Public bug reported:

Hi,

I am just trying to install ejabberd in a fresh Ubuntu 16.04 LXD
container running on a 16.10 host.

I found that I cannot run ejabberdctl directly as root:

# ejabberdctl
/usr/sbin/ejabberdctl: line 428: 2886 Segmentation fault $EXEC_CMD "$CMD"

strace reveals what happens:

2861 execve("/bin/su", ["su", "ejabberd", "-c", "/usr/bin/erl -sname
ctl-2841-ejabberd -noinput -hidden -s ejabberd_ctl -extra
ejabberd "], [/* 23 vars */]) = -1 EACCES (Permission denied)
2861 --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} ---
2861 +++ killed by SIGSEGV +++

It is not allowed to execute su to become ejabberd, because apparmor does not
allow this:

[ 7827.594020] audit: type=1400 audit(1485515038.865:156): apparmor="DENIED"
operation="file_mmap" namespace="root//lxd-ansitest_<var-lib-lxd>"
profile="/usr/sbin/ejabberdctl//su" name="/bin/su" pid=12861 comm="su"
requested_mask="m" denied_mask="m" fsuid=165536 ouid=165536

But if I do it the other way round (i.e. su outside of ejabberdctl), it
works:

su ejabberd -c ejabberdctl

since then the su is not covered by the apparmor profile of ejabberdctl.

Is that behaviour intended?

** Affects: ejabberd (Ubuntu)
     Importance: Undecided
         Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1659801
Title:
apparmor rules block ejabberdctl
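
A sketch of triaging the denial quoted in this report, as an added example that is not part of the original bug report or of AppArmor's own tooling: it parses apparmor="DENIED" audit records and groups them by namespace, profile and path. The function names and the two extra sample lines are constructed for illustration, and the candidate rule is only text for a reviewer to consider, not the package's fix.

```python
import re

# The denial quoted in the report, re-joined onto one line.
REPORTED = ('[ 7827.594020] audit: type=1400 audit(1485515038.865:156): '
            'apparmor="DENIED" operation="file_mmap" '
            'namespace="root//lxd-ansitest_<var-lib-lxd>" '
            'profile="/usr/sbin/ejabberdctl//su" name="/bin/su" pid=12861 '
            'comm="su" requested_mask="m" denied_mask="m" '
            'fsuid=165536 ouid=165536')
# Constructed lines (not from the report): a second mask and a non-denial.
CONSTRUCTED = [
    REPORTED.replace('"file_mmap"', '"open"').replace('_mask="m"', '_mask="r"'),
    REPORTED.replace('"DENIED"', '"ALLOWED"'),
]

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of a DENIED record, else None."""
    fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in FIELD.finditer(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def summarize(lines):
    """Group denials by (namespace, profile, path), merging denied masks."""
    grouped = {}
    for line in lines:
        d = parse_denial(line)
        if d is None or "name" not in d or "profile" not in d:
            continue
        key = (d.get("namespace", ""), d["profile"], d["name"])
        grouped.setdefault(key, set()).update(d.get("denied_mask", ""))
    report = []
    for (ns, profile, path), masks in sorted(grouped.items()):
        parent, _, child = profile.partition("//")  # "//" separates a child profile
        perms = "".join(sorted(masks))
        report.append({
            "namespace": ns, "parent": parent, "child": child or None,
            "path": path, "denied": perms,
            # File-rule syntax is "<path> <perms>,"; a candidate for review only.
            "candidate_rule": f"{path} {perms},",
        })
    return report

if __name__ == "__main__":
    for row in summarize([REPORTED] + CONSTRUCTED):
        print(row)
```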