https://bugzilla.novell.com/show_bug.cgi?id=876108 https://bugzilla.novell.com/show_bug.cgi?id=876108#c2 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |meissner@suse.com, | |security-team@suse.de --- Comment #2 from Marcus Meissner 2014-05-02 10:58:54 UTC --- it is actually the new kernel symlink protection triggering, and not apparmor. /usr/include/linux/audit.h:#define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */ Linux Kernel Documentation/sysctl/fs.txt: protected_symlinks: A long-standing class of security issues is the symlink-based time-of-check-time-of-use race, most commonly seen in world-writable directories like /tmp. The common method of exploitation of this flaw is to cross privilege boundaries when following a given symlink (i.e. a root process follows a symlink belonging to another user). For a likely incomplete list of hundreds of examples across the years, please see: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=/tmp When set to "0", symlink following behavior is unrestricted. When set to "1" symlinks are permitted to be followed only when outside a sticky world-writable directory, or when the uid of the symlink and follower match, or when the directory owner matches the symlink's owner. This protection is based on the restrictions in Openwall and grsecurity. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=876108 https://bugzilla.novell.com/show_bug.cgi?id=876108#c4 Harald Koenig changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |CLOSED Resolution| |INVALID --- Comment #4 from Harald Koenig 2014-05-02 13:20:38 UTC --- (In reply to comment #1)

This means you would have to find out what particular applications missed to remove their PPDs when no longer needed and file separated bug reports for each of them (for an example see bnc#338095).

just for reference: the application in question was/is acroread-9.5.5. it creates 4 symlinks per print-request:-( so obviously this is a non-issue for opensuse... thanks for your help and insights! Harald -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=876108 https://bugzilla.novell.com/show_bug.cgi?id=876108#c Johannes Meixner changed: What |Removed |Added ---------------------------------------------------------------------------- Component|AppArmor |Other Platform|x86-64 |All Found By|--- |Community User Summary|cups /tmp/* symlinks and |Adobe Reader leaves PPD |kernel audit log |file symlinks in /tmp/ and | |kernel symlink protection OS/Version|Other |openSUSE 13.1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.