"deny capability chown" was initially added for the PID file, see [1].
Failing to chown the PID or the control socket is only logged at a higher
log level, specifically to not generate noise when the chown capability
isn't available, see [2,3]. The "capability fowner" was removed based on
[4].

Currently, the unbound control socket is only accessible to root
requiring one to use "sudo unbound-control" (aka the bug at hand):

  $ ll /run/unbound.ctl 
  srw-rw---- 1 root root 0 Feb 23 18:40 /run/unbound.ctl=

Re-introducing the chown/fowner caps would give us:

  $ ll /run/unbound.ctl
  srw-rw---- 1 unbound unbound 0 Feb 23 18:38 /run/unbound.ctl=

which would fix the bug at the expense of those additional caps.

I'd vote in favor of re-introducing the capability for the sake of not
having AppArmor "getting in the way". If that's OK with everyone, I'd
send the patch to Debian as well.


1: https://code.launchpad.net/~sdeziel/apparmor-profiles/unbound-refresh/+merge/282230
2: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=734
3: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1332
4: https://lists.ubuntu.com/archives/apparmor/2016-January/009278.html


** Bug watch added: www.nlnetlabs.nl/bugs-script/ #734
   http://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=734

** Bug watch added: www.nlnetlabs.nl/bugs-script/ #1332
   http://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=1332
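Since unbound itself stays quiet about the failed chown unless its verbosity is raised, the place to confirm the diagnosis above is the AppArmor audit log. The script below is an added example, not code from the bug report or from the unbound or apparmor-profiles projects: it parses `apparmor="DENIED" operation="capable"` audit lines, lists the capabilities the profile is missing as ready-to-paste `capability ...,` rules, and checks whether a control socket is owned by the expected user. The audit lines are constructed for this example (capability numbers are the Linux values CAP_CHOWN=0 and CAP_FOWNER=3); the socket path `/run/unbound.ctl` and user `unbound` are taken from the report and are assumptions about the local install.

```python
"""Triage AppArmor capability denials for the unbound profile.

Added example, not part of the original bug report or of any project.
"""
import os
import pwd
import re
import socket
import stat
import tempfile
from collections import defaultdict

# Constructed sample lines in the shape the kernel logs for AppArmor
# denials (syslog timestamp/hostname prefix omitted).
SAMPLE_AUDIT_LOG = """\
audit: type=1400 audit(1519407600.101:301): apparmor="DENIED" operation="capable" profile="/usr/sbin/unbound" pid=1234 comm="unbound" capability=0  capname="chown"
audit: type=1400 audit(1519407600.102:302): apparmor="DENIED" operation="capable" profile="/usr/sbin/unbound" pid=1234 comm="unbound" capability=3  capname="fowner"
audit: type=1400 audit(1519407600.103:303): apparmor="ALLOWED" operation="capable" profile="/usr/sbin/unbound" pid=1234 comm="unbound" capability=0  capname="chown"
audit: type=1400 audit(1519407601.500:304): apparmor="DENIED" operation="open" profile="/usr/sbin/unbound" name="/etc/shadow" pid=1234 comm="unbound" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bareword
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_audit_line(line):
    """Return the key=value fields of one AppArmor audit line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def denied_capabilities(log_text):
    """Map profile name -> sorted capability names that were DENIED.

    ALLOWED (complain-mode) lines and non-capability denials are skipped.
    """
    denied = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_audit_line(line)
        if f.get("apparmor") == "DENIED" and f.get("operation") == "capable":
            denied[f["profile"]].add(f["capname"])
    return {profile: sorted(caps) for profile, caps in denied.items()}


def profile_lines(capnames):
    """Render the AppArmor rules that would grant the given capabilities."""
    return ["  capability %s," % name for name in capnames]


def check_ctl_socket(path, expected_user):
    """Return (ok, owner) for the control socket at `path`.

    ok is True only if `path` is a Unix socket owned by `expected_user`,
    i.e. what the report shows after the chown succeeds.
    """
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    return (stat.S_ISSOCK(st.st_mode) and owner == expected_user, owner)


def current_user():
    """Name of the user running this script."""
    return pwd.getpwuid(os.getuid()).pw_name


def demo_socket_ownership():
    """Self-check: bind a throwaway Unix socket and verify its ownership."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "ctl")
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        sock.bind(path)
        return check_ctl_socket(path, current_user())
    finally:
        sock.close()
        os.unlink(path)
        os.rmdir(tmpdir)


if __name__ == "__main__":
    for profile, caps in denied_capabilities(SAMPLE_AUDIT_LOG).items():
        print("%s is missing:" % profile)
        print("\n".join(profile_lines(caps)))
    ctl = "/run/unbound.ctl"  # assumed path, from the report
    if os.path.exists(ctl):
        ok, owner = check_ctl_socket(ctl, "unbound")
        print("%s owned by %s: %s" % (ctl, owner, "ok" if ok else "NOT ok"))
```

On a live host, feed it `journalctl -k` or `/var/log/audit/audit.log` instead of the constructed sample; a `capable` denial for `chown` with no matching `unbound` log line is exactly the silent failure mode the report describes.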

https://bugs.launchpad.net/bugs/1749931

Title:
  unbound-control local socket broken by apparmor
