[apparmor] [Bug 619521] Re: pam_apparmor fails to hunt through the hats
Ubuntu QA's Bug Bot
bug-stats at murraytwins.com
Mon Sep 19 21:26:39 UTC 2011
** Tags added: testcase
--
You received this bug notification because you are a member of AppArmor
Developers, which is the registrant for AppArmor.
https://bugs.launchpad.net/bugs/619521
Title:
pam_apparmor fails to hunt through the hats
Status in AppArmor Linux application security framework:
Fix Released
Status in AppArmor 2.5 series:
Fix Released
Status in “apparmor” package in Ubuntu:
Fix Released
Status in “apparmor” source package in Lucid:
Fix Released
Bug description:
SRU Justification
1. impact of the bug is medium for stable releases and very much
limits the utility of pam_apparmor, but the fix is non-intrusive. It
is included here as part of the 2.5.1 update for Lucid (LP: #660077)
2. This has been fixed in natty.
3. Patch simply adjusts changehat/pam_apparmor/pam_apparmor.c to try
the next hat on ENOENT rather than failing.
4. TEST CASE: run the AppArmorPAM tests in
lp:qa-regression-testing/scripts/test-apparmor.py. Several tests fail
with the version in Lucid and all are fixed in the 2.5.1 upload.
5. The regression potential is very low for this patch as it only adds
a single ENOENT check, libpam-apparmor is in universe and it is not
widely used yet. Getting this fixed would be an important step in
getting pam-apparmor more widely used since LTS users are more likely
to require the extra security features provided by libpam-apparmor.
Binary package hint: apparmor
I have pam_apparmor set up for sshd as follows.
session optional pam_apparmor.so order=user,group,default debug
It never searches group or default. It thinks it finds a hat for the user
whether a hat exists for the user or not.
In complain mode, the debug messages are:
Aug 17 16:21:03 zeno sshd[22113]: pam_apparmor(sshd:session): Using username 'gray'
Aug 17 16:21:03 zeno sshd[22113]: pam_apparmor(sshd:session): Successfully changed to hat 'gray'
Note, there is not a hat 'gray' defined. If I put it in enforce mode:
Aug 17 17:02:36 zeno sshd[3955]: pam_apparmor(sshd:session): Using username 'gray'
Aug 17 17:02:36 zeno sshd[3955]: pam_apparmor(sshd:session): Unknown error occurred changing to gray hat: No such file or directory
Maybe we're doing something wrong, but I think it's broken.
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: libpam-apparmor 2.5-0ubuntu3
ProcVersionSignature: Ubuntu 2.6.32-21.32-generic-pae 2.6.32.11+drm33.2
Uname: Linux 2.6.32-21-generic-pae i686
Architecture: i386
Date: Tue Aug 17 18:30:58 2010
InstallationMedia: Ubuntu-Server 10.04 LTS "Lucid Lynx" - Release i386 (20100427)
ProcEnviron:
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: apparmor
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/619521/+subscriptions
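The hat search described in item 3 of the SRU justification, as an added example that is not the pam_apparmor patch or any code from the AppArmor project. It models the enforce-mode case from the report only; fake_change_hat, hunt_hats, the group 'staff' and the hat list are assumptions constructed for illustration, with fake_change_hat standing in for the real change-hat call.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: hats defined in the sshd profile. There is no hat
 * for user 'gray', matching the situation in the report. */
static const char *defined_hats[] = { "staff", "DEFAULT" };

/* Hypothetical stand-in for the change-hat call in enforce mode:
 * returns 0 on success, -1 with errno = ENOENT when the hat is missing. */
static int fake_change_hat(const char *hat)
{
    for (size_t i = 0; i < sizeof(defined_hats) / sizeof(defined_hats[0]); i++)
        if (strcmp(defined_hats[i], hat) == 0)
            return 0;
    errno = ENOENT;
    return -1;
}

/* Walk the candidate hats in order= sequence. Returns the index of the
 * hat that was entered, or -1 if none could be entered.
 * skip_on_enoent = 0: the first error ends the search (reported behaviour).
 * skip_on_enoent = 1: a missing hat moves on to the next candidate, while
 * any other error still ends the search. */
int hunt_hats(const char *const cand[], int n, int skip_on_enoent)
{
    for (int i = 0; i < n; i++) {
        if (fake_change_hat(cand[i]) == 0)
            return i;
        if (skip_on_enoent && errno == ENOENT)
            continue;
        return -1;
    }
    return -1;
}

int main(void)
{
    /* order=user,group,default for user 'gray' in group 'staff' (constructed) */
    const char *const cand[] = { "gray", "staff", "DEFAULT" };
    int before = hunt_hats(cand, 3, 0);
    int after = hunt_hats(cand, 3, 1);

    printf("fail on ENOENT: %s\n", before >= 0 ? cand[before] : "(no hat)");
    printf("skip on ENOENT: %s\n", after >= 0 ? cand[after] : "(no hat)");
    return 0;
}
```

Limiting the skip to ENOENT matters for confinement: a session should fall through to the next hat only when a hat is absent, not when the change fails for some other reason.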