We talked about this at UDS Lucid and this is something I'd like to fix for 
Lucid. Conceptually, this is not too hard, since all we should have to do is 
adjust /etc/apparmor.d/tunables/home to have:
@{hom...@{homedirs}/*/ /root/
@{HOMEDIRS}=/home/ /home/*/

However, this gets quite complicated with rule evaluation, e.g. the tcpdump 
profile has:
  audit deny @{HOME}/bin/ rw,
  audit deny @{HOME}/bin/** mrwkl,
  @{HOME}/ r,
  @{HOME}/** rw,

After making the above change to tunables, this evaluates to (omitting /root/):
  audit deny /home/*/bin/ rw,
  audit deny /home/*/*/bin/ rw,
  audit deny /home/*/bin/** mrwkl,
  audit deny /home/*/*/bin/** mrwkl,
  /home/*/ r,
  /home/*/*/ r,
  /home/*/** rw,
  /home/*/*/** rw,

This is at best overly complicated and at worst could change the profile
in unexpected ways. If we want to support both local and likewise
homedirs, I think something else needs to happen.

Would it be possible to change the default location of likewise? E.g., adjusting 
lwiauthd.conf (AIUI) to point somewhere outside of /home would be ideal, but even 
having:
  template homedir = /home/likewise-open/%D/%U

would be an improvement. Then we could do:
@{hom...@{homedirs}/*/ /root/
@{HOMEDIRS}=/home/ /home/likewise-open/*/

which evaluates to (again, /root/ omitted):
  audit deny /home/*/bin/ rw,
  audit deny /home/likewise-open/*/*/bin/ rw,
  audit deny /home/*/bin/** mrwkl,
  audit deny /home/likewise-open/*/*/bin/** mrwkl,
  /home/*/ r,
  /home/likewise-open/*/*/ r,
  /home/*/** rw,
  /home/likewise-open/*/*/** rw,

This is much better, since only a system with a local user with home directory 
of '/home/likewise-open' would have the problems described above. This seems 
acceptable and easier than moving likewise outside of /home. If we do decide to 
move the directory, I advise adjusting lwiauthd.conf to have:
  # Changing template homedir will also require adjusting the AppArmor home 
  # tunable in /etc/apparmor.d/tunables/home for systems that use AppArmor.
  # See https://wiki.ubuntu.com/DebuggingApparmor#Adjusting%20Tunables
  # for details.
  template homedir = /home/likewise-open/%D/%U


** Changed in: apparmor (Ubuntu)
       Status: New => Confirmed

** Changed in: apparmor (Ubuntu)
   Importance: Undecided => High

** Changed in: likewise-open (Ubuntu)
   Importance: Medium => High

-- 
apparmor HOMEDIRS not adjusted for likewise
https://bugs.launchpad.net/bugs/274350
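
The variable expansion discussed in the comment above can be previewed before a tunable is changed. The following is an added example, not part of the original bug comment or of AppArmor itself: it expands `@{HOME}`/`@{HOMEDIRS}` for the tcpdump deny rule under both proposed `HOMEDIRS` values and checks which expanded rules match a given path. It assumes `@{HOME}` is defined as `@{HOMEDIRS}/*/ /root/` (consistent with the expansions quoted above), uses a simplified glob model (`*` stays within one path component, `**` crosses `/`), and the sample paths are constructed.

```python
import re

def expand(rule, variables):
    """Expand @{VAR} references recursively: one result per combination of values."""
    m = re.search(r"@\{(\w+)\}", rule)
    if not m:
        return [re.sub(r"/{2,}", "/", rule)]  # collapse '//' left by joining values
    out = []
    for value in variables[m.group(1)]:
        out.extend(expand(rule[:m.start()] + value + rule[m.end():], variables))
    return out

def glob_to_regex(glob):
    """Simplified AppArmor glob model (assumption): '*' = one component, '**' = any depth."""
    parts = re.split(r"(\*\*|\*)", glob)
    rx = "".join(".+" if p == "**" else "[^/]+" if p == "*" else re.escape(p)
                 for p in parts)
    return re.compile(rx + r"\Z")

def matching(rule, variables, path):
    """Return the expanded forms of `rule` that match `path`."""
    return [g for g in expand(rule, variables) if glob_to_regex(g).match(path)]

HOME = ["@{HOMEDIRS}/*/", "/root/"]           # assumed stock definition
STOCK = {"HOME": HOME, "HOMEDIRS": ["/home/"]}
PROPOSED_A = {"HOME": HOME, "HOMEDIRS": ["/home/", "/home/*/"]}
PROPOSED_B = {"HOME": HOME, "HOMEDIRS": ["/home/", "/home/likewise-open/*/"]}

DENY_RULE = "@{HOME}/bin/**"                  # path part of the tcpdump deny rule

# Constructed sample paths: a local user's nested bin directory and a
# domain user's ~/bin under the relocated template homedir.
LOCAL_NESTED = "/home/alice/src/bin/tool"
DOMAIN_BIN = "/home/likewise-open/EXAMPLE/bob/bin/tool"

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK), ("/home/*/", PROPOSED_A),
                      ("/home/likewise-open/*/", PROPOSED_B)):
        print(name, "->", expand(DENY_RULE, cfg))
        print("  deny hits for local nested path:", matching(DENY_RULE, cfg, LOCAL_NESTED))
        print("  deny hits for domain ~/bin path:", matching(DENY_RULE, cfg, DOMAIN_BIN))
```

With `HOMEDIRS` containing `/home/*/`, the deny rule starts matching a local user's `~/src/bin/`, which the stock profile did not deny; with `/home/likewise-open/*/` it does not.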