Mailinglist Archive: opensuse-bugs (4067 mails)

[Bug 688040] apparmor profile denies smbd access to the shared folder

https://bugzilla.novell.com/show_bug.cgi?id=688040

https://bugzilla.novell.com/show_bug.cgi?id=688040#c8


Christian Boltz <suse-beta@xxxxxxxxx> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |NEEDINFO
InfoProvider| |lmuelle@xxxxxxxxxx

--- Comment #8 from Christian Boltz <suse-beta@xxxxxxxxx> 2011-08-21 17:45:16 CEST ---
(In reply to comment #7)
> (In reply to comment #2)
> > Agreed. It would still be worth some bonus points if the samba initscript
> > would auto-generate a profile snippet with the path of all shares ;-)
>
> Although attractive, this method is far from a silver bullet. As Lars
> described on the opensuse-factory ML, Samba share definitions can be updated
> with various actions: process restart, SIGHUP, smbcontrol message and
> registry change.

Yes, I've seen his mail - however I'd say this is where things get scary ;-)

Basically I see two options:
a) parse smb.conf to create an apparmor profile snippet (without the
"dynamically" created shares)
b) let Samba itself update the profile snippet
c) (did I miss another option?)

b) might sound like the better solution, but comes with the risk that someone
exploits Samba and then raises his privileges.
With a) he would at least have to modify smb.conf and re-run the initscript to
update the apparmor profile snippet, which is much more difficult to exploit
IMHO.

Lars, what is your opinion about this?

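A sketch of option a) from the comment above, added here as an illustration; it is not code from the bug report, Samba or openSUSE. The function names, the sample smb.conf, the permission sets and the list of rejected characters are assumptions, only a per-share `read only` is consulted, and shares whose path is dynamic or could alter the generated rule are skipped rather than emitted.

```python
import re

# Constructed sample smb.conf, not taken from the bug report.
SAMPLE = '''\
[global]
   workgroup = EXAMPLE
[projects]
   path = /srv/samba/projects
   read only = no
[docs]
   Path = /srv/samba/team docs
[scratch]
   path = /home/%U/scratch
[odd]
   path = /srv/x" rw, "/srv/y
'''

# Characters that would change how AppArmor reads a quoted path, plus Samba's %.
UNSAFE = re.compile(r'[\x00-\x1f"*?\[\]{}\\%]')
TRUE = {"yes", "true", "1", "on"}

def parse_shares(text):
    """Return {section: {param: value}}; names lose case and inner whitespace."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return shares

def apparmor_snippet(text):
    """Return (rule_lines, skipped_share_names) for statically defined shares."""
    rules, skipped = [], []
    for name, params in parse_shares(text).items():
        if name == "global" or "path" not in params:
            continue
        path = params["path"].rstrip("/")
        if not path.startswith("/") or UNSAFE.search(path):
            skipped.append(name)  # dynamic (%U) or unsafe to embed in a rule
            continue
        writable = params.get("readonly", "yes").lower() not in TRUE
        rules.append(f'"{path}/" r,')
        rules.append(f'"{path}/**" {"rwkl" if writable else "rk"},')
    return rules, skipped
```

Because the generator's output becomes part of smbd's confinement, the skipped list is worth logging so that a share dropped from the snippet is visible to the administrator.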
