[apparmor] aa-logprof doesn't check if user is root

Christian Boltz apparmor at cboltz.de
Wed Jan 15 20:44:56 UTC 2014


On Wednesday, 15 January 2014, Aaron Lewis wrote:
> aa-logprof doesn't check if user is root
> Can someone add the verification please? just like aa-status and
> others

Well, not always ;-)

aa-logprof doesn't always need root permissions (well, except for
reloading the profiles). You can easily run it as a user when using -f
/my/logfile -d /path/to/profiles/ (assuming the user has access to both
/my/logfile and /path/to/profiles/).

I know this isn't the typical use case, but still something that should
be possible. (However, maybe we should think about having the root check
enabled by default, and add an option --no-profile-reload that also
skips the root check.)

That said - feel free to test the rewritten tools available at 


Christian Boltz
You know, you're not really supposed to insult people on public
mailing lists, scratch them, or call them animal names.
But the sleepwalker's certainty with which you cut away the relevant part
of the log is quite impressive.
So, you pot-bellied pig, consider yourself insulted and scratched ;-)
[Stefan Förster in postfixbuch-users]
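
The default-on root check with an opt-out that the message above proposes, as an added sketch (not part of the original message and not aa-logprof's own code). The program name, the function names and the --no-profile-reload handling are assumptions; -f and -d are the options named in the message.

```python
import argparse
import os
import tempfile


def build_parser():
    # -f and -d are the options named in the message; --no-profile-reload is
    # the option it proposes (hypothetical here).
    p = argparse.ArgumentParser(prog="logprof-sketch")
    p.add_argument("-f", dest="logfile", required=True)
    p.add_argument("-d", dest="profile_dir", required=True)
    p.add_argument("--no-profile-reload", action="store_true")
    return p


def preflight(argv, euid=None):
    """Return a list of problems; an empty list means it is fine to proceed."""
    args = build_parser().parse_args(argv)
    euid = os.geteuid() if euid is None else euid
    problems = []
    # Root is only needed for reloading profiles, so the check is tied to that.
    if not args.no_profile_reload and euid != 0:
        problems.append("root required to reload profiles "
                        "(pass --no-profile-reload to skip)")
    # Independent of uid: the caller must be able to use both paths.
    if not (os.path.isfile(args.logfile) and os.access(args.logfile, os.R_OK)):
        problems.append("cannot read log file " + args.logfile)
    need = os.R_OK | os.W_OK | os.X_OK
    if not (os.path.isdir(args.profile_dir) and os.access(args.profile_dir, need)):
        problems.append("cannot write profile directory " + args.profile_dir)
    return problems


if __name__ == "__main__":
    # Constructed sample paths in a temporary directory.
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "logfile")
        open(log, "w").close()
        for extra in ([], ["--no-profile-reload"]):
            print(extra, preflight(["-f", log, "-d", d] + extra, euid=1000))
```

Note that os.access() tests against the real uid, so a setuid wrapper would need a different check.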
