Public bug reported:

Hi All,

I would like to use AppArmor to confine a user that just has the permission to restart apache2, according to http://wiki.apparmor.net/index.php/RBAC_2_0#How_can_AppArmor_be_combined_with_sudo_to_provide_RBAC.3F

I created a hard link of SHELL and used aa-genprof /bin/ashell and updated it using aa-logprof. Then edited the sudo file:

    user ALL=(ALL:ALL) /bin/ashell

Everything worked fine. But later I found a problem: the user can kill processes whose owner is root, e.g. ssh (can't kill the ntp process because its owner is ntp).

Below is the profile:

    #include <tunables/global>
    /bin/ashell {
      #include <abstractions/apache2-common>
      #include <abstractions/base>
      #include <abstractions/ubuntu-konsole>

      capability dac_override,
      capability setgid,
      capability setuid,
      capability sys_ptrace,
      capability sys_resource,

      /bin/cat rix,
      /bin/grep rix,
      /bin/lesspipe rix,
      /bin/ls rix,
      /bin/mkdir rix,
      /bin/plymouth rix,
      /bin/rm rix,
      /bin/sed rix,
      /bin/sleep rix,
      /bin/songbash mr,
      /bin/uname rix,
      /etc/apache2/apache2.conf r,
      /etc/apache2/conf.d/ r,
      /etc/apache2/conf.d/* r,
      /etc/apache2/envvars r,
      /etc/apache2/httpd.conf r,
      /etc/apache2/mods-available/* r,
      /etc/apache2/mods-enabled/ r,
      /etc/apache2/ports.conf r,
      /etc/apache2/sites-available/default r,
      /etc/apache2/sites-enabled/ r,
      /etc/bash.bashrc r,
      /etc/bash_completion r,
      /etc/bash_completion.d/ r,
      /etc/default/apache2 r,
      /etc/default/rcS r,
      /etc/init.d/apache2 rix,
      /etc/inputrc r,
      /etc/lsb-base-logging.sh r,
      /etc/mime.types r,
      /home/*/.bash_history rw,
      /home/*/.bashrc r,
      /proc/ r,
      /proc/*/cmdline r,
      /proc/*/stat r,
      /proc/cmdline r,
      /run/apache2.pid rw,
      /run/apache2/ r,
      /run/apache2/cgisock.14207 w,
      /run/apache2/cgisock.14258 w,
      /run/apache2/cgisock.14300 w,
      /run/lock/apache2/ r,
      /sbin/killall5 rix,
      /usr/bin/basename rix,
      /usr/bin/dircolors rix,
      /usr/bin/dirname rix,
      /usr/bin/env rix,
      /usr/bin/expr rix,
      /usr/bin/groups rix,
      /usr/bin/install rix,
      /usr/bin/tput rix,
      /usr/bin/tr rix,
      /usr/lib/apache2/mpm-worker/apache2 rix,
      /usr/lib{,32,64}/** mr,
      /usr/sbin/apache2ctl rix,
      /usr/sbin/service rix,
      /usr/share/GeoIP/GeoIP.dat r,
      /var/log/apache2/access.log w,
      /var/log/apache2/error.log w,
      /var/log/apache2/other_vhosts_access.log w,
      /var/log/apache2/write.log w,
    }

** Affects: apparmor (Ubuntu)
   Importance: Undecided
   Status: New

https://bugs.launchpad.net/bugs/1089242
Title: apparmor RBAC kill command issue

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
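An added example, not part of the bug report and not AppArmor project code: a small Python audit script that parses the rule types the profile above uses (includes, capability rules, file rules, signal rules) and lists the grants a reviewer should look at when the confined program is a shell that sudo runs as root. The embedded profile text is a constructed, trimmed excerpt of the report's profile; the finding messages and the BROAD_CAPS and SIGNAL_TOOLS tables are the script's own choices. The two signal findings follow the kernel's rule that sending a signal to a process with a different uid requires CAP_KILL (which this profile does not grant, so the ntp-owned process is protected), while a root-to-root signal needs no capability at all, and a profile with no signal rules leaves it alone.

```python
"""Audit an AppArmor profile for grants that matter when the confined
program is an interactive shell that sudo runs as root (added example,
not part of the bug report or of the AppArmor project)."""
import re

# Constructed excerpt of the /bin/ashell profile from the report: the
# capability lines are kept as reported, the file rules are trimmed.
PROFILE_TEXT = """\
#include <tunables/global>
/bin/ashell {
  #include <abstractions/apache2-common>
  #include <abstractions/base>
  capability dac_override,
  capability setgid,
  capability setuid,
  capability sys_ptrace,
  capability sys_resource,
  /bin/cat rix,
  /bin/rm rix,
  /etc/init.d/apache2 rix,
  /proc/*/stat r,
  /sbin/killall5 rix,
  /usr/lib{,32,64}/** mr,
  /usr/sbin/apache2ctl rix,
  /var/log/apache2/error.log w,
}
"""

HEADER_RE = re.compile(r"^\s*(/\S+)\s*\{")
INCLUDE_RE = re.compile(r"^\s*#include\s+<([^>]+)>")
CAP_RE = re.compile(r"^\s*capability\s+(\w+)\s*,")
SIGNAL_RE = re.compile(r"^\s*signal\b")
FILE_RE = re.compile(r"^\s*(/\S+)\s+([a-zA-Z]+)\s*,")

# Capabilities that give a root shell reach well beyond restarting apache2
# (reviewer's own selection for this example).
BROAD_CAPS = {
    "dac_override": "bypasses file read/write/execute permission checks",
    "sys_ptrace": "can trace other processes and read their memory",
    "setuid": "can switch to any uid",
    "setgid": "can switch to any gid",
    "sys_admin": "wide range of administrative operations",
}
# Binaries whose job is sending signals (example list, not exhaustive).
SIGNAL_TOOLS = {"/sbin/killall5", "/bin/kill", "/usr/bin/kill",
                "/usr/bin/killall", "/usr/bin/pkill"}


def parse_profile(text):
    """Return the profile name, includes, capabilities, file rules and
    whether any signal rule is present."""
    out = {"name": None, "includes": [], "capabilities": [],
           "files": [], "has_signal_rules": False}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m and out["name"] is None:
            out["name"] = m.group(1)
            continue
        m = INCLUDE_RE.match(line)
        if m:
            out["includes"].append(m.group(1))
            continue
        m = CAP_RE.match(line)
        if m:
            out["capabilities"].append(m.group(1))
            continue
        if SIGNAL_RE.match(line):
            out["has_signal_rules"] = True
            continue
        m = FILE_RE.match(line)
        if m:
            out["files"].append((m.group(1), m.group(2)))
    return out


def audit(profile, runs_as_root=True):
    """List the grants worth a reviewer's attention; one string per finding."""
    findings = []
    caps = set(profile["capabilities"])
    for cap in sorted(caps & set(BROAD_CAPS)):
        findings.append(f"capability {cap}: {BROAD_CAPS[cap]}")
    if runs_as_root and "kill" not in caps:
        findings.append("cross-uid signals: denied (no 'capability kill'), "
                        "so processes of other users cannot be killed")
    if runs_as_root and not profile["has_signal_rules"]:
        findings.append("same-uid signals: allowed (root-to-root signals need "
                        "no capability and the profile has no signal rules)")
    for path, perms in profile["files"]:
        if path in SIGNAL_TOOLS and "x" in perms:
            findings.append(f"{path} {perms}: signal-sending tool is executable")
        if "**" in path and ("w" in perms or "x" in perms):
            findings.append(f"{path} {perms}: recursive glob with write/exec")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_profile(PROFILE_TEXT)):
        print(finding)
```

Run it against a full profile file by replacing PROFILE_TEXT with the file's contents; the useful output for the report's case is the pair of signal findings, which explain why ssh (root-owned) can be killed while ntp cannot.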
