No such file or directory

  Maybe we're doing something wrong, but I think it's broken.

  ProblemType: Bug
  DistroRelease: Ubuntu 10.04
  Package: libpam-apparmor 2.5-0ubuntu3
  ProcVersionSignature: Ubuntu 2.6.32-21.32-generic-pae 2.6.32.11+drm33.2
  Uname: Linux 2.6.32-21-generic-pae i686
  Architecture: i386
  Date: Tue Aug 17 18:30:58 2010
  InstallationMedia: Ubuntu-Server 10.04 LTS "Lucid Lynx" - Release i386 (20100427)
  ProcEnviron:
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  SourcePackage: apparmor

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/619521/+subscriptions
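
The hat search described in the report (order=user,group,default) and the ENOENT fall-through the SRU note describes, as an added example that is not taken from pam_apparmor.c. The hat names, `stub_change_hat` and `hunt_hats` are hypothetical; the stub stands in for the real change-hat call so the logic runs without AppArmor loaded.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample: hats defined in the profile. Note there is no
 * hat for the user 'gray', matching the situation in the report. */
static const char *const defined_hats[] = { "admins", "DEFAULT" };

/* Hypothetical stand-in for the change-hat call: returns 0 if the hat
 * exists, otherwise -1 with errno set to ENOENT (enforce-mode result). */
static int stub_change_hat(const char *hat)
{
    size_t n = sizeof defined_hats / sizeof defined_hats[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(defined_hats[i], hat) == 0)
            return 0;
    errno = ENOENT;
    return -1;
}

/* Walk the candidate hats in the configured order. Returns the index of
 * the hat that was entered, or -1 if the session got no hat at all.
 * skip_missing = 0 models the reported behaviour (first failure is fatal);
 * skip_missing = 1 models the fix (ENOENT means "try the next hat"). */
int hunt_hats(const char *const *candidates, size_t n, int skip_missing)
{
    for (size_t i = 0; i < n; i++) {
        if (stub_change_hat(candidates[i]) == 0)
            return (int)i;
        if (errno == ENOENT && skip_missing)
            continue;   /* hat not defined: fall through to the next */
        return -1;      /* any other error stays fatal */
    }
    return -1;          /* ran out of candidates */
}

/* Constructed session: user 'gray', group 'admins', then the default hat. */
static const char *const session_hats[] = { "gray", "admins", "DEFAULT" };

int hunt_before_fix(void) { return hunt_hats(session_hats, 3, 0); }
int hunt_after_fix(void)  { return hunt_hats(session_hats, 3, 1); }
```

Only ENOENT is skipped, so other errors from the change-hat call still stop the search instead of silently landing the session in a later hat.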


