[apparmor] [PATCH] Adjust notify group name

Jamie Strandboge jamie at canonical.com
Wed Apr 25 18:52:00 UTC 2012 

On Wed, 2012-04-25 at 11:30 -0700, Kees Cook wrote:
> Hi Jamie,
> 
> On Wed, Apr 25, 2012 at 07:13:46AM -0500, Jamie Strandboge wrote:
> > On Tue, 2012-04-24 at 16:58 -0700, Kees Cook wrote:
> > > The group for reading /var/log/kern.log is "adm", not "admin".
> > > 
> > > Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660078
> > > 
> > > Index: apparmor-debian/utils/notify.conf
> > > ===================================================================
> > > --- apparmor-debian.orig/utils/notify.conf	2010-11-03 17:03:52.000000000 -0700
> > > +++ apparmor-debian/utils/notify.conf	2012-04-24 11:54:27.997521983 -0700
> > > @@ -12,4 +12,4 @@
> > >  show_notifications="yes"
> > >  
> > >  # Only people in use_group can use aa-notify
> > > -use_group="admin"
> > > +use_group="adm"
> > 
> > This group's intended use is not for DAC filesystem access but instead
> > to limit who is allowed to run the utility. From the man page which
> > describes /etc/apparmor/notify.conf:
> > # only people in use_group can use aa-notify
> > use_group="admin"
> > 
> > Also, this can be overridden via /etc/apparmor/notify.conf, so I'm not
> > sure why it needs to be changed in the script itself. Was there a
> > particular problem that this patch is trying to address?
> 
> Right, I'm patching notify.conf here.
Oh, duh :)

> The details are in the Debian bug,
> but basically, checking for "admin" isn't sane since it tries to read
> the log files that are only readable by "adm". Therefore, switch the
> check to what is actually needed.

I didn't explain myself enough before, this is more than just
accessing /var/log/kern.log because as the reporter said, we can always
use DAC for that and remove the check. This code is more about who we
want to access whatever log as the apparmor messages,
specifically /var/log/audit/audit.log which does not have group read
permissions. Initially I chose not to use adm because I figured that the
sets of people who were in 'adm' as opposed to 'admin' where not the
same. In Ubuntu, this has traditionally not mattered because the default
'admin' user is also 'adm'.

Debian now has the 'sudoers' group and Ubuntu users could be in either
'admin' or 'sudoers' depending on if it is a new install or upgrade, so
I guess 'admin' doesn't really make sense in Ubuntu any more either.
Perhaps it is best to just use 'adm' and let sysadmin's adjust as
necessary.

-- 
Jamie Strandboge             | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20120425/548d194c/attachment.pgp>

More information about the AppArmor mailing list