[Bug 1228485] Re: smbd and nmbd can start up before their respective apparmor profiles are loaded
@Steve, it is *reasonable* to have this in the upstart smb.conf configuration because the apparmor profiles package does carry smbd and nmbd apparmor profiles. Also, I am not asking for this in all upstart init configuration files, just in smbd and nmbd, which *historically* (samba) are prone to security flaws, and *both* samba and nmbd run as root. Please consider re-opening this bug and resolving this issue.

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1228485

Title: smbd and nmbd can start up before their respective apparmor profiles are loaded

To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1228485/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 1228485] Re: smbd and nmbd can start up before their respective apparmor profiles are loaded
I'll just note here that as per the apparmor man page it is possible to ensure that the samba and nmbd apparmor profiles are enforced by symlinking to their apparmor profiles in the /etc/apparmor/init/network-interface-security directory.
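A way to check whether a running smbd or nmbd ended up unconfined because it started before its profile was loaded, as an added example that is not part of the original thread. It assumes the kernel exposes each process's AppArmor label in /proc/<pid>/attr/current; the function names and the PROC_ROOT variable are hypothetical.

```shell
#!/bin/sh
# Added example: report the AppArmor confinement of running smbd/nmbd.
# PROC_ROOT is a hypothetical override so the scan can be pointed at a
# constructed directory tree instead of the live /proc.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Map the content of <pid>/attr/current to a state.
# Typical values: "unconfined" or "/usr/sbin/smbd (enforce)".
label_state() {
    case "$1" in
        unconfined)    echo unconfined ;;
        *"(enforce)")  echo enforce ;;
        *"(complain)") echo complain ;;
        *)             echo unknown ;;   # empty or unreadable label
    esac
}

# Print "<pid> <name> <state>" for every smbd/nmbd process.
# Returns 1 if any of them is not confined in enforce mode.
check_samba_confinement() {
    rc=0
    for dir in "$PROC_ROOT"/[0-9]*; do
        [ -r "$dir/comm" ] || continue
        name=$(cat "$dir/comm")
        case "$name" in
            smbd|nmbd) ;;
            *) continue ;;
        esac
        label=$(cat "$dir/attr/current" 2>/dev/null || true)
        state=$(label_state "$label")
        echo "${dir##*/} $name $state"
        [ "$state" = enforce ] || rc=1
    done
    return $rc
}

# Usage (as root, after the daemons have started): check_samba_confinement
```

A daemon reported as unconfined while its profile is listed as loaded was started before the profile load and has to be restarted to pick it up.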
[Bug 1228485] Re: smbd and nmbd can start up before their respective apparmor profiles are loaded
ah, I overlooked the apparmor-profiles package, which I don't have installed here. In that case, yes, it would be reasonable to provide proper support for this in the samba package. Note that if this is going to be in the samba upstart jobs, then, it needs to be guarded by a check for the existence of /lib/init/apparmor-profile-load. See the cups job for an example.

** Changed in: samba (Ubuntu)
   Status: Invalid => Triaged

** Tags removed: patch
[Bug 1228485] Re: smbd and nmbd can start up before their respective apparmor profiles are loaded
This is not an appropriate change to apply to the samba package in its current form, because we are not shipping an apparmor profile for either smbd or nmbd by default. If you have a local apparmor profile, you will need to be responsible for local modifications as well. It's not reasonable to have each upstart job provide apparmor integration that won't be used on most systems (and indeed, the upstart jobs need to run correctly on systems that don't have apparmor installed - e.g., in Debian).

** Changed in: samba (Ubuntu)
   Status: New => Invalid
[Bug 1228485] Re: smbd and nmbd can start up before their respective apparmor profiles are loaded
Ignore the previous two patch comments, I will attach the patches to this bug.
[Bug 1228485] Re: smbd and nmbd can start up before their respective apparmor profiles are loaded
Diff for smbd: diff --git a/etc/init/smbd.conf b/etc/init/smbd.conf index 3e85ea4..cdb077c 100644 --- a/init/smbd.conf +++ b/init/smbd.conf @@ -14,6 +14,7 @@ pre-start script [ $RUN_MODE = inetd ] { stop; exit 0; } install -o root -g root -m 755 -d /var/run/samba + /lib/init/apparmor-profile-load usr.sbin.smbd end script exec smbd -F ** Description changed: - It is possible for smbd and nmbd to start up before their respective apparmor profiles are loaded. This can be fixed by adding a - /lib/init/apparmor-profile-load $daemon_location to the pre-start script of the smbd and nmdb upstart init configuration files. + It is possible for smbd and nmbd to start up before their respective apparmor profiles are loaded. This can be fixed by adding a + /lib/init/apparmor-profile-load $daemon_location to the pre-start script of the smbd and nmbd upstart init configuration files.
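Review bot: the added `/lib/init/apparmor-profile-load usr.sbin.smbd` call at the end of the pre-start script is unconditional, so the job now depends on that helper being present, and it will be missing on systems without AppArmor installed. Guard it with an existence check, for example `if [ -x /lib/init/apparmor-profile-load ]; then /lib/init/apparmor-profile-load usr.sbin.smbd; fi`. Because this is the last command before `end script`, the `if` form is preferable to a bare `[ -x ... ] && ...`, whose non-zero status when the helper is absent would become the exit status of the pre-start script.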
[Bug 1228485] Re: smbd and nmbd can start up before their respective apparmor profiles are loaded
Diff for nmbd: diff --git a/etc/init/nmbd.conf b/etc/init/nmbd.conf index 908c284..8aa4ffb 100644 --- a/init/nmbd.conf +++ b/init/nmbd.conf @@ -11,6 +11,7 @@ pre-start script [ -f /etc/samba/smb.conf ] || { stop; exit 0; } install -o root -g root -m 755 -d /var/run/samba + /lib/init/apparmor-profile-load usr.sbin.nmbd NMBD_DISABLED=`testparm -s --parameter-name='disable netbios' 2/dev/null || true` [ x$NMBD_DISABLED = xYes ] { stop; exit 0; }
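Review bot: the added `/lib/init/apparmor-profile-load usr.sbin.nmbd` line sits above the `disable netbios` test, so the profile is loaded even on the path where the script then does `stop; exit 0` and nmbd never runs. Move it below the NMBD_DISABLED check so that it is the last step before the daemon starts. The call is also unconditional and needs the existence guard on /lib/init/apparmor-profile-load that was requested in this bug for the samba upstart jobs, so the job still starts on systems without AppArmor.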
[Bug 1228485] Re: smbd and nmbd can start up before their respective apparmor profiles are loaded
** Patch added: nmbd.conf.diff https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1228485/+attachment/3832773/+files/nmbd.conf.diff
[Bug 1228485] Re: smbd and nmbd can start up before their respective apparmor profiles are loaded
** Patch added: smbd.conf.diff https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1228485/+attachment/3832772/+files/smbd.conf.diff
[Bug 1228485] Re: smbd and nmbd can start up before their respective apparmor profiles are loaded
The attachment smbd.conf.diff seems to be a patch. If it isn't, please remove the patch flag from the attachment, remove the patch tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team. [This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

** Tags added: patch