[apparmor] [patch] smbd profile needs capability sys_admin

Steve Beattie steve at nxnw.org
Wed Apr 13 18:23:09 UTC 2016


On Sun, Mar 20, 2016 at 07:20:11PM +0100, Christian Boltz wrote:
> smbd stores ACLs in the security.NTACL namespace, which means it needs
> capability sys_admin.
> 
> References: https://bugzilla.opensuse.org/show_bug.cgi?id=964971
>             http://samba-technical.samba.narkive.com/eHtOW8DE/nt-acls-using-the-security-namespace-for-ntacl-considered-improper
> 
> I propose this patch for trunk, 2.10 and 2.9.
> 
> [ profiles-smbd-cap-sys_admin.diff ]
> 
> === modified file 'profiles/apparmor.d/usr.sbin.smbd'
> --- profiles/apparmor.d/usr.sbin.smbd   2015-02-28 20:35:18 +0000
> +++ profiles/apparmor.d/usr.sbin.smbd   2016-02-11 17:51:14 +0000
> @@ -17,6 +17,7 @@
>    capability net_bind_service,
>    capability setgid,
>    capability setuid,
> +  capability sys_admin,  # needed to store ACLS in the security.NTACL namespace
>    capability sys_resource,
>    capability sys_tty_config,
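
Review bot: The added `capability sys_admin,` line is granted unconditionally to every smbd confined by this profile, and its trailing comment gives only the short reason, with nothing a later reader could use to decide when the rule can be dropped. Setting xattrs in the security.* namespace is what requires CAP_SYS_ADMIN, so the comment should say that explicitly and cite the bug from the patch description (bugzilla.opensuse.org id=964971), so the rule can be revisited if Samba stops storing NT ACLs under security.NTACL. The comment also has "ACLS" where "ACLs" is meant.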

I really dislike this. The sys_admin capability grants much too
powerful stuff (e.g. the ability to load kernel modules, which can do
whatever damage to in-kernel apparmor data structures they'd like),
so essentially an unrestricted root level privilege.

It also doesn't look like samba upstream made visible progress on
their plan for an LSM to handle these.

However, I see that Simon's merge proposal also wants this. I'm
guessing the ntacl stuff is getting more widespread usage. So we may
have to accept this.
-- 
Steve Beattie
<sbeattie at ubuntu.com>
http://NxNW.org/~steve/