[apparmor] [PATCH] Adjust notify group name

Kees Cook kees at ubuntu.com
Wed Apr 25 19:11:21 UTC 2012


But aa-notify runs as the user and reads the log files directly... what
am I misunderstanding?

-Kees

On Wed, Apr 25, 2012 at 06:36:39PM +0000, Seth Arnold wrote:
> The only reason why this group check is here is so that a user could read the aa log messages without having read access to the full logs.
> 
> Perhaps "adm" was a poor choice; "aalogs" would have been better named.
> 
> If you want to just rely on filesystem perms it might be easier to remove all the special handling.
> -----Original Message-----
> From: Kees Cook <kees at ubuntu.com>
> Sender: apparmor-bounces at lists.ubuntu.com
> Date: Wed, 25 Apr 2012 11:30:16 
> To: Jamie Strandboge<jamie at canonical.com>
> Cc: <apparmor at lists.ubuntu.com>
> Subject: Re: [apparmor] [PATCH] Adjust notify group name
> 
> Hi Jamie,
> 
> On Wed, Apr 25, 2012 at 07:13:46AM -0500, Jamie Strandboge wrote:
> > On Tue, 2012-04-24 at 16:58 -0700, Kees Cook wrote:
> > > The group for reading /var/log/kern.log is "adm", not "admin".
> > > 
> > > Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=660078
> > > 
> > > Index: apparmor-debian/utils/notify.conf
> > > ===================================================================
> > > --- apparmor-debian.orig/utils/notify.conf	2010-11-03 17:03:52.000000000 -0700
> > > +++ apparmor-debian/utils/notify.conf	2012-04-24 11:54:27.997521983 -0700
> > > @@ -12,4 +12,4 @@
> > >  show_notifications="yes"
> > >  
> > >  # Only people in use_group can use aa-notify
> > > -use_group="admin"
> > > +use_group="adm"
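Review bot: the value change from "admin" to "adm" in this hunk leaves the documentation inconsistent; the man page excerpt quoted later in this thread still shows `use_group="admin"`, so the man page should be updated in the same change, and the commit text should state that "adm" is the group owning /var/log/kern.log (the reason given in the message body) rather than only naming the bug.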
> > 
> > This group's intended use is not for DAC filesystem access but instead
> > to limit who is allowed to run the utility. From the man page which
> > describes /etc/apparmor/notify.conf:
> > # only people in use_group can use aa-notify
> > use_group="admin"
> > 
> > Also, this can be overridden via /etc/apparmor/notify.conf, so I'm not
> > sure why it needs to be changed in the script itself. Was there a
> > particular problem that this patch is trying to address?
> 
> Right, I'm patching notify.conf here. The details are in the Debian bug,
> but basically, checking for "admin" isn't sane since it tries to read
> the log files that are only readable by "adm". Therefore, switch the
> check to what is actually needed.
> 
> -Kees
> 
> -- 
> Kees Cook
> 
> -- 
> AppArmor mailing list
> AppArmor at lists.ubuntu.com
> Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
-- 
Kees Cook
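The thread turns on whether the configured use_group is the group that actually grants read access to the log aa-notify reads. The following is an added example, not code from the AppArmor project or from anyone in this thread: it reads use_group from a notify.conf-style file, looks up the group owning a log file, and reports whether the two agree and whether the current user is in that group. File names, the awk-based group lookup and the constructed inputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not part of AppArmor or this mailing-list thread).
# Assumptions: POSIX sh, ls(1), awk(1) and id(1); the notify.conf-style
# file uses the exact form  use_group="name"  shown in the patch.

# Print the value of use_group from a notify.conf-style file.
conf_use_group() {
    sed -n 's/^use_group="\([^"]*\)"/\1/p' "$1"
}

# Print the group owner of a file (field 4 of ls -ld on Linux and BSD).
file_group() {
    ls -ld "$1" | awk '{ print $4 }'
}

# Return 0 if the current user is a member of the named group.
in_group() {
    for g in $(id -Gn); do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# Return 0 when the configured use_group is the group owning the log,
# i.e. when the membership check reflects the actual read permission.
use_group_matches_log() {
    [ "$(conf_use_group "$1")" = "$(file_group "$2")" ]
}

# Demonstration on constructed inputs (a scratch config and an empty log),
# so this runs without touching /etc/apparmor or /var/log.
demo_dir=$(mktemp -d)
printf 'use_group="admin"\n' > "$demo_dir/notify.conf"
: > "$demo_dir/kern.log"
if use_group_matches_log "$demo_dir/notify.conf" "$demo_dir/kern.log"; then
    echo "use_group matches the log's group"
else
    echo "use_group \"$(conf_use_group "$demo_dir/notify.conf")\" differs from log group \"$(file_group "$demo_dir/kern.log")\""
fi
if in_group "$(conf_use_group "$demo_dir/notify.conf")"; then
    echo "current user is in the configured group"
else
    echo "current user is not in the configured group"
fi
rm -rf "$demo_dir"
```

Run it against the real files by pointing the two paths at /etc/apparmor/notify.conf and /var/log/kern.log; a mismatch between the configured group and the file's group is exactly the situation the Debian bug describes.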