[Bug 447292] Re: AppArmor does not allow access when @{HOME} is not /home

Jamie Strandboge jamie at ubuntu.com
Mon Oct 12 15:06:24 UTC 2009


** Description changed:

- Binary package hint: evince
+ For profiles that reference @{HOME}, AppArmor will deny access to files
+ in @{HOME} if the user's home directory is not in /home.
  
- I've installed karmic yesterday, and upgraded
- [0]> lsb_release -rd
- Description:    Ubuntu karmic (development branch)
- Release:        9.10
+ For example, if the user's home directory is /exports/home, then profiles such as cups, evince, and firefox will disallow access to anything in /exports/home. Since apparmor uses realpath(), using a symlink from /home/foo -> /exports/home/foo does not work. This is part of the design of the system and requires that the sysadmin adjust /etc/apparmor.d/tunables/home. In the above example, the sysadmin should change:
+ @{HOMEDIRS}=/home/
  
- [0]> apt-cache policy evince     
- evince:
-   Installed: 2.28.0-0ubuntu2
-   Candidate: 2.28.0-0ubuntu2
-   Version table:
-  *** 2.28.0-0ubuntu2 0
-         500 http://de.archive.ubuntu.com karmic/main Packages
-         100 /var/lib/dpkg/status
- 
- When I'm trying to start evince, the following happens (everything is
- done as user danielt):
- 
- [0]> evince
- 
- (evince:9325): EvinceDocument-WARNING **: Failed to create directory /home/danielt/.gnome2/evince: Permission denied
- zsh: exit 1     evince
- 
- [0]> grep /home/danielt/.gnome2/evince evince.strace
- 9327  access("/home/danielt/.gnome2/evince", F_OK) = -1 ENOENT (No such file or directory)
- 9327  mkdir("/home/danielt/.gnome2/evince", 0700) = -1 EACCES (Permission denied)
- 9327  write(2, "\n(evince:9327): EvinceDocument-WARNING **: Failed to create directory /home/danielt/.gnome2/evince: Permission denied\n", 118) = 118
- 
- This is odd:
- 
- [0]> id
- uid=1000(danielt) gid=1000(danielt) groups=4(adm),20(dialout),24(cdrom),46(plugdev),107(lpadmin),115(admin),122(sambashare),1000(danielt)
- [0]> /bin/pwd          
- /export/home/danielt
- [0]> ls -ld /. /export/. /export/home/. /export/home/danielt/. /export/home/danielt/.gnome2/. /home
- drwxr-xr-x 20 root    root    4096 Oct  8 15:48 /.
- drwxr-xr-x  6 root    root    4096 Oct  8 15:06 /export/.
- drwxr-xr-x  3 root    root    4096 Oct  8 15:14 /export/home/.
- drwx--x--x 57 danielt danielt 4096 Oct  9 17:02 /export/home/danielt/.
- drwx------  7 danielt danielt 4096 Oct  9 16:46 /export/home/danielt/.gnome2/.
- lrwxrwxrwx  1 root    root      13 Oct  8 15:34 /home -> /export/home/
- 
- So, where is the permission denied coming from?
- [0]> mkdir /home/danielt/.gnome2/evince; echo $?
- 0
+ to be:
+ @{HOMEDIRS}=/home/ /exports/home/

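The description above makes two points a practitioner should be able to verify: AppArmor mediates on the path the kernel resolves (realpath), so a /home -> /export/home symlink never matches a rule written against @{HOME}, and the fix is to list the real home tree in @{HOMEDIRS}. The following added example (not code from the bug report or from AppArmor itself) models that matching: it parses the @{HOMEDIRS} line in the format quoted in the description, builds a constructed temporary directory tree mirroring the reporter's layout (a symlinked home), and checks whether a path under the user's home is covered before and after the tunable is extended. The assumption that @{HOME} expands to one directory level below each @{HOMEDIRS} entry is a simplification of the real tunable and is labelled as such in the code.

```python
import os
import shutil
import tempfile


def parse_homedirs(tunables_text):
    """Return the directories assigned to @{HOMEDIRS} in a tunables/home file.

    Simplified parser (an assumption about the file format): one
    '@{HOMEDIRS}=' line with space-separated values, as quoted in the bug
    description; comments and other variables are ignored.
    """
    for line in tunables_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip() == "@{HOMEDIRS}":
            # Normalise every entry to a trailing slash so prefix checks are exact.
            return [d if d.endswith("/") else d + "/" for d in value.split()]
    return []


def home_allows(path, homedirs):
    """Model of how a rule under @{HOME} is matched against an access.

    The candidate path is canonicalised (AppArmor sees the kernel's resolved
    path), but the @{HOMEDIRS} entries are literal patterns and are NOT
    resolved. That asymmetry is why the symlink in the bug does not help.
    @{HOME} is modelled as @{HOMEDIRS}/*/, i.e. exactly one user directory
    below each entry (assumption, not quoted from the bug).
    """
    real = os.path.realpath(path)
    for base in homedirs:
        if real.startswith(base):
            user_dir = real[len(base):].split("/")[0]
            if user_dir:
                return True
    return False


def build_fixture():
    """Constructed tree under a temporary root mirroring the reporter's layout:

        <root>/export/home/danielt/.gnome2   (the real home directory)
        <root>/home -> <root>/export/home    (the symlink the reporter tried)
    """
    root = os.path.realpath(tempfile.mkdtemp())
    real_home = os.path.join(root, "export", "home")
    os.makedirs(os.path.join(real_home, "danielt", ".gnome2"))
    os.symlink(real_home, os.path.join(root, "home"))
    return root


def check_access(root):
    """Evaluate the evince directory from the bug against both tunable states."""
    target = os.path.join(root, "home", "danielt", ".gnome2", "evince")
    symlinked = os.path.join(root, "home")
    real_tree = os.path.join(root, "export", "home")
    # Constructed tunables/home contents: the default, then the sysadmin's fix.
    default_tunable = "@{HOMEDIRS}=%s/\n" % symlinked
    fixed_tunable = "@{HOMEDIRS}=%s/ %s/\n" % (symlinked, real_tree)
    return {
        "resolved": os.path.realpath(target),
        "default_allows": home_allows(target, parse_homedirs(default_tunable)),
        "fixed_allows": home_allows(target, parse_homedirs(fixed_tunable)),
    }


if __name__ == "__main__":
    root = build_fixture()
    try:
        for key, value in check_access(root).items():
            print("%s: %s" % (key, value))
    finally:
        shutil.rmtree(root)
```

The default state reproduces the EACCES the reporter saw with ordinary permissions looking fine: the resolved path starts with /export/home, which no @{HOMEDIRS} entry covers. After editing /etc/apparmor.d/tunables/home the profiles that use the tunable must be reloaded (for example with apparmor_parser -r on the affected profile, or by restarting the apparmor service) before the change takes effect; that step is a practitioner's note, not something the bug description states.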
-- 
AppArmor does not allow access when @{HOME} is not /home
https://bugs.launchpad.net/bugs/447292
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs