Mailinglist Archive: opensuse-factory (1029 mails)

Re: [opensuse-factory] Let's keep acroread for pure reasons of usability. - using AA on acroread
  • From: "Carlos E. R." <robin.listas@xxxxxxxxxxxxxx>
  • Date: Fri, 8 Nov 2013 14:34:24 +0100 (CET)
  • Message-id: <alpine.LNX.2.00.1311081425200.19793@Telcontar.valinor>

On Friday, 2013-11-08 at 13:41 +0100, Christian Boltz wrote:

Now that I think, the YaST AppArmor wizard has disappeared, so it is
more difficult to adjust profiles.

Hmm, I didn't check the YaST module for a long time (I never use it),
but the changelog says you are right:

* Mo Aug 19 2013 jreidinger@xxxxxxxx
- fix broken dialog in edit profiles
- drop reporting and profile generation tools (FATE#308684,308683)

Needless to say that both FATE entries are non-public :-( which means I
don't know any details why this was done. The only thing I know is that
the changelog entry is partly wrong - the "reporting" part was already
disabled in 2011 because of upstream changes.

In the remaining part, I even found a crash :-( (-> bug 849571)


That said - you don't need YaST to update the profiles ;-) - the
commandline tools work as well as always.

To update an existing profile, run aa-logprof
It will ask you in the same way YaST did, the only difference is that
you need to use your keyboard instead of your mouse ;-)

I'll try... never used those, as far as I remember.

New profiles can be created with aa-genprof.

Note: the profile only covers the binary, not the wrapper script.

Which is that?

That's easy to find out ;-)

# which acroread
# ls -l `which acroread`
(and then follow the symlink)

Ah, ok, I understand.

cer@Telcontar:~> file /usr/lib/Adobe/Reader9/bin/acroread
/usr/lib/Adobe/Reader9/bin/acroread: POSIX shell script, ASCII text executable

I didn't realise there was a script involved. And the script is provided by openSUSE, because I see references to bugzillas in it. So, in order to install adobe from "upstream", I would still need to keep the script from a previous install. :-(

Hum... the script says copyright by Adobe... I don't understand.

Or just run aa-genprof acroread to create a profile ;-)
Note: AFAIK the wrapper script uses LD_PRELOAD when starting the real
binary, which means you should _not_ clean the environment when the
binary is executed ("px" instead of "Px" in the profile)


That all said: The most secure solution is of course to use a maintained
PDF reader like Okular, but if you really _have to_ use acroread for
some reason, it's more secure (or should I say less exploitable) with an
AppArmor profile.

Oh, yes. I seldom use acroread, in fact.

If the danger is in the Firefox plugin, for instance, that can be
removed with less trouble.

Indeed, just zypper rm acroread-browser-plugin

I'd strongly recommend to do that (guess who split off this
subpackage, and why... ;-)

No idea...

You can blame me for the subpackage ;-)


--
Cheers,
Carlos E. R.
(from 12.3 x86_64 "Dartmouth" at Telcontar)
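
The lookup described in the message (`which`, follow the symlink, `file`) written as one shell function, extended to check whether the resolved file is a wrapper script that mentions LD_PRELOAD and so needs "px" rather than "Px" for the real binary. This is an added example, not part of the original mail or of any openSUSE package; the function name `profile_target`, its output format and the LD_PRELOAD grep heuristic are assumptions made here.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the mail or the package).
# Prints "<resolved path> <binary|script> <mode>" where mode is:
#   px  wrapper script references LD_PRELOAD: keep the environment
#   Px  wrapper script without LD_PRELOAD: environment scrubbing is fine
#   -   plain binary, no wrapper transition to decide on
profile_target() {
    cmd=$1
    # Accept either a path or a command name looked up in PATH.
    case $cmd in
        */*) path=$cmd ;;
        *)   path=$(command -v "$cmd") || return 1 ;;
    esac
    # Follow every symlink, as "ls -l `which cmd`" does by hand.
    real=$(readlink -f "$path") || return 1
    [ -f "$real" ] || return 1
    # A "#!" first line marks a script; anything else is treated as a binary.
    if [ "$(head -c 2 "$real")" = '#!' ]; then
        kind=script
        # Heuristic: a wrapper that sets LD_PRELOAD breaks if AppArmor
        # scrubs the environment on exec ("Px"), so suggest "px".
        if grep -q 'LD_PRELOAD' "$real"; then
            mode=px
        else
            mode=Px
        fi
    else
        kind=binary
        mode=-
    fi
    printf '%s %s %s\n' "$real" "$kind" "$mode"
}

# Stand-alone use: sh profile_target.sh acroread
if [ $# -gt 0 ]; then
    profile_target "$1"
fi
```

A "script" result also means that aa-genprof run against the command name profiles the wrapper, so the real binary it starts needs its own rule or profile.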
