Mailinglist Archive: opensuse-factory (1029 mails)

Re: [opensuse-factory] Let's keep acroread for pure reasons of usability.
Hello,

On Friday, 8 November 2013, Carlos E. R. wrote:
On Thursday, 2013-11-07 at 23:20 +0100, Christian Boltz wrote:
On Thursday, 7 November 2013, Carlos E. R. wrote:

Anyway, I'll attach my AppArmor profile for acroread. It's not as
tight as it could be (and I'll probably do some changes to it now
that I know acroread won't get security updates anymore), but it's
a good start. Be warned that you will need to change it - for
example I'm quite sure your home directory is not /home/cb/ ;-)

It is a start, thanks.

Now that I think of it, the YaST AppArmor wizard has disappeared, so it is
more difficult to adjust profiles.

Hmm, I didn't check the YaST module for a long time (I never use it),
but the changelog says you are right:

* Mo Aug 19 2013 jreidinger@xxxxxxxx
- fix broken dialog in edit profiles
- drop reporting and profile generation tools (FATE#308684,308683)

Needless to say that both FATE entries are non-public :-( which means I
don't know any details why this was done. The only thing I know is that
the changelog entry is partly wrong - the "reporting" part was already
disabled in 2011 because of upstream changes.

In the remaining part, I even found a crash :-( (-> bug 849571)

That said - you don't need YaST to update the profiles ;-) - the
command-line tools work as well as always.

To update an existing profile, run aa-logprof
It will ask you in the same way YaST did, the only difference is that
you need to use your keyboard instead of your mouse ;-)

New profiles can be created with aa-genprof.

Note: the profile only covers the binary, not the wrapper script.

Which is that?

That's easy to find out ;-)

# which acroread
# ls -l `which acroread`
(and then follow the symlink)

Or just run aa-genprof acroread to create a profile ;-)
Note: AFAIK the wrapper script uses LD_PRELOAD when starting the real
binary, which means you should _not_ clean the environment when the
binary is executed ("px" instead of "Px" in the profile)

That all said: The most secure solution is of course to use a maintained
PDF reader like Okular, but if you really _have to_ use acroread for
some reason, it's more secure (or should I say less exploitable) with an
AppArmor profile.

If the danger is in the Firefox plugin, for instance, that can be
removed with less trouble.

Indeed, just zypper rm acroread-browser-plugin

I'd strongly recommend doing that (guess who split off this
subpackage, and why... ;-)

No idea...

You can blame me for the subpackage ;-)


Regards,

Christian Boltz
--
CPU & registers: the person (with short-term memory)
I beg your pardon! When I wake up in the morning, I don't have to
read through file folders first. I can remember things as it is.
[> David Haller and Bernd Brodesser in suse-linux]
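
The manual steps in the mail above (which, ls -l, follow the symlink) and its px/Px note, as an added shell example that is not part of the original mail or of the AppArmor tools. The function names and the grep for LD_PRELOAD are assumptions made for illustration; it relies on `readlink -f` being available.

```sh
# Added example (constructed helper, not from the original mail).

# Print the fully resolved path of a command, i.e. what you get by
# following the symlinks shown by `ls -l` by hand.
resolve_cmd() {
    local p
    p=$(command -v "$1") || return 1
    readlink -f "$p"
}

# Classify a file as "elf", "script" or "other" from its first bytes.
file_kind() {
    local magic
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        7f454c46) echo elf ;;      # \x7f E L F
        2321*)    echo script ;;   # "#!" shebang
        *)        echo other ;;
    esac
}

# Tell a profile author what the command really is. A wrapper script is
# not covered by a profile attached to the binary, and if the wrapper
# passes LD_PRELOAD, the exec rule must not scrub the environment.
profile_hint() {
    local target kind
    target=$(resolve_cmd "$1") || { echo "not found"; return 1; }
    kind=$(file_kind "$target")
    if [ "$kind" = script ] && grep -q 'LD_PRELOAD' "$target"; then
        echo "$target: wrapper script sets LD_PRELOAD; exec the binary with px, not Px"
    elif [ "$kind" = script ]; then
        echo "$target: wrapper script; the binary it starts needs its own profile"
    else
        echo "$target: $kind"
    fi
}
```

Run `profile_hint acroread` (or any other command name) before aa-genprof to see whether the profile will attach to a wrapper or to the real binary.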
