Bug#928170: chrony: Apparmor profile contains wrong path for samba sntp

2019-05-16 Thread L. van Belle
Hi Vincent,

Yes, that is correct. 

/var/lib/samba/ntp_signd/socket rw,

Is sufficient. 

Greetz, 

Louis


> -Original message-
> From: Vincent Blut [mailto:vincent.deb...@free.fr] 
> Sent: Tuesday 14 May 2019 15:54
> To: Louis van Belle; 928...@bugs.debian.org
> CC: Debian Bug Tracking System
> Subject: Re: Bug#928170: chrony: Apparmor profile contains 
> wrong path for samba sntp
> 
> Hi Louis,
> 
> So according to the information gleaned in #928168¹, adding a rule to 
> allow read access to the winbindd pipe doesn’t seem necessary‽
> As far as I can see from my local tests, only read/write access to 
> /var/lib/samba/ntp_signd/socket is needed. Could you please confirm?
> 
> If so, chronyd’s Apparmor profile should just include (for samba ofc):
> /var/lib/samba/ntp_signd/socket rw,
> 
> Cheers,
> Vincent
> 
> 
> ¹ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928168
> 



Bug#928170: chrony: Apparmor profile contains wrong path for samba sntp

2019-05-14 Thread Vincent Blut

Hi Louis,

So according to the information gleaned in #928168¹, adding a rule to 
allow read access to the winbindd pipe doesn’t seem necessary‽
As far as I can see from my local tests, only read/write access to 
/var/lib/samba/ntp_signd/socket is needed. Could you please confirm?


If so, chronyd’s Apparmor profile should just include (for samba ofc):
/var/lib/samba/ntp_signd/socket rw,

Cheers,
Vincent


¹ https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928168




Bug#928170: chrony: Apparmor profile contains wrong path for samba sntp

2019-04-29 Thread Vincent Blut

Control: tags -1 moreinfo


Hi Louis,

On Mon, Apr 29, 2019 at 11:20:51AM +0200, Louis van Belle wrote:

> Package: chrony
> Severity: important
> 
> Hello, after a few messages on the samba list we discovered a wrong path in the 
> apparmor profiles of chrony.
> 
> File : /etc/apparmor.d/usr.sbin.chrony
> Wrong:
>  # samba4 ntp signing socket
>  /{,var/}run/samba/ntp_signd/socket rw,


We don’t have this rule in our AppArmor profile. I think that one is 
from ntpd, right?



> Correct:
>  # To sign replies to MS-SNTP clients by the smbd daemon in /var/lib/samba
>  /var/lib/samba/ntp_signd r,
>  /var/lib/samba/ntp_signd/{,*} rw,


These rules are already in the chronyd AppArmor profile.


>  # samba4 winbindd pipe
>  /{,var/}run/samba/winbindd r,
>  /{,var/}run/samba/winbindd/pipe r,
> 
>  # samba4 winbindd_privileged pipe ? Needed, not sure here.
>  /var/lib/samba/winbindd_privileged r,
>  /var/lib/samba/winbindd/pipe r,


Ok, so before adding these changes to the profile, I would be more 
comfortable if someone could show me what access is currently denied on 
this kind of environment. Having the output of something like
`grep -s 'DENIED' /var/log/syslog /var/log/auditd/audit.log` would be 
great.

From what I can see, ntp’s Apparmor profile includes:
 # samba4 winbindd pipe
 /run/samba/winbindd/pipe rw,


> please verify the last one, I'm not a coder, sorry.
> Now, the above changes are important to have before the buster release,
> because it could stop the timesync of domain joined PCs.


Indeed, I think it is important to have this issue sorted out prior to our 
next stable release.



> Best regards,
> 
> Louis


Thanks for your report,
Vincent


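Added example, not part of the thread: a small Python checker for the diagnostic Vincent asks for above. It parses AppArmor DENIED events for the chronyd profile out of syslog lines and reports which denied paths the profile's file rules do not already cover, so the "wrong" rule and the corrected one from the report can be compared side by side. The log lines, the host name and the simplified glob handling (`{a,b}`, `*`, `**`; no nested braces) are constructed assumptions, not output from the reporter's system.

```python
import re
from typing import Dict, List, Set

def _glob_body(pattern: str) -> str:
    """Translate an AppArmor path glob ({a,b}, *, **) into a regex body; no nested braces."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        elif pattern[i] == "{":
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out, i = out + "(?:" + "|".join(_glob_body(a) for a in alts) + ")", j + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return out

def rule_covers(rule_path: str, path: str) -> bool:
    """True if an AppArmor file-rule path matches the path a denial was logged for."""
    return re.fullmatch(_glob_body(rule_path), path) is not None

KV_RE = re.compile(r'(\w+)="([^"]*)"')

def uncovered_denials(log_text: str, rules: Dict[str, str], profile: str = "chronyd") -> List[str]:
    """Collapse DENIED events of `profile` into 'path perms,' lines for whatever `rules` do not allow."""
    needed: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue
        ev = dict(KV_RE.findall(line))
        if ev.get("profile") != profile or "name" not in ev:
            continue
        needed.setdefault(ev["name"], set()).update(ev.get("denied_mask", ""))
    suggestions = []
    for path, mask in sorted(needed.items()):
        allowed = {c for r, perms in rules.items() if rule_covers(r, path) for c in perms}
        missing = mask - allowed
        if missing:
            suggestions.append(f"{path} {''.join(c for c in 'rwaxmkl' if c in missing)},")
    return suggestions

# Constructed sample (not from the bug report): syslog lines as they look when chronyd is blocked.
SAMPLE_LOG = """\
May 14 10:30:50 dc1 kernel: [812.345] audit: type=1400 audit(1557829450.123:41): apparmor="DENIED" operation="connect" profile="chronyd" name="/var/lib/samba/ntp_signd/socket" pid=1234 comm="chronyd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
May 14 10:30:50 dc1 kernel: [812.346] audit: type=1400 audit(1557829450.124:42): apparmor="DENIED" operation="open" profile="chronyd" name="/var/lib/samba/ntp_signd/" pid=1234 comm="chronyd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
May 14 10:30:51 dc1 kernel: [812.400] audit: type=1400 audit(1557829451.000:43): apparmor="DENIED" operation="open" profile="ntpd" name="/run/samba/winbindd/pipe" pid=987 comm="ntpd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""
WRONG_RULES = {"/{,var/}run/samba/ntp_signd/socket": "rw"}  # the rule the report calls wrong
FIXED_RULES = {"/var/lib/samba/ntp_signd": "r", "/var/lib/samba/ntp_signd/{,*}": "rw"}
```

Calling `uncovered_denials(SAMPLE_LOG, WRONG_RULES)` lists the two samba paths the old rule never matches, while `uncovered_denials(SAMPLE_LOG, FIXED_RULES)` comes back empty; the ntpd line is ignored because it belongs to another profile.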


Bug#928170: chrony: Apparmor profile contains wrong path for samba sntp

2019-04-29 Thread Louis van Belle
Package: chrony
Severity: important

Hello, after a few messages on the samba list we discovered a wrong path in the 
apparmor profiles of chrony.

File : /etc/apparmor.d/usr.sbin.chrony
Wrong:
  # samba4 ntp signing socket
  /{,var/}run/samba/ntp_signd/socket rw,

Correct:
  # To sign replies to MS-SNTP clients by the smbd daemon in /var/lib/samba
  /var/lib/samba/ntp_signd r,
  /var/lib/samba/ntp_signd/{,*} rw,

  # samba4 winbindd pipe
  /{,var/}run/samba/winbindd r,
  /{,var/}run/samba/winbindd/pipe r,

  # samba4 winbindd_privileged pipe ? Needed, not sure here.
  /var/lib/samba/winbindd_privileged r,
  /var/lib/samba/winbindd/pipe r,


please verify the last one, I'm not a coder, sorry.
Now, the above changes are important to have before the buster release,
because it could stop the timesync of domain joined PCs.


Best regards,

Louis



-- System Information:
Debian Release: 9.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages chrony depends on:
ii  adduser              3.115
ii  init-system-helpers  1.48
ii  iproute2             4.9.0-1+deb9u1
ii  libc6                2.24-11+deb9u4
ii  libcap2              1:2.25-1
ii  libedit2             3.1-20160903-3
ii  libseccomp2          2.3.1-2.1+deb9u1
pn  libtomcrypt0
ii  lsb-base             9.20161125
ii  ucf                  3.0036
ii  util-linux           2.29.2-1+deb9u1

chrony recommends no packages.

chrony suggests no packages.