[apparmor] [PATCH] Adjust notify group name
Kees Cook
kees at ubuntu.com
Wed Apr 25 18:30:16 UTC 2012
Hi Jamie,
On Wed, Apr 25, 2012 at 07:13:46AM -0500, Jamie Strandboge wrote:
> On Tue, 2012-04-24 at 16:58 -0700, Kees Cook wrote:
> > The group for reading /var/log/kern.log is "adm", not "admin".
> >
> > Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660078
> >
> > Index: apparmor-debian/utils/notify.conf
> > ===================================================================
> > --- apparmor-debian.orig/utils/notify.conf 2010-11-03 17:03:52.000000000 -0700
> > +++ apparmor-debian/utils/notify.conf 2012-04-24 11:54:27.997521983 -0700
> > @@ -12,4 +12,4 @@
> > show_notifications="yes"
> >
> > # Only people in use_group can use aa-notify
> > -use_group="admin"
> > +use_group="adm"
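Review bot: the comment directly above the changed line ("# Only people in use_group can use aa-notify") still describes use_group purely as a gate on who may run the tool, while the commit message justifies "adm" by the group that can read /var/log/kern.log; record that dependency next to the setting so the next person does not switch it back, e.g. `# Only people in use_group can use aa-notify; the group must also be able to read /var/log/kern.log (adm)`. Worth a line in the commit message as well that an existing /etc/apparmor/notify.conf overrides this default and will not pick up the change.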
>
> This group's intended use is not for DAC filesystem access but instead
> to limit who is allowed to run the utility. From the man page which
> describes /etc/apparmor/notify.conf:
> # only people in use_group can use aa-notify
> use_group="admin"
>
> Also, this can be overridden via /etc/apparmor/notify.conf, so I'm not
> sure why it needs to be changed in the script itself. Was there a
> particular problem that this patch is trying to address?
Right, I'm patching notify.conf here. The details are in the Debian bug,
but basically, checking for "admin" isn't sane since it tries to read
the log files that are only readable by "adm". Therefore, switch the
check to what is actually needed.
-Kees
--
Kees Cook
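The point of the exchange above is that a "who may run this tool" group gate is only sane if the gate group is also the group that DAC lets read the log file; otherwise members pass the gate and then fail on the read. The following added example (not code from this thread or from AppArmor's aa-notify) reads the use_group value out of notify.conf-style text and checks it against a log file's mode and owning group. The function names and the constructed sample configuration are assumptions for illustration.

```python
import grp
import os
import re
import stat

# Constructed sample: the pre-patch default from the hunk quoted above.
SAMPLE_CONF = """\
show_notifications="yes"

# Only people in use_group can use aa-notify
use_group="admin"
"""


def parse_use_group(conf_text):
    """Return the use_group value from notify.conf-style key="value" text, or None."""
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'^use_group="?([^"\s]*)"?$', line)
        if m:
            return m.group(1)
    return None


def group_can_read_mode(mode, file_gid, group_gid):
    """Pure DAC check: can members of group_gid read a file with this mode and gid?

    Only the permission bits are consulted, so the result is deterministic and testable
    without touching the filesystem.
    """
    if mode & stat.S_IROTH:
        return True  # world-readable, any group will do
    return file_gid == group_gid and bool(mode & stat.S_IRGRP)


def check_gate_group(conf_text, log_path):
    """Report whether the configured use_group can actually read log_path.

    Returns (use_group, readable). readable is False when the group does not exist
    or when DAC denies it the read.
    """
    use_group = parse_use_group(conf_text)
    if use_group is None:
        return None, False
    try:
        group_gid = grp.getgrnam(use_group).gr_gid
    except KeyError:
        return use_group, False  # gate group does not exist on this host
    st = os.stat(log_path)
    return use_group, group_can_read_mode(st.st_mode, st.st_gid, group_gid)


if __name__ == "__main__":
    # Hypothetical invocation against the real log; on Debian kern.log is group "adm", mode 0640.
    group, ok = check_gate_group(SAMPLE_CONF, "/var/log/kern.log")
    print(f"use_group={group!r} can read kern.log: {ok}")
```

Run against a real /var/log/kern.log (group adm, mode 0640) with use_group="admin" this reports False, which is exactly the mismatch the patch fixes; with use_group="adm" it reports True.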