[Bug 692406] [NEW] aa-logprog forces network connection

Launchpad Bug Tracker 692406 at bugs.launchpad.net
Tue Dec 21 20:20:25 UTC 2010


You have been subscribed to a public bug:

Binary package hint: apparmor

SUMMARY
=======
This report describes unexpected functionality in aa-logprof:
	C] Seems not to prompt ever for the suggestion list of changes <<ie. [(A)llow] / (D)eny / (N)ew / (G)lob / Glob w/(E)xt / Abo(r)t / (F)inish >>
	A] Seems to require a username and password
	B] Echoes Password entry in clear text
	C] Seems to require a network connection
	D] Seems to attempt to contact a website of OPENSUSE, not Canonical
	E] Seems not to be able to gracefully exit.
	F] Seems to totally freeze the I/O environment within 15-30 minutes

ENVIRONMENT
===========
Maverick, Asus EeePc 1000, system updated 12/14/2010
/usr/sbin/aa-logprof, a perl script, undated, copyright 2005, Novell, 1928 bytes, "last modified" Nov09,2010 14:06EST

DETAIL
======
1) included a profile for firefox.
2) used firefox a bit, and generated some apparmor notices. (in the log file, and with the cute gnome screen indicator)
3) invoked sudo aa-logprof
Instead of getting prompts asking me what I wanted to do in response to changes aa-logprof found, it gave me a message that it was scanning the logs (so far so good > sfsg). It then TOLD me it was updating the profiles, no questions asked (I was expecting a suggestion list, per the man pages and the pdf manual)! It then asked me if I wanted to create a new user (huh? I don't see this in the manuals. Could it be trying to upload my modified profile to a server, similar to apparmor.opensuse.org mentioned in the suse version of the manual?) WAIT! That's not all folks - - - Regardless of how I answer the question, it forces me through questions for username and password (and the password is echoed in plain-text!). Of course, I have no user account for whatever it is trying to log me into. It then asks me if I want to save the configuration, to which I respond NO, and it reports: Login failure,  Please check username and password and try again. RPC::XML::Client::send_request: HTTP server error: Can't connect to apparmor.test.opensuse.org:80 (Bad hostname 'apparmor.test.opensuse.org') [la dee dah, I'm not even connected to a network when performing this exercise]. It then endlessly cycles through the sequence:
	1a) Do you want to create a new user (N)
	1b) username
	1c) password
	1d) save configuration (N)
If instead I respond:
	2a) Do you want to create a new user (YES, THIS TIME)
	1b) username
	1c) password
	1d) e-mail
	1e) save configuration (N)
then I get Login Error RPC::XML::Client::send_request: HTTP server error: Can't connect to apparmor.test.opensuse.org:80 (Bad hostname 'apparmor.test.opensuse.org'), and it still endlessly cycles through the sequence.

Now let's try this:
	3a) Do you want to create a new user (NO, THIS TIME)
	3b) username
	3c) password
	3d) save configuration (YES, THIS TIME)
Login failure, Please check username and password and try again. RPC::XML::Client::send_request: HTTP server error: Can't connect to apparmor.test.opensuse.org:80 (Bad hostname 'apparmor.test.opensuse.org')

Now let's try this:
	4a) Do you want to create a new user (YES, THIS TIME)
	4b) username
	4c) password
	4d) e-mail
	4e) save configuration (YES, THIS TIME)
Login Error, RPC::XML::Client::send_request: HTTP server error: Can't connect to apparmor.test.opensuse.org:80 (Bad hostname 'apparmor.test.opensuse.org')

Oh, and it never did really save any modifications to my configuration,
anyway.


until I kill it.

NO! WE'RE NOT DONE YET! If instead of responding to the prompt, I leave
the terminal window alone to, say, read the apparmor man pages and pdf
manual, and document the issue using gedit, within a half hour the
entire system freezes. no greyed out windows or anything, just frozen.
no i/o whatsoever. cycle the power, just like bsod.

Now let's try it while connected to the internet:
	5a) Do you want to create a new user (NO, THIS TIME)
	5b) username
	5c) password
	5d) save configuration (NO, THIS TIME)
Login failure  Please check username and password and try again. RPC::XML::Client::send_request: HTTP server error: Not Found


This next might be a separate bug or nothing at all y'all want to characterize as a bug
Let me know whether and how you would like me to report it
=====================
apparmor abstractions 
=====================
SUMMARY: The Canonical additions seem to have duplicate and conflicting invocations. The implementation uses many layers of "abstractions" and include files that unnecessarily confuse.

DETAIL: I thought it prudent to include here some things I noticed and
thought unusual about the abstractions that Canonical setup for firefox,
since they are part of the apparmor environment and they might plausibly
have some bearing on the problems that are the subject of this report.
This is not an exhaustive review of the profile files.

the definition file for firefox
1) includes abstractions for base, fonts, freedesktop.org and user.
2) it then includes an abstraction for gnome, which itself includes those same abstractions over again.

the abstraction file for gnome
1) includes abstraction for fonts
2) it then gives rights explicitly for fonts, already covered in the fonts abstraction file (ie /etc/fonts)

the definition file for firefox includes abstractions/ubuntu-browsers.d/..
1) text-editors, which seems to want to allow webpages to launch texteditors!?! (the justification seems to be that there is a mozilla addon "It's all text - https://addons.mozilla.org/en-US/firefox/addon/4125")
2) user-files, which is very, very permissive, after being very restrictive in usr.bin.firefox - quite a conflicting and misleading signal.
3) mailto - this will serve the purpose of allowing firefox (or whatever other apparmor definition) to directly invoke any e-mail client.
4) multimedia - includes permission for UNCONSTRAINED execution by gimp and eog - why? For that matter, the abstraction "ubuntu-media-players" also contains a few dozen programs given unconstrained execution privilege. Quoting the user manual - "Use ux only in very special cases. It enables the designated child processes to be run without any AppArmor protection... ...Any profile using this mode provides negligible security. Use at your own risk."
5) java - this includes abstractions for base, fonts, gnome, nameservice that have already been included directly.

ProblemType: Bug
DistroRelease: Ubuntu 10.10
Package: apparmor 2.5.1-0ubuntu0.10.10.2
ProcVersionSignature: Ubuntu 2.6.35-23.41-generic 2.6.35.7
Uname: Linux 2.6.35-23-generic i686
Architecture: i386
Date: Sun Dec 19 21:39:41 2010
InstallationMedia: Ubuntu 10.10 "Maverick Meerkat" - Release i386 (20101007)
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcKernelCmdline: BOOT_IMAGE=/boot/vmlinuz-2.6.35-23-generic root=UUID=1b4239cc-4ac9-4c0c-a790-245965ea828b ro quiet splash
SourcePackage: apparmor

** Affects: firefox (Ubuntu)
     Importance: Undecided
     Assignee: Jamie Strandboge (jdstrand)
         Status: Triaged


** Tags: apport-bug i386 maverick
-- 
aa-logprog forces network connection
https://bugs.launchpad.net/bugs/692406
You received this bug notification because you are a member of Mozilla Bugs, which is subscribed to firefox in ubuntu.
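
The review of nested abstractions in the report can be automated. The following is an added example, not part of the bug report or of AppArmor's tooling: it walks `#include` lines from a profile, lists abstractions pulled in more than once, and flags unconfined-execute (`ux`/`Ux`) rules. The file contents and the `audit` helper are constructed for illustration and are not the real Ubuntu profiles.

```python
import re

# Constructed sample tree (assumption): mirrors the layering the report
# describes, not the actual contents of the Ubuntu 10.10 profile files.
SAMPLE_TREE = {
    "usr.bin.firefox": """
        #include <abstractions/base>
        #include <abstractions/fonts>
        #include <abstractions/gnome>
        #include <abstractions/ubuntu-browsers.d/multimedia>
        /usr/lib/firefox/firefox.sh Px,
    """,
    "abstractions/base": "/lib/** mr,\n",
    "abstractions/fonts": "/etc/fonts/** r,\n",
    "abstractions/gnome": """
        #include <abstractions/base>
        #include <abstractions/fonts>
        /etc/fonts/** r,
    """,
    "abstractions/ubuntu-browsers.d/multimedia": """
        /usr/bin/gimp ux,
        /usr/bin/eog Ux,
    """,
}

INCLUDE_RE = re.compile(r"^\s*#?include\s+<([^>]+)>")
# A path rule whose mode string contains ux or Ux (execute without confinement).
UNCONFINED_RE = re.compile(r"^\s*(/\S+)\s+\S*[uU]x\S*\s*,")

def audit(tree, root):
    """Return (duplicate includes, unconfined exec rules) reachable from root."""
    first_seen, duplicates, unconfined = {}, [], []

    def walk(name):
        for line in tree.get(name, "").splitlines():
            inc = INCLUDE_RE.match(line)
            if inc:
                target = inc.group(1)
                if target in first_seen:
                    # (abstraction, file that included it first, file repeating it)
                    duplicates.append((target, first_seen[target], name))
                else:
                    first_seen[target] = name
                    walk(target)
            elif (rule := UNCONFINED_RE.match(line)):
                unconfined.append((name, rule.group(1)))

    walk(root)
    return duplicates, unconfined
```

To run it against an installed system, build the dictionary by reading the files under the profile directory instead of using `SAMPLE_TREE`.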