When saving a copy save dialog cannot create directory on nfs share (due to apparmor)

Bug #1889091 reported by 1448412
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| evince (Ubuntu) | Confirmed | Low | Unassigned | |

Bug Description

Hi,

I stumbled upon a weird oddity with evince...

# Steps creating the problem

1. I downloaded a pdf document from the internet using firefox.
2. Firefox offered to open the pdf in a document reader
3. Evince opened and displayed the pdf (correctly)
4. I used the hamburger menu and choose "Speichern unter" ("save as")
5. Filedialog opened. I navigated to an nfs mounted directory.
6. I ordered "Ordner anlegen" ("create folder") via the + symbol
7. I am prompted for the name of the new folder
8. It says: "Der Ordner kann nicht angelegt werden -- Fehler beim Erstellen des Ordners <...> Keine Berechtigung" ("The folder cannot be created - Error creating the folder -- Not Authorized")
9. If I go to the terminal and mkdir the folder is created all right. (I expected that the directory would be created -- if chmod is set correctly and the shell can do it evince should also be able to do it...)

# More info

My `/etc/fstab` reads as follows:

```
# /etc/fstab: static file system information.
#
# <file sys> <mount point> <type> <options> <dump> <pass>

192.168.178.52:/home /nfs nfs noauto,user,exec 0 0
<...>
```

192.168.178.52 (nathan) uses the kernel-nfs-server and the following `/etc/exports`-file:
```
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
# Example for NFSv2 and NFSv3:
# /srv/homes hostname1(rw,sync,no_subtree_check) hostname2(ro,sync,no_subtree_check)
#
# Example for NFSv4:
# /srv/nfs4 gss/krb5i(rw,sync,fsid=0,crossmnt,no_subtree_check)
# /srv/nfs4/homes gss/krb5i(rw,sync,no_subtree_check)
#
# /etc/exports: the access control list for filesystems which may be exported
# to NFS clients. See exports(5).
#
/home/ *(rw,sync,insecure,no_root_squash)
<...>
```

Which is surely not too strict but rather too permissive... :o/

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: evince 3.36.5-0ubuntu1
ProcVersionSignature: Ubuntu 5.4.0-42.46-generic 5.4.44
Uname: Linux 5.4.0-42-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.3
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: Budgie:GNOME
Date: Mon Jul 27 16:12:17 2020
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=de_DE.UTF-8
 SHELL=/bin/zsh
SourcePackage: evince
UpgradeStatus: No upgrade log present (probably fresh install)

Sebastien Bacher (seb128) wrote :

Thank you for your bug report. The fileselector is from GTK, it should have the same issue in other applications unless it's the apparmor profile blocking the access ... could you do

$ journalctl -f

try to create the directory and copy any warning or error printed in the log?

Changed in evince (Ubuntu):
importance: Undecided → Low
status: New → Incomplete
Sebastien Bacher (seb128) wrote :

you could also try disabling the apparmor profile with

$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.evince

1448412 (uli-rgbg) wrote : Re: [Bug 1889091] Re: When saving a copy save dialog cannot create directory on nfs share

Hi Sebastien,

thanks for your help!

Yeah, you're right to the spot! It seems to be an apparmor issue...

sudo journalctl -f says:

```
-- Logs begin at Sun 2020-07-05 15:29:58 CEST. --
Jul 28 10:17:43 Edgar audit[51782]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/nfs/ulrich/Desktop/.DS_Store" pid=51782 comm="pool-evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 28 10:17:43 Edgar audit[51782]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/nfs/ulrich/Desktop/._.DS_Store" pid=51782 comm="pool-evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 28 10:17:46 Edgar audit[51782]: AVC apparmor="DENIED" operation="mkdir" profile="/usr/bin/evince" name="/nfs/ulrich/Desktop/test/" pid=51782 comm="evince" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 28 10:18:06 Edgar systemd[1]: systemd-hostnamed.service: Succeeded.
Jul 28 10:19:23 Edgar budgie-panel[2798]: relevancy-backend-zg.vala:113: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.zeitgeist.Engine was not provided by any .service files
Jul 28 10:19:23 Edgar budgie-panel[2798]: relevancy-backend-zg.vala:197: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.zeitgeist.Engine was not provided by any .service files
Jul 28 10:19:27 Edgar sudo[51967]: pam_unix(sudo:auth): Couldn't open /etc/securetty: Datei oder Verzeichnis nicht gefunden
Jul 28 10:19:30 Edgar sudo[51967]: pam_unix(sudo:auth): Couldn't open /etc/securetty: Datei oder Verzeichnis nicht gefunden
Jul 28 10:19:30 Edgar sudo[51967]: kevin : TTY=pts/1 ; PWD=/home/kevin/mnt ; USER=root ; COMMAND=/usr/bin/journalctl -f
Jul 28 10:19:30 Edgar sudo[51967]: pam_unix(sudo:session): session opened for user root by (uid=0)
Jul 28 10:20:21 Edgar wpa_supplicant[1209]: wlp58s0: WPA: Group rekeying completed with e8:df:70:31:e9:67 [GTK=CCMP]
```

Thanks and best regards,

Ulrich.

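An added example, not part of the original report: a small Python parser that pulls the AppArmor `DENIED` records out of journal text like the excerpt above and groups them by profile, operation and denied access, which makes the `mkdir`/create denial stand out from the unrelated noise. The function names `parse_avc` and `summarize` are hypothetical; the sample lines are taken from the log in this report, plus one constructed line with a hex-encoded `name` field.

```python
import re
from collections import defaultdict

# Sample input: lines re-joined from the journal excerpt in this report.
SAMPLE = """\
Jul 28 10:17:43 Edgar audit[51782]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/nfs/ulrich/Desktop/.DS_Store" pid=51782 comm="pool-evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 28 10:17:43 Edgar audit[51782]: AVC apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="/nfs/ulrich/Desktop/._.DS_Store" pid=51782 comm="pool-evince" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jul 28 10:17:46 Edgar audit[51782]: AVC apparmor="DENIED" operation="mkdir" profile="/usr/bin/evince" name="/nfs/ulrich/Desktop/test/" pid=51782 comm="evince" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Jul 28 10:18:06 Edgar systemd[1]: systemd-hostnamed.service: Succeeded.
"""
# Constructed line: audit records can carry a path as bare hex when it
# contains characters such as spaces (here "/nfs/a b/").
HEX_LINE = ('audit[1]: AVC apparmor="DENIED" operation="mkdir" '
            'profile="/usr/bin/evince" name=2F6E66732F6120622F '
            'requested_mask="c" denied_mask="c"')

KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
MASK = {"r": "read", "w": "write", "a": "append", "c": "create",
        "d": "delete", "x": "execute", "m": "mmap-exec", "k": "lock", "l": "link"}

def parse_avc(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, quoted, bare in KV.findall(line):
        if bare and key in ("name", "comm", "profile"):
            try:  # unquoted string fields are hex-encoded
                bare = bytes.fromhex(bare).decode("utf-8", "replace")
            except ValueError:
                pass
        fields[key] = quoted or bare
    return fields

def summarize(text):
    """Group denied paths by (profile, operation, human-readable access)."""
    groups = defaultdict(set)
    for line in text.splitlines():
        f = parse_avc(line)
        if f is None:
            continue
        access = "+".join(MASK.get(ch, ch) for ch in f.get("denied_mask", ""))
        groups[(f.get("profile"), f.get("operation"), access)].add(f.get("name"))
    return {k: sorted(v) for k, v in groups.items()}

if __name__ == "__main__":
    for (profile, op, access), paths in summarize(SAMPLE).items():
        print(f"{profile}: {op} ({access}) denied on {', '.join(paths)}")
```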

1448412 (uli-rgbg) wrote :

Hello Sebastien,

as soon as I issue

$ sudo apparmor_parser -R /etc/apparmor.d/usr.bin.evince

evince can create directories again! I did not even have to restart
evince...

Best regards,

Ulrich


Sebastien Bacher (seb128) wrote :

Great, I'm not sure what's the right fix but if you want to just disable the apparmor profile for evince you can symlink /etc/apparmor.d/usr.bin.evince in /etc/apparmor.d/disable

Changed in evince (Ubuntu):
status: Incomplete → New
status: New → Confirmed
summary: - When saving a copy save dialog cannot create directory on nfs share
+ When saving a copy save dialog cannot create directory on nfs share (due
+ to apparmor)
Seth Arnold (seth-arnold) wrote :

That'll change evince's profile but leave everything else that uses @{HOME} broken.

Edit /etc/apparmor.d/tunables/home.d/site.local to match your local configuration for home directory storage, and then run sudo apparmor_parser --replace /etc/apparmor.d/ -- this will reload the system-managed profiles but not profiles managed by other services. (A reboot will reload whatever ought to be reloaded at boot, but that might be inconvenient.)

Thanks

Sebastien Bacher (seb128) wrote :

@Seth, thanks, it sounded like from the description that the nfs mount isn't the userdir, just another location available on the system, is the tweak you suggest still right in that context?

Seth Arnold (seth-arnold) wrote :

Sebastien, it's hard to be confident one way or another; @{HOME} was indeed written with the usual assumptions around home directories and it is likely to be used that way in profiles, written both by AppArmor upstream, Debian, Ubuntu, and whatever else profiles may be installed and in use.

I'm sorry I can't be definitive, but it'd probably take a lot more context to be sure.

Thanks
