[Bug 921098] New: winbindd 4.2.0 panics on start-up when Apparmor is enabled
http://bugzilla.opensuse.org/show_bug.cgi?id=921098

Bug ID: 921098
Summary: winbindd 4.2.0 panics on start-up when Apparmor is enabled
Classification: openSUSE
Product: openSUSE Factory
Version: 201502*
Hardware: Other
OS: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: AppArmor
Assignee: suse-beta@cboltz.de
Reporter: ddiss@suse.com
QA Contact: qa-bugs@suse.de
CC: samba-maintainers@SuSE.de
Found By: ---
Blocker: ---

Hi Christian,

With Samba 4.2.0, currently queued for openSUSE:Factory via OBS req 289602, a new DGM messaging subsystem is introduced. This subsystem uses /var/lib/samba/$PID paths for locking and synchronisation. The use of these paths is currently blocked for winbindd by AppArmor, resulting in a panic on startup:

[2015/03/06 15:06:47, 1, pid=2244, effective(0, 0), real(0, 0)] ../source3/lib/messages_dgm.c:113(messaging_dgm_lockfile_create)
  messaging_dgm_lockfile_create: open failed: Permission denied
[2015/03/06 15:06:47, 1, pid=2244, effective(0, 0), real(0, 0)] ../source3/lib/messages_dgm.c:233(messaging_dgm_init)
  messaging_dgm_init: messaging_dgm_create_lockfile failed: Permission denied
[2015/03/06 15:06:47, 2, pid=2244, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:295(messaging_init)
  messaging_dgm_init failed: Permission denied
[2015/03/06 15:06:47, 0, pid=2244, effective(0, 0), real(0, 0)] ../source3/lib/util.c:788(smb_panic_s3)
  PANIC (pid 2244): Could not init winbindd's messaging context.

The Apparmor profile should permit winbindd full access to these paths, like smbd. Please consider the following patch:

--- /etc/apparmor.d/usr.sbin.winbindd.old 2015-03-06 16:24:28.369731700 +0100
+++ /etc/apparmor.d/usr.sbin.winbindd 2015-03-06 16:25:02.925731700 +0100
@@ -25,12 +25,8 @@ /var/cache/samba/*.tdb rwk, /var/cache/samba/netsamlogon_cache.tdb rw, - /var/lib/samba/smb_krb5/krb5.conf.* rw, - /var/lib/samba/smb_tmp_krb5.* rw, - /var/lib/samba/**.tdb rwk, + /var/lib/samba/** rwk, - /var/lib/samba/winbindd_cache.tdb* rwk, - /var/lib/samba/winbindd_privileged/pipe w, /var/log/samba/cores/ rw, /var/log/samba/cores/winbindd/ rw, /var/log/samba/cores/winbindd/** rw, -- You are receiving this mail because: You are on the CC list for the bug.
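Review bot: the single `/var/lib/samba/** rwk,` line that replaces the five removed path-specific rules grants read, write and lock on every file and subdirectory under /var/lib/samba/, which is a much wider grant than the `/var/lib/samba/**.tdb rwk,`, `/var/lib/samba/winbindd_privileged/pipe w,` and krb5 lines it drops; the report names only the /var/lib/samba/$PID lock files as the new requirement, so a comment above the rule stating that the DGM messaging lock files are what forces the tree-wide grant (and keeping the glob out of abstractions/samba, where it would also widen nmbd) would let a later reviewer narrow it once the exact paths are known.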
--- Comment #1 from David Disseldorp <ddiss@suse.com> ---
(In reply to David Disseldorp from comment #0)
> The Apparmor profile should permit winbindd full access to these paths, like smbd.

Hmm, looks like abstractions/samba would be the best place to fix this, as it's included by usr.sbin.smbd and usr.sbin.winbindd. Additionally, Winbind requires /etc/samba/netlogon_creds_cli.tdb rwk access.
--- Comment #2 from David Disseldorp <ddiss@suse.com> ---
The list goes on...

Mar 06 17:11:34 fater winbindd[2505]: [2015/03/06 17:11:34.416409, 0, pid=2505, effective(0, 0), real(0, 0)] ../lib/util/util.c:220(directory_create_or_exist)
Mar 06 17:11:34 fater winbindd[2505]:   mkdir failed on directory /etc/samba/smbd.tmp: Permission denied
Mar 06 17:11:34 fater winbindd[2505]: [2015/03/06 17:11:34.417359, 0, pid=2505, effective(0, 0), real(0, 0)] ../source3/lib/util.c:788(smb_panic_s3)
Mar 06 17:11:34 fater winbindd[2505]:   PANIC (pid 2505): Could not init winbindd's messaging context.
Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ddiss@suse.com
              Flags|                            |needinfo?(ddiss@suse.com)

--- Comment #3 from Christian Boltz <suse-beta@cboltz.de> ---
(In reply to David Disseldorp from comment #1)
> (In reply to David Disseldorp from comment #0)
> > The Apparmor profile should permit winbindd full access to these paths, like smbd.
>
> Hmm, looks like abstractions/samba would be the best place to fix this, as it's included by usr.sbin.smbd and usr.sbin.winbindd.

FYI: abstractions/samba is also included by usr.sbin.nmbd, and the changes you propose are quite permissive (whole directory instead of some individual files). Do you see any security risks in giving nmbd those additional permissions?

BTW: You should probably switch your samba profiles into complain mode with aa-complain, run samba for a while and then update the profiles with aa-logprof. That's easier than fixing one permission at a time and running into the next a minute later. Don't forget to switch the profiles back to enforce mode with aa-enforce afterwards ;-)
--- Comment #4 from David Disseldorp <ddiss@suse.com> ---
(In reply to Christian Boltz from comment #3)
> (In reply to David Disseldorp from comment #1)
> > (In reply to David Disseldorp from comment #0)
> > > The Apparmor profile should permit winbindd full access to these paths, like smbd.
> >
> > Hmm, looks like abstractions/samba would be the best place to fix this, as it's included by usr.sbin.smbd and usr.sbin.winbindd.
>
> FYI: abstractions/samba is also included by usr.sbin.nmbd, and the changes you propose are quite permissive (whole directory instead of some individual files). Do you see any security risks in giving nmbd those additional permissions?

I'm not aware of any additional risks associated with allowing full /var/lib/samba access. In general, Samba processes expect to be able to use this directory for arbitrary state storage and IPC under the constraint of the filesystem ACLs.

> BTW: You should probably switch your samba profiles into complain mode with aa-complain, run samba for a while and then update the profiles with aa-logprof. That's easier than fixing one permission at a time and running into the next a minute later. Don't forget to switch the profiles back to enforce mode with aa-enforce afterwards ;-)

Will do, thanks for the tip.
David Disseldorp <ddiss@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gorgoglione@gmail.com

--- Comment #5 from David Disseldorp <ddiss@suse.com> ---
*** Bug 923201 has been marked as a duplicate of this bug. ***
--- Comment #6 from Christian Boltz <suse-beta@cboltz.de> ---
To sum up this report (including the additions from the comments) - the needed additions for winbindd are:

  /etc/samba/netlogon_creds_cli.tdb rwk,
  /etc/samba/smbd.tmp/ rw,
  /var/lib/samba/** rwk,

Besides creating the /etc/samba/smbd.tmp/ directory, does winbindd need to read or write any files in it?

Are any other additions needed?
Noel Power <nopower@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nopower@suse.com

--- Comment #7 from Noel Power <nopower@suse.com> ---
(In reply to Christian Boltz from comment #6)
> Besides creating the /etc/samba/smbd.tmp/ directory, does winbindd need to read or write any files in it?

winbindd does create a msg subdirectory (e.g. /etc/samba/smbd.tmp/msg); in that 'msg' directory it additionally creates a msg.<some id> file and also seems to create a names.tdb file.
--- Comment #8 from Christian Boltz <suse-beta@cboltz.de> ---
To make sure I get it right - in which directory is names.tdb created?

Which permissions are needed for /etc/samba/smbd.tmp/msg/msg.* - rw or rwk?

The easiest way is to attach the audit.log, because that ensures I get the permissions correct ;-)
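Comments #3 and #8 describe the workflow the maintainer relies on: run the daemon in complain mode, then derive the missing profile rules from the AppArmor audit records rather than guessing them one at a time. The script below is an added example, not part of this bug report and not AppArmor's own aa-logprof; it implements the core of that step in plain Python. The audit lines it processes are constructed to mirror the winbindd denials discussed in the thread (lock file under /var/lib/samba, mkdir of /etc/samba/smbd.tmp, names.tdb) and are not copied from the attached audit.log; the requested_mask-to-permission mapping is a simplification of what aa-logprof applies.

```python
"""Turn AppArmor DENIED/ALLOWED audit records into candidate profile rules.

Added example (not from the bug report or from the AppArmor project): a
minimal stand-in for the log-reading step of aa-logprof. DENIED records
are produced in enforce mode, ALLOWED records in complain mode; both mean
the profile has no rule for that access.
"""
import re
from collections import defaultdict

# Sample audit records, constructed for this example to mirror the thread.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1425654407.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/winbindd" name="/var/lib/samba/2244" pid=2244 comm="winbindd" requested_mask="wc" denied_mask="wc" fsuid=0 ouid=0
type=AVC msg=audit(1425654407.102:202): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/winbindd" name="/var/lib/samba/2244" pid=2244 comm="winbindd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1425661894.416:310): apparmor="DENIED" operation="mkdir" profile="/usr/sbin/winbindd" name="/etc/samba/smbd.tmp/" pid=2505 comm="winbindd" requested_mask="c" denied_mask="c" fsuid=0 ouid=0
type=AVC msg=audit(1438245900.500:411): apparmor="DENIED" operation="open" profile="/usr/sbin/winbindd" name="/etc/samba/smbd.tmp/msg/names.tdb" pid=4469 comm="winbindd" requested_mask="rwc" denied_mask="rwc" fsuid=0 ouid=0
type=AVC msg=audit(1438245900.501:412): apparmor="DENIED" operation="file_lock" profile="/usr/sbin/winbindd" name="/etc/samba/smbd.tmp/msg/names.tdb" pid=4469 comm="winbindd" requested_mask="k" denied_mask="k" fsuid=0 ouid=0
type=AVC msg=audit(1438245900.502:413): apparmor="ALLOWED" operation="open" profile="/usr/sbin/winbindd" name="/var/lib/samba/winbindd_cache.tdb" pid=4469 comm="winbindd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs in an audit line: the value is either "quoted" or bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# requested_mask letters -> profile permission letters (simplified mapping):
# create, delete and append all need 'w'; exec ('x') needs an exec mode
# (ix/Px/Ux...) and is reported separately instead of being guessed.
_MASK_MAP = {"r": "r", "w": "w", "c": "w", "d": "w", "a": "w",
             "k": "k", "l": "l", "m": "m"}
_PERM_ORDER = "rwlkm"   # canonical order for the emitted permission string


def parse_record(line):
    """Return the key/value fields of one audit line as a dict."""
    fields = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def needed_permissions(audit_text):
    """Aggregate missing file permissions per (profile, path).

    Returns (needed, exec_hits): needed maps (profile, path) to the set of
    permission letters seen across all records, so an open (rwc) and a
    later file_lock (k) on the same file merge into rwk; exec_hits lists
    (profile, path) pairs that need an exec rule a human must choose.
    """
    needed = defaultdict(set)
    exec_hits = set()
    for line in audit_text.splitlines():
        if 'apparmor="' not in line:
            continue
        rec = parse_record(line)
        if rec.get("apparmor") not in ("DENIED", "ALLOWED"):
            continue
        if "name" not in rec or "profile" not in rec:
            continue          # not a file access record (e.g. capability)
        mask = rec.get("denied_mask") or rec.get("requested_mask", "")
        key = (rec["profile"], rec["name"])
        for letter in mask:
            if letter == "x":
                exec_hits.add(key)
            elif letter in _MASK_MAP:
                needed[key].add(_MASK_MAP[letter])
    return needed, exec_hits


def format_rules(needed):
    """Render aggregated permissions as profile lines, grouped by profile."""
    by_profile = defaultdict(list)
    for (profile, path), perms in sorted(needed.items()):
        letters = "".join(p for p in _PERM_ORDER if p in perms)
        by_profile[profile].append(f"{path} {letters},")
    return dict(by_profile)


def suggest_rules(audit_text):
    """Audit text -> {profile: [rule lines]} with one exact-path rule each."""
    needed, _ = needed_permissions(audit_text)
    return format_rules(needed)


if __name__ == "__main__":
    for profile, rules in suggest_rules(SAMPLE_AUDIT).items():
        print(f"# rules missing from the profile for {profile}")
        for rule in rules:
            print("  " + rule)
```

The script emits one exact-path rule per file; collapsing those into a glob such as `/var/lib/samba/**` is the judgement call the maintainer makes by hand in this thread. The names.tdb case shows why the audit log is asked for: the `open` and the `file_lock` arrive as two separate records, so a rule written from the first one alone ends up as `rw` and still fails on the lock, which is exactly the missing `k` discussed later in the thread.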
--- Comment #9 from Noel Power <nopower@suse.com> ---
Created attachment 629570
  --> http://bugzilla.opensuse.org/attachment.cgi?id=629570&action=edit
audit.log
--- Comment #10 from Noel Power <nopower@suse.com> ---
(In reply to Christian Boltz from comment #8)
> To make sure I get it right - in which directory is names.tdb created?

msg.xyz & names.tdb are created in /etc/samba/smbd.tmp/msg

> Which permissions are needed for /etc/samba/smbd.tmp/msg/msg.* - rw or rwk?
>
> The easiest way is to attach the audit.log, because that ensures I get the permissions correct ;-)

attached,
Noel Power <nopower@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
Attachment #629570 |0                           |1
        is obsolete|                            |

--- Comment #11 from Noel Power <nopower@suse.com> ---
Created attachment 629575
  --> http://bugzilla.opensuse.org/attachment.cgi?id=629575&action=edit
new version of audit.log

I added the entries

  /etc/samba/netlogon_creds_cli.tdb rwk,
  /etc/samba/smbd.tmp/ rw,
  /var/lib/samba/** rwk,

to the winbind profile and reran. I think the previous output is useless for you without the changes (sorry, I wasn't reading through thoroughly enough).
Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #12 from Christian Boltz <suse-beta@cboltz.de> ---
I'll (finally - sorry for the delay!) submit the package with updated profiles in some minutes.

If something is still missing, please reopen or open another bugreport.
David Disseldorp <ddiss@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(ddiss@suse.com)   |

--- Comment #14 from David Disseldorp <ddiss@suse.com> ---
(In reply to Christian Boltz from comment #12)
> I'll (finally - sorry for the delay!) submit the package with updated profiles in some minutes.
>
> If something is still missing, please reopen or open another bugreport.

Thanks Christian, much appreciated!
--- Comment #15 from Noel Power <nopower@suse.com> ---
Created attachment 642400
  --> http://bugzilla.opensuse.org/attachment.cgi?id=642400&action=edit
tweaks to the apparmor profile that seems to fix this on tumbleweed
Noel Power <nopower@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |---

--- Comment #16 from Noel Power <nopower@suse.com> ---
Unfortunately Tumbleweed and latest SLE12-SP1 (alpha2) share similar problems; it seems we missed some things in the profiles still.

See proposed fix in attachment mentioned in comment #15.
Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(nopower@suse.com)

--- Comment #17 from Christian Boltz <suse-beta@cboltz.de> ---
(In reply to Noel Power from comment #16)
> Unfortunately Tumbleweed and latest SLE12-SP1 (alpha2) share similar problems; it seems we missed some things in the profiles still.
>
> See proposed fix in attachment mentioned in comment #15.

> +++ old/usr.sbin.nmbd 2015-07-29 20:07:14.230667945 +0100
> + /var/lib/samba/** rwk,

That is already covered via abstractions/samba (in Tumbleweed, not sure about SLE), so I don't see the need to add it to the nmbd profile. (Do you have some *.rpmnew in /etc/apparmor.d/ on your system?)

> +++ old/usr.sbin.winbindd 2015-07-29 20:06:25.099322583 +0100
> + /etc/samba/smbd.tmp/** rwk,
> + /etc/samba/smbd.tmp/msg/ rw,
> + /etc/samba/smbd.tmp/msg/* rw,

That might be too much ;-)

A quick test ("rcwinbindd start") shows missing k permissions for /etc/samba/smbd.tmp/msg/names.tdb. Therefore I propose:

(winbindd profile)
- /etc/samba/smbd.tmp/msg/* rw,
+ /etc/samba/smbd.tmp/msg/* rwk,

Can you please check if this is enough? (If not, what are the actual filenames that need rwk permissions?)
--- Comment #18 from Noel Power <nopower@suse.com> ---
(In reply to Christian Boltz from comment #17)
> (In reply to Noel Power from comment #16)
> > Unfortunately Tumbleweed and latest SLE12-SP1 (alpha2) share similar problems; it seems we missed some things in the profiles still.
> >
> > See proposed fix in attachment mentioned in comment #15.
>
> > +++ old/usr.sbin.nmbd 2015-07-29 20:07:14.230667945 +0100
> > + /var/lib/samba/** rwk,
>
> That is already covered via abstractions/samba (in Tumbleweed, not sure about SLE), so I don't see the need to add it to the nmbd profile. (Do you have some *.rpmnew in /etc/apparmor.d/ on your system?)

You're correct. I think I was confused by a combination of testing before/after a dup (my tumbleweed was quite old) and a fresh install of tumbleweed and additionally testing SLE12 (and getting a little mixed up).

And /var/lib/samba/** rwk, isn't in samba/abstractions in SLE (I know so little about apparmor I wasn't even aware of it ;-)), so great, I can remove this entry from sbin.nmbd on SLE and use the abstraction.

> > +++ old/usr.sbin.winbindd 2015-07-29 20:06:25.099322583 +0100
> > + /etc/samba/smbd.tmp/** rwk,
> > + /etc/samba/smbd.tmp/msg/ rw,
> > + /etc/samba/smbd.tmp/msg/* rw,
>
> That might be too much ;-)

fair enough

> A quick test ("rcwinbindd start") shows missing k permissions for /etc/samba/smbd.tmp/msg/names.tdb. Therefore I propose:
>
> (winbindd profile)
> - /etc/samba/smbd.tmp/msg/* rw,
> + /etc/samba/smbd.tmp/msg/* rwk,
>
> Can you please check if this is enough? (If not, what are the actual filenames that need rwk permissions?)

I will check (will try to get back to you as soon as possible, but currently I need to check SLE first).
--- Comment #19 from Noel Power <nopower@suse.com> ---
(In reply to Noel Power from comment #18)
> (In reply to Christian Boltz from comment #17)
> > (In reply to Noel Power from comment #16)
> > [...]
> > Can you please check if this is enough? (If not, what are the actual filenames that need rwk permissions?)

It seems this is enough, thanks a lot!! (at least with some quick testing here) I will try to do some more testing later anyway.

fyi

ls -lR /etc/samba/smbd.tmp/
/etc/samba/smbd.tmp/:
total 0
drwx------ 1 root root 82 Jul 30 09:25 msg

/etc/samba/smbd.tmp/msg:
total 12
srwxrwxrwx 1 root root     0 Jul 29 20:21 msg.4469
srwxrwxrwx 1 root root     0 Jul 29 20:25 msg.5795
srwxrwxrwx 1 root root     0 Jul 29 20:28 msg.6123
srwxrwxrwx 1 root root     0 Jul 30 09:25 msg.7455
-rw-rw---- 1 root root 12288 Jul 30 09:25 names.tdb
Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|needinfo?(nopower@suse.com) |

--- Comment #22 from Christian Boltz <suse-beta@cboltz.de> ---
Thanks! Fix committed upstream (trunk and 2.9 branch, will be in 2.10.1 and 2.9.3).

I also added the patch to security:apparmor and will submit it to factory after the pending SR 318425 is accepted.

BTW: I plan to submit AppArmor 2.10 to Leap (which has 2.8.x now) and also recommend to do this for SLE12 SP1.
Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #23 from Christian Boltz <suse-beta@cboltz.de> ---
Submitted to Factory - SR 320064.