Cups rightfully includes nameservices like:
    #include <abstractions/nameservice>

After our analysis in bug 1890858 I think it is fair to request an SRU
to update apparmor in Focal (only needed there, see bug 1890858 for
details), as it would fix this element in Cups and actually in many
other potential places as well.

Adding "unix (bind) type=dgram addr=@userdb-*," in
abstractions/nameservice in Focal seems right to me.

---

Furthermore abstractions/nameservice already wants to allow sssd:

    # When using sssd, the passwd and group files are stored in an alternate path
    # and the nss plugin also needs to talk to a pipe
    /var/lib/sss/mc/group   r,
    /var/lib/sss/mc/initgroups r,
    /var/lib/sss/mc/passwd  r,
    /var/lib/sss/pipes/nss  rw,

I don't know if
  /var/lib/sss/pipes/private/pam rw,
is a default configuration nor if it would be a safe path to allow.
But it could pretty much be.

If ok this one would likely be needed/wanted in >=Bionic into
abstractions/nameservice

---

Both changes IMHO would have to be done by the security Team in regard
to the apparmor package, therefore I'll add a bug task for this and
assign them to have a look.

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: apparmor (Ubuntu)
     Assignee: (unassigned) => Ubuntu Security Team (ubuntu-security)

https://bugs.launchpad.net/bugs/1932537

Title:
  CUPS + SSSD: cannot access local CUPS web interface with domain user
  (apparmor problem)

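To see which denials the two rules discussed in this comment would actually cover before widening abstractions/nameservice, the following added example (not part of the original report or of the apparmor package) triages AppArmor DENIED audit lines against them. The log lines are constructed samples, the profile name /usr/sbin/cupsd and the helper names are assumptions, and fnmatch stands in for AppArmor's own glob matching.

```python
import re
from fnmatch import fnmatchcase

# The unix rule proposed in the report, reduced to the fields this sketch matches.
UNIX_RULE = {"operation": "bind", "sock_type": "dgram", "addr": "@userdb-*"}
PATH_RULES = {
    "/var/lib/sss/pipes/nss": "rw",          # already in abstractions/nameservice
    "/var/lib/sss/pipes/private/pam": "rw",  # proposed; safety still an open question
}
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED audit line, else None."""
    fields = {k: (q if q else b) for k, q, b in KV.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

def covered_by(fields):
    """Name the discussed rule that would permit this denial, or None."""
    if fields.get("family") == "unix":
        if all(fnmatchcase(fields.get(k, ""), v) for k, v in UNIX_RULE.items()):
            return "unix (bind) type=dgram addr=@userdb-*,"
        return None
    perms = PATH_RULES.get(fields.get("name", ""))
    if perms and set(fields.get("denied_mask") or "x") <= set(perms):
        return f"{fields['name']} {perms},"
    return None

def triage(lines, profile="/usr/sbin/cupsd"):
    """List (target, covering rule or None) for each denial of the given profile."""
    out = []
    for line in lines:
        f = parse_denial(line)
        if f and f.get("profile") == profile:
            out.append((f.get("addr") or f.get("name"), covered_by(f)))
    return out

# Constructed sample audit lines, for illustration only.
SAMPLE = [
    'type=1400 audit(1623950000.101:201): apparmor="DENIED" operation="bind" profile="/usr/sbin/cupsd" pid=1201 comm="cupsd" family="unix" sock_type="dgram" protocol=0 requested_mask="bind" denied_mask="bind" addr="@userdb-0123abcd"',
    'type=1400 audit(1623950000.102:202): apparmor="DENIED" operation="connect" profile="/usr/sbin/cupsd" name="/var/lib/sss/pipes/private/pam" pid=1201 comm="cupsd" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0',
    'type=1400 audit(1623950000.103:203): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/run/example/unrelated" pid=1201 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
    'type=1400 audit(1623950000.104:204): apparmor="DENIED" operation="open" profile="/usr/sbin/other" name="/var/lib/sss/pipes/nss" pid=1300 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0',
]

if __name__ == "__main__":
    for target, rule in triage(SAMPLE):
        print(f"{target}: {rule or 'not covered by the discussed rules'}")
```

A denial that comes back with no covering rule is outside the scope of this proposal and needs its own review rather than a broader abstraction.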