[Bug 870607] New: winbind profile needs access to /var/tmp/$hostname-044_$uid
https://bugzilla.novell.com/show_bug.cgi?id=870607#c0

Summary: winbind profile needs access to /var/tmp/$hostname-044_$uid
Classification: openSUSE
Product: openSUSE Factory
Version: 13.2 Milestone 0
Platform: All
OS/Version: openSUSE 13.2
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
AssignedTo: suse-beta@cboltz.de
ReportedBy: lmuelle@suse.com
QAContact: qa-bugs@suse.de
CC: samba-maintainers@SuSE.de
Found By: Development
Blocker: No
From the syslog we know:

name="/var/tmp/linux-044_10001" pid=4260 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=10001 ouid=10001

Do we need to add a line like

/var/tmp/@{HOSTNAME}-*/** rw,

to /etc/apparmor.d/usr.sbin.winbindd ?

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #15 from Christian Boltz
(In reply to comment #11)
> Would it be ok to limit (rw) access for winbindd to /var/cache/krb5rcache/ (KRB5RCACHEDIR)?
> That's how the permissions would look in the directory:
>
> vejle:~ # LC_ALL=POSIX ls -al /var/cache/krb5rcache/
> total 4
> drwxrwx--- 1 root        root  30 Apr  1 16:11 .
> drwxr-xr-x 1 root        root 170 Apr  1 15:59 ..
> -rw------- 1 LURCH\larsm root 165 Apr  1 16:11 vejle-044_10000

Allowing a directory that is only writeable for a specific user (in this case root or someone in the root group - typically only root) is _much_ better than /var/tmp/ where everybody can do funny stuff.

Your SR looks good at first look, but I'll give it a second look before accepting it (might take some days - I'm too busy at the moment :-( )
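As an added illustration (not code from the bug report or from the AppArmor or Samba projects), a small Python checker that parses the denial quoted in the report, tests whether a candidate profile rule would cover it under AppArmor's path-glob rules (`*` stops at `/`, `**` crosses directories, `w` implies create), and flags a denied path whose parent directory is world-writable, which is the property that makes /var/cache/krb5rcache preferable to /var/tmp. The apparmor="DENIED" prefix, the host name "linux" and the 1777 mode of /var/tmp are assumptions.

```python
import re

# Constructed sample: the denial quoted in the bug report, prefixed with the
# apparmor="DENIED" marker the kernel audit record normally carries (assumed).
SAMPLE_DENIAL = (
    'apparmor="DENIED" name="/var/tmp/linux-044_10001" pid=4260 '
    'comm="winbindd" requested_mask="c" denied_mask="c" fsuid=10001 ouid=10001'
)

# Directory modes: krb5rcache as listed in comment 15 (drwxrwx---), /var/tmp
# assumed to be the conventional sticky world-writable 1777.
DIR_MODES = {"/var/tmp": 0o1777, "/var/cache/krb5rcache": 0o770}

# A profile 'w' permission also covers create ('c') and append ('a').
IMPLIED = {"r": {"r"}, "w": {"w", "c", "a"}, "a": {"a"}, "c": {"c"}}

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line):
    """Split an audit record into key/value pairs (quoted or bare values)."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def rule_regex(rule_path, hostname):
    """Compile an AppArmor path glob: @{HOSTNAME} expands to the host name,
    '*' stops at '/', '**' crosses directory boundaries."""
    tokens = re.split(r"(\*\*|\*|@\{HOSTNAME\})", rule_path)
    mapping = {"**": ".*", "*": "[^/]*", "@{HOSTNAME}": re.escape(hostname)}
    return re.compile("^" + "".join(mapping.get(t, re.escape(t)) for t in tokens) + "$")


def rule_allows(rule, denial, hostname):
    """True if 'path perms,' both matches the denied name and grants every
    permission bit listed in denied_mask."""
    path, perms = rule.rstrip(",").split()
    granted = set().union(*(IMPLIED[p] for p in perms))
    return (rule_regex(path, hostname).match(denial["name"]) is not None
            and set(denial["denied_mask"]) <= granted)


def parent_world_writable(path):
    """Flag paths whose parent directory any local user can write to."""
    parent = path.rsplit("/", 1)[0]
    return bool(DIR_MODES.get(parent, 0) & 0o002)


if __name__ == "__main__":
    d = parse_denial(SAMPLE_DENIAL)
    for rule in ("/var/tmp/@{HOSTNAME}-*/** rw,", "/var/tmp/@{HOSTNAME}-* rw,"):
        print(rule, "covers denial:", rule_allows(rule, d, "linux"))
    print("parent world-writable:", parent_world_writable(d["name"]))
```

Run against the sample, the `/**` form does not match the denied file because the file sits directly in /var/tmp, while the `-*` form does; the world-writable check is what distinguishes a /var/tmp path from one under the root-only krb5rcache directory.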
--- Comment #22 from Lars Müller
> For the record: Committed to upstream trunk r2461 - AppArmor 2.9 beta2 will contain it.
>
> Thanks!
>
> Lars, IMHO it would make sense to make /var/cache/krb5rcache (instead of /var/tmp/) the default KRB5RCACHEDIR in samba. Can you please send a patch upstream? ;-)

Making /var/cache/krb5rcache the default KRB5RCACHEDIR might not be the approach to fit all UNIX-like systems. Some don't have /var/cache/ at all.