Upstream apparmor fix at https://gitlab.com/apparmor/apparmor/-/merge_requests/1819. I intend to SRU this fix in as a bundle along with other AppArmor fixes.
** Description changed:

+ [ Impact ]
+
+ tnftp is unable to access the ~/.netrc configuration file, which it uses
+ in order to load login information and automatically login to FTP
+ servers as stored in the config. Without this config, automatic login
+ functionality is broken.
+
+ [ Test Plan ]
+
+ On a (Plucky|Questing|Resolute) machine,
+ - Install tnftp, if it isn't installed already
+ - Create a ~/.netrc file and populate it with the line "default login anonymous password user@site".
+ - Attempt to download a file using FTP, e.g. `tnftp ftp://mirror.us.leaseweb.net/ubuntu-releases/robots.txt`
+ - Without the patch: tnftp is unable to read ~/.netrc and generates a permission denial error
+ - With the patch: tnftp is able to read and use ~/.netrc
+
+ [ Where problems could occur ]
+
+ The additions to the tnftp profile are loosening confinement. However,
+ if a user manually modified the installed profiles, then the package
+ upgrade would cause conflicts, and rejection of the incoming changes
+ (either by hand during an interactive upgrade or automatically during an
+ batch unattended upgrade) would result in end users not getting the
+ packaged fix.
+
+ [ Other Info ]
+
+ -------Original report:
+
  Version of Ubuntu: 25.04

  Version of tnftp: 20230507-2build3

  What is expected to happen: FTP credentials are put in the file $HOME/.netrc with permissions 600, and are read by tnftp to log in to the remote server.
  What happens: On starting tnftp it attempts to open the file $HOME/.netrc which fails with the following error message:

  ftp: Can't read `.netrc': Permission denied

  Origin of the bug: I tracked it down to the default AppArmor policy in /etc/apparmor.d/abstractions/private-files and specifically the block:

- # don't allow reading/updating of run control files
- deny @{HOME}/.*rc mrk,
+ # don't allow reading/updating of run control files
+ deny @{HOME}/.*rc mrk,

  Proposed bug fix: Add the following line to the tnftp AppArmor policy:

- priority=100 allow owner @{HOME}/.netrc r,
+ priority=100 allow owner @{HOME}/.netrc r,

  The priority=100 is necessary because `deny` executes after `allow`.

--
https://bugs.launchpad.net/bugs/2127491

Title:
  AppArmor policy prevents reading from $HOME/.netrc
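Review bot: The [ Test Plan ] steps only confirm the positive case, that tnftp can read ~/.netrc once the patch is installed. Since [ Where problems could occur ] states that the profile additions loosen confinement, add a step showing that another run control file covered by `deny @{HOME}/.*rc mrk,` is still denied to tnftp after the upgrade. The plan should also create ~/.netrc with the 600 permissions named in the original report, so the test setup matches the reported configuration.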
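The rule interaction described in the report, as an added example that is not part of the bug report or of AppArmor's own code: a simplified Python model of how the `deny @{HOME}/.*rc mrk,` rule and the proposed `priority=100 allow` rule resolve for one path and permission. It assumes that higher-priority rules override lower ones and that a deny wins at equal priority; `HOME` is a constructed path, the `owner` qualifier is parsed but not enforced, and all function names are hypothetical.

```python
import re

HOME = "/home/alice"  # constructed stand-in for AppArmor's @{HOME} variable

# Rules quoted in the bug report, plus the same allow without a priority.
DENY_RC = "deny @{HOME}/.*rc mrk,"
PLAIN_ALLOW = "allow owner @{HOME}/.netrc r,"
FIXED_ALLOW = "priority=100 allow owner @{HOME}/.netrc r,"

RULE_RE = re.compile(
    r"(?:priority=(-?\d+)\s+)?(allow|deny)\s+(?:owner\s+)?(\S+)\s+(\w+),")


def glob_to_regex(glob):
    """Translate the glob subset used here; '*' never crosses a '/'."""
    parts = ("[^/]*" if ch == "*" else re.escape(ch)
             for ch in glob.replace("@{HOME}", HOME))
    return re.compile("".join(parts) + r"\Z")


def parse_rule(line):
    """Parse '[priority=N] allow|deny [owner] PATH PERMS,' (owner not enforced)."""
    m = RULE_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"unsupported rule: {line!r}")
    prio, kind, path, perms = m.groups()
    return {"priority": int(prio or 0), "deny": kind == "deny",
            "path": glob_to_regex(path), "perms": set(perms)}


def allowed(rules, path, perm):
    """Assumed model: the highest-priority matching rules decide, and at
    equal priority a deny beats an allow. No matching rule means denied."""
    hits = [r for r in map(parse_rule, rules)
            if perm in r["perms"] and r["path"].match(path)]
    if not hits:
        return False
    top = max(r["priority"] for r in hits)
    return not any(r["deny"] for r in hits if r["priority"] == top)


if __name__ == "__main__":
    netrc = HOME + "/.netrc"
    print("plain allow:", allowed([DENY_RC, PLAIN_ALLOW], netrc, "r"))
    print("priority=100:", allowed([DENY_RC, FIXED_ALLOW], netrc, "r"))
    print(".bashrc:", allowed([DENY_RC, FIXED_ALLOW], HOME + "/.bashrc", "r"))
```

In this model the prioritized rule opens read access to `.netrc` only: other `~/.*rc` files, and the `m` and `k` permissions on `.netrc` itself, remain covered by the abstraction's deny.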
