Kinetic is EOL.
** Changed in: apparmor (Ubuntu Kinetic)
Status: Fix Committed => Won't Fix
--
https://bugs.launchpad.net/bugs/1993572
Title:
samba profile: missing rule for mkdir /var/cache/samba/printing
Status in apparmor package in Ubuntu:
Fix Released
Status in apparmor source package in Kinetic:
Won't Fix
Bug description:
[ Impact ]
Users who chose to:
a) install apparmor-profiles (a package with extra optional apparmor
profiles, including samba)
b) change the samba related profiles from complain (the default) to
enforce mode
will find out that sharing a printer in samba and using it won't
work.
In and of itself this is *definitely* not worth an SRU for apparmor, which
impacts all users of Ubuntu (because it's installed everywhere). But,
if apparmor is to be updated for another more important reason, then
this fix could be bundled together with it. Therefore I'm adding the
block-proposed-kinetic tag to this bug.
[ Test Plan ]
sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
sudo apt install samba smbclient cups cups-client
Set a password for the samba "root" user:
printf "root\nroot\n" | sudo smbpasswd -a root
Create a fake printer:
sudo lpadmin -p testprinter -E -v /dev/null
Check it's there:
sudo lpstat -l -p testprinter
Probe it via samba:
rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
(some printer related output, or even an error, doesn't matter)
Check dmesg and look for an apparmor ALLOWED message:
[497031.827841] audit: type=1400 audit(1669215188.733:555): apparmor="ALLOWED" operation="mkdir" class="file" namespace="root//lxd-l-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=388168 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000
With the updated package, there should be no apparmor message for
samba-rpcd-spoolss.
NOTE: since, for this test, we are not switching the apparmor profile
to enforce mode, this means that the mkdir attempted by rpcd_spoolss
will succeed, and if you try the rpcclient command one more time,
there will be no further apparmor messages about it in the logs.
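The test plan above boils down to "scan dmesg for audit lines from the samba-rpcd-spoolss profile". The script below is an added example (not part of this bug report or of the apparmor package) that parses AppArmor audit messages into their key=value fields, filters them by profile, and reports whether a profile is clean, i.e. produced neither ALLOWED nor DENIED events. The sample dmesg text is constructed from the messages quoted in this report; the mask-to-permission mapping used by suggest_rule() (create/delete audit masks covered by "w") is an assumption about AppArmor semantics, not the rule that was actually committed.

```python
"""Parse AppArmor audit lines from dmesg and check a profile for events.

Added example, not the bug report's own tooling. SAMPLE_DMESG is constructed
from the messages quoted in the report; the MASK_TO_PERM table is an
assumption about how audit mask letters map to profile permissions.
"""
import re
import sys

# Constructed sample dmesg output: an ALLOWED event (profile in complain
# mode), a DENIED event (profile in enforce mode) for the samba-rpcd-spoolss
# profile, and one unrelated event from a different profile.
SAMPLE_DMESG = """\
[497031.827841] audit: type=1400 audit(1669215188.733:555): apparmor="ALLOWED" operation="mkdir" class="file" namespace="root//lxd-l-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=388168 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000
[497032.000000] audit: type=1400 audit(1669215189.000:556): apparmor="DENIED" operation="mkdir" class="file" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000
[497033.000000] audit: type=1400 audit(1669215190.000:557): apparmor="DENIED" operation="open" class="file" profile="smbd" name="/var/log/samba/log.smbd" pid=4242 comm="smbd" requested_mask="w" denied_mask="w" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted (may contain spaces) or a
# bare token such as pid=388168.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Assumption: AppArmor audit masks "c" (create) and "d" (delete) are granted
# by the "w" permission in a profile rule; the other letters map 1:1.
MASK_TO_PERM = {"r": "r", "w": "w", "a": "a", "c": "w", "d": "w",
                "k": "k", "l": "l", "m": "m", "x": "x"}


def parse_apparmor_events(text):
    """Return one dict of fields per AppArmor audit line in `text`."""
    events = []
    for line in text.splitlines():
        if 'apparmor="' not in line:
            continue  # not an AppArmor audit message
        fields = {}
        for match in FIELD_RE.finditer(line):
            key, raw, quoted = match.group(1), match.group(2), match.group(3)
            fields[key] = quoted if quoted is not None else raw
        events.append(fields)
    return events


def events_for_profile(text, profile):
    """All ALLOWED/DENIED events attributed to `profile`."""
    return [e for e in parse_apparmor_events(text) if e.get("profile") == profile]


def profile_is_clean(text, profile):
    """True when `profile` logged no events: what the test plan expects
    after the fixed package is installed."""
    return not events_for_profile(text, profile)


def suggest_rule(event):
    """Candidate profile rule for one file event, e.g. '/path/ w,'.
    Uses denied_mask if present, else requested_mask (assumed mapping)."""
    mask = event.get("denied_mask") or event.get("requested_mask", "")
    perms = "".join(sorted({MASK_TO_PERM.get(ch, ch) for ch in mask}))
    return f'{event["name"]} {perms},'


if __name__ == "__main__":
    # Usage: dmesg | python3 aa_check.py samba-rpcd-spoolss
    # (with no stdin data, the constructed sample is scanned instead)
    profile = sys.argv[1] if len(sys.argv) > 1 else "samba-rpcd-spoolss"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DMESG
    for ev in events_for_profile(text, profile):
        print(f'{ev["apparmor"]:8} {ev["operation"]:8} {ev["name"]}  ->  {suggest_rule(ev)}')
    print("clean" if profile_is_clean(text, profile) else "events found")
```

On a real system, pipe `sudo dmesg` into the script instead of relying on the embedded sample; an empty event list for samba-rpcd-spoolss is the pass condition of the test plan, while a DENIED line is the symptom described in the original report.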
[ Where problems could occur ]
This change is adding an apparmor rule to a samba-related apparmor
profile. Without this rule (and with the apparmor profile in enforce
mode), printing does not work, so regressing that aspect of it is
hard.
Maybe some exotic future security vulnerability could take advantage
of this new apparmor rule which allows writing to (and therefore
deleting from) /var/cache/samba/printing.
What's more likely perhaps (but still rare) is that an apparmor
upgrade, which triggers all apparmor profiles to be reloaded, would
find some error in an existing profile and fail to load it, and
perhaps stop loading all other profiles after that, perhaps leaving
the system without confinement. But this should be caught by the
upgrade process since postinst would exit non-zero (hopefully).
[ Other Info ]
Not at this time.
[Original Description]
After the fix for bug #1990692, one more rule is needed it seems.
I put all samba profiles in enforce mode, and when I ran that final
rpcclient command, got an error and an apparmor denied message:
Prep:
sudo apt install apparmor-profiles apparmor-utils apparmor-profiles-extra
sudo apt install samba smbclient cups cups-client
Set a password for the samba "root" user:
printf "root\nroot\n" | sudo smbpasswd -a root
Create a fake printer:
sudo lpadmin -p testprinter -E -v /dev/null
Check it's there:
sudo lpstat -l -p testprinter
$ rpcclient -Uroot%root localhost -c 'getprinter testprinter 2'
cli_rpc_pipe_open_noauth: rpc_pipe_bind for pipe spoolss failed with error NT_STATUS_CONNECTION_DISCONNECTED
do_cmd: Could not initialise spoolss. Error was NT_STATUS_CONNECTION_DISCONNECTED
[qua out 19 14:42:36 2022] audit: type=1400 audit(1666201357.627:342): apparmor="DENIED" operation="mkdir" class="file" namespace="root//lxd-k-samba-apparmor_<var-snap-lxd-common-lxd>" profile="samba-rpcd-spoolss" name="/var/cache/samba/printing/" pid=129107 comm="rpcd_spoolss" requested_mask="c" denied_mask="c" fsuid=1000000 ouid=1000000
And indeed, that directory wasn't created:
$ l /var/cache/samba/printing
ls: cannot access '/var/cache/samba/printing': No such file or directory
$ l /var/cache/samba/
total 16K
drwxr-xr-x 1 root root 48 Oct 19 17:42 .
drwxr-xr-x 1 root root 170 Oct 19 17:41 ..
-rw-r--r-- 1 root root 166 Oct 19 17:42 browse.dat
-rw-r--r-- 1 root root 8.7K Oct 19 17:42 smbprofile.tdb