On Wed, Nov 02, 2016 at 10:08:50PM +0200, Robert Munteanu wrote: > I am trying to secure my wordpress installation using apparmor. The > basic permissions are nothing special, until we get to email delivery. > > Wordpress by default always wants to use the php mail() function, > which in turn always wants to use a binary. So I can't fix this by > enabling email delivery via SMTP. > > So I ended up adding the following to my profile: > > /bin/bash ixr, > /usr/sbin/sendmail Uxr, > > That strikes me as being a pretty wide net, so I'm curious if there's > something that I can do better.
Hello Robert, There's several options, depending upon your goals: - You can add a system-wide profile for /usr/sbin/sendmail - You can add a child profile for /usr/sbin/sendmail to your php/wordpress profile Both approaches have merits; the system-wide profile for sendmail may involve more work to ensure that all applications on the system that send mail are correctly profiled. But likewise, sendmail would be confined when called via other mechanisms, not just via the wordpress application. Also, depending upon what program is supplying your /usr/sbin/sendmail, you may also need to confine a great many other executables in order to have meaningful confinement. For example, the apparmor-profiles package supplies several profiles (possibly too ancient to be useful starting points) for different sendmails: These profiles are also at: http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/files/head:/profiles/apparmor/profiles/extras/ - There's a usr.sbin.sendmail that is prepared to handle both postfix _and_ sendmail - There's a usr.sbin.sendmail.sendmail that works with sendmail - There's a usr.sbin.sendmail.postfix that works with postfix - There's also profiles for postalias, postdrop, postmap, postqueue, and a dozen other postfix binaries. Unless someone speaks up to say they've kept the 'extras' profile updated for their MTA of choice, they are probably old enough at this point that they can be ignored. If you want to add a child profile for sendmail, it'd look something like this: Change /usr/sbin/sendmail Uxr, to /usr/sbin/sendmail Cxr -> sendmail, profile sendmail { #include <abstraction/base> /usr/sbin/sendmail ixr, # .. more rules here .. } If you want to add a new system-wide profile for sendmail, it'd look something like this: /usr/sbin/sendmail Pxr, Then you need to generate a new sendmail profile. You could either use the tools, and run aa-genprof /usr/sbin/sendmail, and follow the prompts, or you could write it by hand. When you write the profile, be sure to test some common things very early: - stopping the daemon - starting the daemon - restarting the daemon - local mail delivery (if your sendmail does this) - remote mail delivery (if your sendmail does this) I hope this helps, feel free to ask here or #apparmor on irc.oftc.net (there's often someone around) in case I was'nt clear on something. Thanks
signature.asc
Description: PGP signature
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
