[apparmor] [patch] split off apache permissions to abstractions/apache2-common
John Johansen
john.johansen at canonical.com
Mon Jan 2 23:43:43 UTC 2012
On 12/21/2011 04:17 PM, Christian Boltz wrote:
> Hello,
>
> the attached patch splits off various permissions from the httpd2-
> prefork profile to abstractions/apache2-common. Additionally, it adds
> read permissions for /**/.htaccess and /dev/urandom to apache2-common.
>
> The patch is based on a profile abstraction from darix. I made some
> things more strict (compared to darix' profile), and OTOH added some
> things that are needed on my servers.
>
> For reference: Darix sent me a file abstractons/apache-vhost-base (note
> the different name, I merged into apache2-common).
> Original abstractions/apache-vhost-base from darix:
>
> network,
>
> @{PROC}/**/attr/current rw,
>
> # htaccess files - for what ever it is worth
> /**.htaccess r,
>
> # error pages
> /usr/share/apache2/** r,
>
>
> BTW: Darix' profile has @{PROC}/**/attr/current rw, however my
> experience is I only need @{PROC}/*/attr/current w (no r).
> I never needed @{PROC}/*/task/*/attr/current.
> - Does apache really need write access to both variants? (I doubt.)
> - What's the difference between both variants?
>
> Note: My version of abstractions/apache2-common does not allow to read
> /.htaccess (I changed /**.htaccess -> /**/.htaccess) which slightly
> reduces permissions for ^HANDLING_UNTRUSTED_INPUT. However I doubt
> someone has a .htaccess in / ;-)
>
> The other changes I did do not remove permissions from the profile in
> bzr because those permissions didn't exist there - they exist only in
> the profile and abstractions from darix.
>
> I'm also nominating this patch for the 2.7 branch (maybe except
> disallowing /.htaccess for ^HANDLING_UNTRUSTED_INPUT if you are afraid
> it breaks some setups)
>
>
> Regards,
>
> Christian Boltz
>
Steve what are your thoughts on this?
More information about the AppArmor
mailing list