[apparmor] [PATCH] Adjust notify group name
Jamie Strandboge
jamie at canonical.com
Wed Apr 25 12:13:46 UTC 2012
On Tue, 2012-04-24 at 16:58 -0700, Kees Cook wrote:
> The group for reading /var/log/kern.log is "adm", not "admin".
>
> Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660078
>
> Index: apparmor-debian/utils/notify.conf
> ===================================================================
> --- apparmor-debian.orig/utils/notify.conf 2010-11-03 17:03:52.000000000 -0700
> +++ apparmor-debian/utils/notify.conf 2012-04-24 11:54:27.997521983 -0700
> @@ -12,4 +12,4 @@
> show_notifications="yes"
>
> # Only people in use_group can use aa-notify
> -use_group="admin"
> +use_group="adm"
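
Review bot: The changed use_group line sits directly under the comment "Only people in use_group can use aa-notify", so this value gates who may run the tool, while the commit message justifies "adm" by who can read /var/log/kern.log. Those are two different controls, and the patch does not say why they should share one group. Either extend the comment to state that the group is expected to match the one that can read the log, or explain in the commit message what fails with "admin". Changing the default also changes who is allowed to run aa-notify wherever the shipped file is kept: members of "admin" who are not in "adm" would lose access, which is worth stating.
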
This group's intended use is not for DAC filesystem access but instead
to limit who is allowed to run the utility. From the man page which
describes /etc/apparmor/notify.conf:

    # only people in use_group can use aa-notify
    use_group="admin"

Also, this can be overridden via /etc/apparmor/notify.conf, so I'm not
sure why it needs to be changed in the script itself. Was there a
particular problem that this patch is trying to address?

--
Jamie Strandboge | http://www.canonical.com