Public bug reported:

Similar to bug 1580018, I'm not sure if the default apparmor profile is
not correct, or possibly this bug is invalid and `sed -i.bak` should be
denied.

AFAICT, the issue is that sed -i.bak tries a chown syscall on the backup
file in the $SNAP_USER_DATA directory, and the apparmor profile does not
allow that (perhaps for good reason).

michael@dev-xenial2:~/dev/todo.txt⟫ cat /snap/todo-txt/100001/test-sed.sh 
#! /bin/bash

echo "The quick brown fox jumped over the lazy dog" > $SNAP_USER_DATA/sed-test.txt
sed 's/quick/fast/' $SNAP_USER_DATA/sed-test.txt | tee $SNAP_USER_DATA/sed-output.txt
sed -i.bak 's/quick/fast/' $SNAP_USER_DATA/sed-test.txt
chown

michael@dev-xenial2:~/dev/todo.txt⟫ todo-txt.test-sed 
The fast brown fox jumped over the lazy dog
/snap/todo-txt/100001/test-sed.sh: line 5: 11763 Bad system call         sed -i.bak 's/quick/fast/' $SNAP_USER_DATA/sed-test.txt
/snap/todo-txt/100001/test-sed.sh: line 6: /bin/chown: Permission denied

126 michael@dev-xenial2:~/dev/todo.txt⟫ ls -l ~/snap/todo-txt/100001/
total 12
-rw-rw-r-- 1 michael michael 44 May 13 04:30 sed-output.txt
-rw-rw-r-- 1 michael michael 45 May 13 04:30 sed-test.txt
---------- 1 michael michael 44 May 13 04:30 sedwCnCDY

michael@dev-xenial2:~/dev/todo.txt⟫ dmesg -H | tail -n3
[ +39.843825] audit: type=1326 audit(1463113859.687:232): auid=1001 uid=1001 gid=1001 ses=4 pid=11763 comm="sed" exe="/bin/sed" sig=31 arch=c000003e syscall=93 compat=0 ip=0x7f8428874a77 code=0x0
[  +0.001342] audit: type=1400 audit(1463113859.691:233): apparmor="DENIED" operation="exec" profile="snap.todo-txt.test-sed" name="/bin/chown" pid=11764 comm="test-sed.sh" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0
[  +0.000100] audit: type=1400 audit(1463113859.691:234): apparmor="DENIED" operation="open" profile="snap.todo-txt.test-sed" name="/bin/chown" pid=11764 comm="test-sed.sh" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0

michael@dev-xenial2:~/dev/todo.txt⟫ scmp_sys_resolver 93
fchown

** Affects: snapd (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1581310

Title:
  ubuntu-core doesn't allow sed -i (fchown syscall)
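
A triage helper for the dmesg lines in the report, added here as an example and not part of the original report or of snapd: it separates seccomp records (type=1326, carrying the syscall number and sig=31, SIGSYS) from AppArmor records (type=1400). The syscall table is a partial, assumed mapping that holds only x86_64 syscall 93 = fchown, as resolved by scmp_sys_resolver in the report; the function names are illustrative.

```python
import re

# Sample input: the three audit records from the report, unwrapped to one line each.
SAMPLE = """\
[ +39.843825] audit: type=1326 audit(1463113859.687:232): auid=1001 uid=1001 gid=1001 ses=4 pid=11763 comm="sed" exe="/bin/sed" sig=31 arch=c000003e syscall=93 compat=0 ip=0x7f8428874a77 code=0x0
[  +0.001342] audit: type=1400 audit(1463113859.691:233): apparmor="DENIED" operation="exec" profile="snap.todo-txt.test-sed" name="/bin/chown" pid=11764 comm="test-sed.sh" requested_mask="x" denied_mask="x" fsuid=1001 ouid=0
[  +0.000100] audit: type=1400 audit(1463113859.691:234): apparmor="DENIED" operation="open" profile="snap.todo-txt.test-sed" name="/bin/chown" pid=11764 comm="test-sed.sh" requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
"""

AUDIT_SECCOMP = 1326  # linux/audit.h: seccomp action record
AUDIT_AVC = 1400      # LSM access record, used here by AppArmor
# Assumed partial table: only the entry this report needs. c000003e = AUDIT_ARCH_X86_64.
SYSCALLS = {"c000003e": {93: "fchown"}}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse(line):
    """Return the key=value fields of one kernel audit line, or None."""
    m = re.search(r"audit: (type=\d+) audit\(([\d.]+):(\d+)\): (.*)", line)
    if not m:
        return None
    pairs = FIELD.findall(m.group(1) + " " + m.group(4))
    fields = {k: v.strip('"') for k, v in pairs}
    fields["serial"] = m.group(3)
    return fields

def classify(line):
    """Return (mechanism, comm, what, detail) for one audit line."""
    f = parse(line)
    if f is None:
        return None
    rec_type = int(f["type"])
    if rec_type == AUDIT_SECCOMP:
        nr = int(f["syscall"])
        name = SYSCALLS.get(f.get("arch"), {}).get(nr, f"syscall#{nr}")
        return ("seccomp", f.get("comm", "?"), name, f"sig={f.get('sig', '?')}")
    if rec_type == AUDIT_AVC and "apparmor" in f:
        detail = f"{f.get('name', '-')} ({f.get('denied_mask', '-')})"
        return ("apparmor", f.get("comm", "?"), f.get("operation", "?"), detail)
    return ("other", f.get("comm", "?"), f["type"], "")

def triage(text):
    """Classify every audit line in a dmesg excerpt, skipping other lines."""
    return [row for row in map(classify, text.splitlines()) if row]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```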
