[apparmor] [PATCH] Adjust notify group name
jamie at canonical.com
Wed Apr 25 18:52:00 UTC 2012
On Wed, 2012-04-25 at 11:30 -0700, Kees Cook wrote:
> Hi Jamie,
> On Wed, Apr 25, 2012 at 07:13:46AM -0500, Jamie Strandboge wrote:
> > On Tue, 2012-04-24 at 16:58 -0700, Kees Cook wrote:
> > > The group for reading /var/log/kern.log is "adm", not "admin".
> > >
> > > Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660078
> > >
> > > Index: apparmor-debian/utils/notify.conf
> > > ===================================================================
> > > --- apparmor-debian.orig/utils/notify.conf 2010-11-03 17:03:52.000000000 -0700
> > > +++ apparmor-debian/utils/notify.conf 2012-04-24 11:54:27.997521983 -0700
> > > @@ -12,4 +12,4 @@
> > > show_notifications="yes"
> > >
> > > # Only people in use_group can use aa-notify
> > > -use_group="admin"
> > > +use_group="adm"
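Review bot: the man page for notify.conf, quoted further down this thread, still documents `use_group="admin"`, so the same change should update that documentation, otherwise the shipped default and the documented default disagree. The comment above the setting (`# Only people in use_group can use aa-notify`) would also benefit from a note that the chosen group only gates who may run the tool and does not by itself grant read access to the logs, which is the point of dispute in this thread.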
> > This group's intended use is not for DAC filesystem access but instead
> > to limit who is allowed to run the utility. From the man page which
> > describes /etc/apparmor/notify.conf:
> > # only people in use_group can use aa-notify
> > use_group="admin"
> > Also, this can be overridden via /etc/apparmor/notify.conf, so I'm not
> > sure why it needs to be changed in the script itself. Was there a
> > particular problem that this patch is trying to address?
> Right, I'm patching notify.conf here.
Oh, duh :)
> The details are in the Debian bug,
> but basically, checking for "admin" isn't sane since it tries to read
> the log files that are only readable by "adm". Therefore, switch the
> check to what is actually needed.
I didn't explain myself enough before, this is more than just
accessing /var/log/kern.log because as the reporter said, we can always
use DAC for that and remove the check. This code is more about who we
want to access whatever log as the apparmor messages,
specifically /var/log/audit/audit.log which does not have group read
permissions. Initially I chose not to use adm because I figured that the
sets of people who were in 'adm' as opposed to 'admin' were not the
same. In Ubuntu, this has traditionally not mattered because the default
'admin' user is also 'adm'.
Debian now has the 'sudoers' group and Ubuntu users could be in either
'admin' or 'sudoers' depending on if it is a new install or upgrade, so
I guess 'admin' doesn't really make sense in Ubuntu any more either.
Perhaps it is best to just use 'adm' and let sysadmins adjust as
Jamie Strandboge | http://www.canonical.com
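The distinction argued over above (the use_group setting gates who may run aa-notify; whether the caller can actually read the log is a separate DAC question) can be illustrated in shell. The script below is an added example written for this page, not aa-notify's own code and not from the AppArmor project; it assumes a notify.conf-style file with a `use_group="..."` line and a group list in the form `id -nG` prints, and the config file it builds is constructed for the example.

```shell
#!/bin/sh
# Added example (not aa-notify's implementation): reproduce the use_group
# gate from /etc/apparmor/notify.conf and compare it with a plain DAC check.

# make_conf: write a constructed notify.conf-style file and print its path.
# The real file is /etc/apparmor/notify.conf; this one is a throwaway copy.
make_conf() {
  conf=$(mktemp)
  cat > "$conf" <<'EOF'
show_notifications="yes"

# Only people in use_group can use aa-notify
use_group="adm"
EOF
  printf '%s\n' "$conf"
}

# read_use_group FILE: extract the use_group value without sourcing the
# file, so a hostile config line cannot execute anything in this shell.
read_use_group() {
  sed -n 's/^use_group="\([^"]*\)".*/\1/p' "$1"
}

# in_group GROUPLIST GROUP: GROUPLIST is space-separated, as `id -nG` prints.
in_group() {
  for g in $1; do
    [ "$g" = "$2" ] && return 0
  done
  return 1
}

# gate GROUPLIST CONFFILE: succeed only if the caller is in use_group.
# This is the policy check the thread is about; it says nothing about
# whether the log files are readable.
gate() {
  in_group "$1" "$(read_use_group "$2")"
}

# log_readable FILE: the separate DAC question (e.g. /var/log/kern.log is
# group-readable by "adm"; /var/log/audit/audit.log typically is not).
log_readable() {
  [ -r "$1" ]
}

# Stand-alone demo against the running user's own groups.
conf=$(make_conf)
if gate "$(id -nG)" "$conf"; then
  echo "use_group gate: allowed"
else
  echo "use_group gate: denied (required group: $(read_use_group "$conf"))"
fi
for f in /var/log/kern.log /var/log/audit/audit.log; do
  if log_readable "$f"; then
    echo "DAC: $f readable"
  else
    echo "DAC: $f not readable"
  fi
done
rm -f "$conf"
```

The gate and the DAC check are deliberately separate functions: a user can be in the configured group and still fail to read audit.log, which is why the thread treats the group check as a policy decision rather than as a stand-in for filesystem permissions.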