[apparmor] [PATCH] Adjust notify group name

Seth Arnold seth.arnold at gmail.com
Wed Apr 25 18:36:39 UTC 2012


The only reason why this group check is here is so that a user could read the aa log messages without having read access to the full logs.

Perhaps "adm" was a poor choice; "aalogs" would have been better named.

If you want to just rely on filesystem perms it might be easier to remove all the special handling.

-----Original Message-----
From: Kees Cook <kees at ubuntu.com>
Sender: apparmor-bounces at lists.ubuntu.com
Date: Wed, 25 Apr 2012 11:30:16 
To: Jamie Strandboge<jamie at canonical.com>
Cc: <apparmor at lists.ubuntu.com>
Subject: Re: [apparmor] [PATCH] Adjust notify group name

Hi Jamie,

On Wed, Apr 25, 2012 at 07:13:46AM -0500, Jamie Strandboge wrote:
> On Tue, 2012-04-24 at 16:58 -0700, Kees Cook wrote:
> > The group for reading /var/log/kern.log is "adm", not "admin".
> > 
> > Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660078
> > 
> > Index: apparmor-debian/utils/notify.conf
> > ===================================================================
> > --- apparmor-debian.orig/utils/notify.conf	2010-11-03 17:03:52.000000000 -0700
> > +++ apparmor-debian/utils/notify.conf	2012-04-24 11:54:27.997521983 -0700
> > @@ -12,4 +12,4 @@
> >  show_notifications="yes"
> >  
> >  # Only people in use_group can use aa-notify
> > -use_group="admin"
> > +use_group="adm"
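Review bot: the `# Only people in use_group can use aa-notify` comment just above the changed line does not say why "adm" is the right value, and the thread shows that the intent of the setting is easy to misread; consider extending the comment so the constraint is recorded in the file itself, e.g. `# Only people in use_group can use aa-notify; it must be a group that can read the kernel log (adm on Debian/Ubuntu)`, so a later cleanup does not switch it back to "admin".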
> 
> This group's intended use is not for DAC filesystem access but instead
> to limit who is allowed to run the utility. From the man page which
> describes /etc/apparmor/notify.conf:
> # only people in use_group can use aa-notify
> use_group="admin"
> 
> Also, this can be overridden via /etc/apparmor/notify.conf, so I'm not
> sure why it needs to be changed in the script itself. Was there a
> particular problem that this patch is trying to address?

Right, I'm patching notify.conf here. The details are in the Debian bug,
but basically, checking for "admin" isn't sane since it tries to read
the log files that are only readable by "adm". Therefore, switch the
check to what is actually needed.

-Kees

-- 
Kees Cook

-- 
AppArmor mailing list
AppArmor at lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
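The exchange above turns on the difference between the group gate aa-notify applies and the DAC permission on the log it reads. The following is an added example, not code from the AppArmor project or from the notify.conf shipped with it: it parses `use_group` out of a constructed notify.conf snippet, checks membership the way a gate like aa-notify's would, and then checks whether the log is actually readable, so that a mismatch between the two (the situation the Debian bug describes) is reported distinctly. The config text, the group lists and the `check_access` return codes are all constructed for this example.

```shell
#!/bin/sh
# Added example, not part of aa-notify or its notify.conf.
# Shows why the use_group gate should name the group that can read the
# log: membership in the configured group says nothing about DAC access.

# Read the first use_group="..." assignment from notify.conf text on stdin.
parse_use_group() {
    sed -n 's/^[[:space:]]*use_group="\([^"]*\)".*$/\1/p' | head -n 1
}

# Return 0 if group $1 appears in the space-separated group list $2
# (the list is normally the output of `id -Gn`).
user_in_group() {
    wanted=$1
    for g in $2; do
        [ "$g" = "$wanted" ] && return 0
    done
    return 1
}

# Combined check. Return codes (constructed for this example):
#   0  user is in use_group and the log is readable
#   1  user is not in use_group (the gate blocks the run)
#   2  user passed the gate but cannot read the log (the mismatch)
check_access() {
    conf_text=$1
    grouplist=$2
    logfile=$3
    grp=$(printf '%s\n' "$conf_text" | parse_use_group)
    [ -n "$grp" ] || grp=admin   # hypothetical default when the key is absent
    user_in_group "$grp" "$grouplist" || return 1
    [ -r "$logfile" ] || return 2
    return 0
}

# Constructed snippets resembling notify.conf before and after the patch.
OLD_CONF='show_notifications="yes"
# Only people in use_group can use aa-notify
use_group="admin"'
NEW_CONF='show_notifications="yes"
# Only people in use_group can use aa-notify
use_group="adm"'

# Print a one-line verdict for the invoking user against a given log path.
report() {
    check_access "$1" "$(id -Gn)" "$2"
    case $? in
        0) echo "ok: in $(printf '%s\n' "$1" | parse_use_group), log readable" ;;
        1) echo "blocked by use_group gate" ;;
        2) echo "passed use_group gate but cannot read $2 (group mismatch)" ;;
    esac
    return 0
}

report "$NEW_CONF" /var/log/kern.log
```

Running `report` with the old snippet on a system where the user is in "admin" but not "adm" produces the "passed use_group gate but cannot read" verdict, which is exactly the failure the patch removes; with the new snippet the gate and the file permission agree, so the only outcomes are 0 or 1.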

