[apparmor] [PATCH] Adjust notify group name

Jamie Strandboge jamie at canonical.com
Wed Apr 25 12:13:46 UTC 2012


On Tue, 2012-04-24 at 16:58 -0700, Kees Cook wrote:
> The group for reading /var/log/kern.log is "adm", not "admin".
> 
> Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660078
> 
> Index: apparmor-debian/utils/notify.conf
> ===================================================================
> --- apparmor-debian.orig/utils/notify.conf	2010-11-03 17:03:52.000000000 -0700
> +++ apparmor-debian/utils/notify.conf	2012-04-24 11:54:27.997521983 -0700
> @@ -12,4 +12,4 @@
>  show_notifications="yes"
>  
>  # Only people in use_group can use aa-notify
> -use_group="admin"
> +use_group="adm"
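Review bot: The changed use_group line sits directly under the comment "Only people in use_group can use aa-notify", so the value is a gate on who may run the tool, while the description justifies "adm" by who can read /var/log/kern.log. Those are two separate checks. Please state in the description which failure the Debian bug reports, and whether users who are in "admin" but not in "adm" lose the ability to run aa-notify once this default changes. If the default does change, the comment above it should explain why the group is tied to log readability, and any documentation that quotes use_group="admin" needs the same update.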

This group's intended use is not for DAC filesystem access but instead
to limit who is allowed to run the utility. From the man page which
describes /etc/apparmor/notify.conf:
# only people in use_group can use aa-notify
use_group="admin"

Also, this can be overridden via /etc/apparmor/notify.conf, so I'm not
sure why it needs to be changed in the script itself. Was there a
particular problem that this patch is trying to address?

-- 
Jamie Strandboge             | http://www.canonical.com