There are some options:
- Use traditional Unix groups to grant that user write access to the Apache
configuration files
- Use setfacl to grant that user write access to the Apache configuration files
These have the benefit of being simple.
- Allow sudo access to 'vim' or other favorite $EDITOR and use an
AppArmor "child profile" to confine what vim can do.
This has the benefit of not requiring permissions changes to
/etc/apache/, though it does mean someone may figure a way to use vim's
built-in scripting tools to kill root-owned processes still.
The child profile would look something like this:
  /bin/ashell {
    # ...
    /usr/bin/vim Cx -> vim,
    profile vim {
      /usr/bin/vim ix,
      # .. libs, online help, ~/.vimrc, etc
      /etc/apache/** rw,
    }
  }
The child profile for the editor is just an attempt to reduce the
available tools for sending signals -- there's no more easy shell-
builtin available, though I wouldn't be surprised if vim makes a 'kill'
available somewhere.
This is an area where SELinux provides better confinement than AppArmor,
and it is something we're working on.
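A fuller version of the child-profile idea sketched above, added here as an example; it is not the profile from the post or anything shipped by the apparmor package, and the wrapper name /bin/ashell, the sudoers user, the abstraction choices and the vim.basic path are assumptions. The signal rules at the end only work on AppArmor releases newer than the one this bug is about.

```apparmor
# /etc/apparmor.d/bin.ashell  (added example; wrapper name, user name and
# abstraction choices are assumptions, not the original post's profile)
# Pair it with a sudoers entry that allows only the wrapper, for example
#   webadmin ALL=(root) /bin/ashell
# so the user gets a confined editor rather than a root shell.
#include <tunables/global>

/bin/ashell {
  #include <abstractions/base>
  /bin/ashell mr,

  # The wrapper may run nothing but vim, and vim lands in the child profile
  # below (Cx = child-profile transition, environment scrubbed). On Ubuntu
  # /usr/bin/vim is an alternatives symlink and AppArmor matches the
  # resolved path, so the real binary is listed as well.
  /usr/bin/vim Cx -> vim,
  /usr/bin/vim.basic Cx -> vim,

  profile vim {
    #include <abstractions/base>
    #include <abstractions/nameservice>

    /usr/bin/vim ix,
    /usr/bin/vim.basic ix,
    /usr/share/vim/** r,
    /etc/vim/* r,
    owner @{HOME}/.vimrc r,
    owner @{HOME}/.viminfo rw,
    owner /tmp/** rw,

    # What the web admin may maintain (the post writes /etc/apache/; the
    # Ubuntu directory is /etc/apache2/). Swap files land here as well.
    /etc/apache2/ r,
    /etc/apache2/** rw,

    # :!cmd, :shell and :terminal all exec a shell. Nothing here grants x
    # on one, so the exec fails; "audit" turns every attempt into a logged
    # DENIED event, which is the detection signal for abuse of the wrapper.
    audit deny /bin/** x,
    audit deny /usr/bin/{sh,bash,dash,zsh,python*,perl*} x,

    # Signals are not mediated by the AppArmor release this bug is about.
    # On releases that do mediate them (2.9+ with kernel support) anything
    # not listed is refused, so vim can signal only itself and can still
    # be stopped by an unconfined admin; on older releases apparmor_parser
    # rejects these two lines and they must be dropped.
    signal (send, receive) peer=/bin/ashell//vim,
    signal (receive) peer=unconfined,
  }
}
```

Load it with `apparmor_parser -r /etc/apparmor.d/bin.ashell`, then try `:!id` inside the editor and confirm an `apparmor="DENIED"` line shows up in dmesg or the audit log.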
Thanks
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1089242
Title:
apparmor RBAC kill command issue
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs