[apparmor] [Merge] lp:~sdeziel/apparmor-profiles/ssh-scp-profiles into lp:apparmor-profiles
Simon Déziel
simon.deziel at gmail.com
Wed Dec 30 22:36:33 UTC 2015
On 12/30/2015 04:50 PM, Christian Boltz wrote:
> Oh nice, this was overlooked for more than a year :-/
Thanks for reviewing/commenting, that's a nice Christmas gift :)
> The profiles mostly look good when reading (!= testing) them.
I've been using and improving [*] them since the merge proposal. I'll
refresh the merge proposal shortly.
> Some small notes:
>
> In the scp profile, you have "/bin/cp PUx,". It's very unlikely that
> someone has a profile for it, so ffectively we get Ux. I'd prefer ix
> or Cx and a small child profile (assuming cp isn't too hard to
> profile - I never tried ;-)
No problem, done.
> In the ssh profile, you have "/usr/lib/openssh/gnome-ssh-askpass
> mix,". Please also allow /usr/lib/ssh/ssh-askpass which seems to be
> openSUSE's binary name.
Thanks for the suggestion.
> For the ControlPath, I'm afraid you'll need a more permissive
> wildcard to avoid breaking cutom ControlPath settings. For example,
> I'm using ~/.ssh/ssh_control_HOSTNAME_PORT_USERNAME. Maybe something
> like ~/.ssh/*[0-9][0-9]* would work for everybody, while not opening
> up too many unrelated files because of the [0-9][0-9] (two digits)
> part which should be matched by the port.
I would like to avoid giving such wide access. For example, a two digits
rule would match the private key: id_ed25519. While this specific case
is covered by an audit deny rule, I fear the ramifications of such change.
How about having rules allowing the following ControlPath:
~/.ssh/*control*[0-9][0-9]*
~/.ssh/control/**
The ~/.ssh/control subdirectory is because I get tired of tripping on
control sockets when using tab completions inside ~/.ssh :)
> Finally, please use "mr" instead of "rm". Technically it's the same,
> but a) we use "mr" everywhere and b) "rm" might confuse users not too
> familiar with the permission syntax ;-)
No problem Mr. ;)
Thank you very much for the review.
Regards,
Simon
*:
https://github.com/simondeziel/aa-profiles/tree/master/14.04/usr.bin.{ssh,scp}
--
https://code.launchpad.net/~sdeziel/apparmor-profiles/ssh-scp-profiles/+merge/234310
Your team AppArmor Developers is requested to review the proposed merge of lp:~sdeziel/apparmor-profiles/ssh-scp-profiles into lp:apparmor-profiles.
More information about the AppArmor
mailing list