On Tue, Dec 18, 2012 at 05:26:49PM -0500, Simon Deziel wrote:
> I am wondering why some of the profile abstractions are not using the
> owner prefix with the variable @{HOME} while many others do (and some
> mix both)?Funny, Steve's recent patch set made me wonder the same thing. (If only by shining a light clearly on the differences again.) In some cases, 'owner' couldn't work -- e.g., Apache's mod_userdir. I'm sure there are others. Different sites have different security goals and our provided profiles are intended to help the people who want to be safer than running without AppArmor, but don't want to put in effort to use it. This does mean missing some opportunities for further tightening profiles. If we add 'owner' to every desktop-oriented program where it makes sense, some of our users will be upset that they cannot share files amongst the users -- shared documents, shared music, shared photos, etc., are common among families (and historical acedemic Unix deployments have tended to be everything shared by default, and specific things like ~/.netrc, mail spools, browser cookie stores, etc., kept private). If we don't add 'owner' to the rules, a virus or worm is more likely to be able to spread outside of one user account to infect other user accounts, either by actively writing to other user's data, or by allowing a program to read another user's infected data. (Think of a corrupt user-installed font, corrupted PDF, etc.) I could see using 'owner' everywhere, using 'owner' only to keep some data separate (~/.ssh, ~/.gnupg, etc.), or not using 'owner' at all. I think I fall down on the "keep private data private" version. It feels like the best balance for the most number of users who won't themselves edit profiles. It also requires a decision at every use... Thanks
signature.asc
Description: Digital signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
