https://bugzilla.novell.com/show_bug.cgi?id=738041
https://bugzilla.novell.com/show_bug.cgi?id=738041#c7

--- Comment #7 from Christian Boltz <suse-beta@cboltz.de> 2011-12-23 18:08:57 CET ---

(In reply to comment #6)
> I guess that if someone uses ldapsmb and no smbldap-tools he should use something like /usr/sbin/ldapsmb rux,
> I'm not sure these perms are the most secure or not, maybe some apparmor guru can check this.
> /etc/netgroup r,
No problem IMHO.
> /bin/bash ix,
Even if I'm somewhat surprised why this is needed, your log snippet from comment #5 shows that you need it for some reason. (Maybe smbd starts a bash first to start the perl script?) And "ix" for bash shouldn't be a problem.
> /usr/sbin/smbldap-useradd rux,
"rux" is not a good idea because it runs smbldap-useradd unconfined (without any AppArmor protection) and additionally doesn't clean up the environment variables. Better use "Px" (to use a separate profile which is always used when someone calls smbldap-useradd) or "Cx" to make it a child profile ("smbldap-useradd called by smbd"). I don't know if/how smbldap-useradd is used elsewhere, so I can't recommend which way is better - however the general rule of thumb is that a separate profile might be better because it also covers usage of smbldap-useradd if not called by smbd.

Your report sounds like you are editing the profile manually. While this is of course possible, there are tools to make it easier ;-)

Short HowTo:
- optional: run "old /var/log/audit.log ; rcauditd restart" to start with a clean audit.log
- remove the line for smbldap-useradd from your smbd profile
- run "aa-complain usr.sbin.smbd" to switch the profile to learning mode (this will also reload the profile)
- run samba for a while, and make sure it calls smbldap-useradd
- run "aa-logprof" to update the profile (and enter "p" or "c" when it asks how to execute smbldap-useradd)
- and finally switch back to enforce mode with "aa-enforce usr.sbin.smbd"

Then tell me the needed additions to the smbd profile, and attach the profile for smbldap-useradd. If possible, also attach your audit.log to this bug report in case I want to check some details (for example, if a list of filenames or a * makes more sense in the profile).
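The two confinement options described in the comment above, as an added example that is not part of the bug report: a separate profile reached via "Px" (variant A) and a child profile reached via "Cx" (variant B). The smbd, smbldap-useradd, bash and netgroup paths are the ones from the thread; the smbldap-tools config paths and the rules inside the smbldap-useradd profile are assumptions that aa-logprof output would replace.

```apparmor
# Added example, not from the bug report. Both variants replace
#   /usr/sbin/smbldap-useradd rux,
# which runs the helper unconfined and keeps smbd's environment.
# Rules inside the smbldap-useradd profile are assumptions only.

# --- Variant A: separate profile (file /etc/apparmor.d/usr.sbin.smbldap-useradd)
# In usr.sbin.smbd use:
#   /usr/sbin/smbldap-useradd Px,
# Upper-case "Px" transitions to the profile below AND scrubs the
# environment; the same profile also applies when the tool is run by
# an admin from a shell, which is why a separate profile is preferred.
#include <tunables/global>

/usr/sbin/smbldap-useradd {
  #include <abstractions/base>
  #include <abstractions/perl>
  #include <abstractions/nameservice>

  /usr/sbin/smbldap-useradd r,
  /etc/netgroup r,
  # assumed config locations of smbldap-tools; adjust to the real ones
  /etc/smbldap-tools/smbldap.conf r,
  /etc/smbldap-tools/smbldap_bind.conf r,
}

# --- Variant B: child profile kept inside usr.sbin.smbd
# Only covers smbldap-useradd when smbd spawns it; "Cx" also scrubs
# the environment (lower-case "cx" would not).
/usr/sbin/smbd {
  # ... existing smbd rules stay here ...
  /bin/bash ix,
  /usr/sbin/smbldap-useradd Cx -> smbldap-useradd,

  profile smbldap-useradd {
    #include <abstractions/base>
    #include <abstractions/perl>
    #include <abstractions/nameservice>

    /usr/sbin/smbldap-useradd r,
    /etc/netgroup r,
    # assumed config locations, see variant A
    /etc/smbldap-tools/smbldap.conf r,
    /etc/smbldap-tools/smbldap_bind.conf r,
  }
}
```

After loading either variant with apparmor_parser -r, the audit.log shows any access the assumed rules miss as DENIED entries, which aa-logprof turns into the remaining rules.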