app profile rules cannot be deleted once app package has been removed from system

Bug #407810 reported by Brewster Malevich
This bug affects 1 person
Affects        Status         Importance   Assigned to        Milestone
ufw            Fix Released   Medium       Jamie Strandboge
ufw (Ubuntu)   Fix Released   Medium       Jamie Strandboge

Bug Description

Binary package hint: ufw

On Ubuntu Server 9.04 (I suppose this would apply to any Ubuntu install up to 9.04, but have not tested this):

(0) enable ufw
(1) install (for example) package 'samba' and all of its dependencies.
(2) run command: sudo ufw allow Samba
(3) uninstall samba packages

The result is that the app rule added to ufw cannot be deleted or modified through the command line.

Solution: Install 'samba' packages again, delete the app rule from ufw, and ~then~ remove the package 'samba'.

This seems a bit flawed, perhaps we could have some way to remove ufw rules after a package has been removed...? I think we may be taking too much liberty by making an 'app rule deletion' automatic.

tags: added: apt package ufw uninstall
summary: - app profiles cannot be removed once app package has been removed from
- computer
+ app profile rules cannot be deleted once app package has been removed
+ from system
Andreas Olsson (andol) wrote :

I can confirm this problem in Karmic and ufw 0.27.1-2.

Perhaps having application profiles in use being copied to a special cache directory might be a solution.

Changed in ufw (Ubuntu):
status: New → Confirmed
description: updated
Jamie Strandboge (jdstrand) wrote :

Thank you for using Ubuntu and taking the time to report a bug. I can confirm this. I think removing the rule automatically is the wrong way to go. For example, someone has apache2 installed and uses the app rule. Then, at some later point, they install boa, which uninstalls apache but does not supply an app profile. Removing the rule automatically would break this setup.

The best thing is to simply allow the removal of the rule even if the profile doesn't exist. I think it worked this way in intrepid (I need to check) and regressed in a later version.

Changed in ufw (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Medium
status: Confirmed → Triaged
Jamie Strandboge (jdstrand) wrote :

This was introduced when fixing bug #263757. I'll fix this for Karmic and 0.29. 9.04 users can work around this by editing /var/lib/user*.rules by hand and deleting the stanza (i.e. the tuple and corresponding rules) for the deleted app rule, then reloading the firewall.

Changed in ufw (Ubuntu):
status: Triaged → In Progress
Changed in ufw:
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Medium
status: New → In Progress
Changed in ufw:
status: In Progress → Fix Committed
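
The manual workaround described in the comment above, sketched as an added example (not code from ufw or from the commenter): it drops every stanza whose tuple line names a given profile. The `### tuple ###` layout and field order used here, the function name, and the sample file are assumptions constructed for illustration; compare them with your own user*.rules file before relying on it.

```python
# Constructed sample of a ufw user*.rules file (layout is an assumption).
SAMPLE_RULES = """\
*filter
:ufw-user-input - [0:0]
### RULES ###

### tuple ### allow tcp 22 0.0.0.0/0 any 0.0.0.0/0
-A ufw-user-input -p tcp --dport 22 -j ACCEPT

### tuple ### allow udp 137,138 0.0.0.0/0 any 0.0.0.0/0 Samba -
-A ufw-user-input -p udp -m multiport --dports 137,138 -j ACCEPT

### tuple ### allow tcp 139,445 0.0.0.0/0 any 0.0.0.0/0 Samba -
-A ufw-user-input -p tcp -m multiport --dports 139,445 -j ACCEPT

### END RULES ###
COMMIT
"""

TUPLE = "### tuple ###"


def drop_app_stanzas(text, app):
    """Return (new_text, removed_tuples) with every stanza for `app` removed.

    A stanza is a tuple comment line plus the rule lines that follow it,
    up to the next line starting with '###'.
    """
    kept, removed, skipping = [], [], False
    for line in text.splitlines(keepends=True):
        if line.startswith(TUPLE):
            fields = line[len(TUPLE):].split()
            # Assumed field order: action proto dport dst sport src [dapp sapp]
            skipping = app in fields[6:8]
            if skipping:
                removed.append(line.strip())
        elif line.startswith("###"):
            # Any other marker (e.g. "### END RULES ###") ends the stanza.
            skipping = False
        if not skipping:
            kept.append(line)
    return "".join(kept), removed


if __name__ == "__main__":
    new_text, removed = drop_app_stanzas(SAMPLE_RULES, "Samba")
    print("removed stanzas:", *removed, sep="\n  ")
    print(new_text)
```

Run it against a copy of the rules file, review the list of removed tuples, and only then replace the original and reload the firewall as the comment describes.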
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ufw - 0.29-0ubuntu1

---------------
ufw (0.29-0ubuntu1) karmic; urgency=low

  * new upstream release:
    - adds egress filtering support (LP: #382932)
    - new translations
    - new man page: ufw-framework.8
    - new check-requirements to help debug systems with custom kernels
    - fixes deletion of non-existent application rules (LP: #407810)
  * Debconf translation updates:
    - Galician (thanks to Marce Villarino. closes: #538383)
    - Japanese (thanks to Hideki Yamane. closes: #539595)
    - Italian (thanks to Luca Monducci. closes: #540204)
    - Portuguese (thanks to Américo Monteiro. closes: #538908)
    - Basque (thanks to Piarres Beobide. closes: #539077)
    - Czech (thanks to Michal Simunek)
    - Slovak (thanks to Ivan Masár. closes: #534450)
    - Swedish (thanks to Martin Bagge. closes: #538336)
    - verify/update the above to fix typo in template (closes: #534231)
  * debian/rules: install tests/check-requirements into /usr/share/ufw
  * update ucf md5sums for before.rules and before6.rules
  * remove no longer used lintian override
  * debian/dirs: remove unused /var/lib/ufw

 -- Jamie Strandboge <email address hidden> Tue, 25 Aug 2009 09:12:26 -0500

Changed in ufw (Ubuntu):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

Fixed in 0.29

Changed in ufw:
status: Fix Committed → Fix Released