Endless stream of useless audit messages from smbd

Bug #440822 reported by Jeffrey Baker
This bug affects 1 person
Affects: apparmor (Ubuntu)
Status: Won't Fix
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: samba

In karmic, samba now produces an endless stream of "audit" messages in dmesg. See dmesg.txt attached to this report. I have also taken an strace log of the process in question, and I don't see any permission denied or access errors in there.

The main problem I have with this output is it's useless. It doesn't tell me anything about the file or other object that was supposedly accessed.

ProblemType: Bug
Architecture: amd64
Date: Fri Oct 2 12:03:31 2009
DistroRelease: Ubuntu 9.10
NonfreeKernelModules: fglrx
Package: samba 2:3.4.0-3ubuntu4
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-11.36-generic
SourcePackage: samba
Uname: Linux 2.6.31-11-generic x86_64

Chuck Short (zulcss)
affects: samba (Ubuntu) → apparmor (Ubuntu)
Jamie Strandboge (jdstrand) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. You seem to have the apparmor-profiles packages installed, and the messages you see are hex-encoded due to 'unsafe' characters in the filename. Eg:
2F617263686976652F4D757369632F44617665204272756265636B2D4A617A7A20436F6C6C656374696F6E2028646973632031292F30392047656F72676961206F6E204D79204D696E642E666C6163

is:
/archive/Music/Dave Brubeck-Jazz Collection (disc 1)/09 Georgia on My Mind.flac

You need to update your profile for smbd in /etc/apparmor.d/usr.sbin.smbd to allow access to these files. If you would prefer not to confine smbd, you may alternatively disable the profile with:
$ sudo apparmor_parser -R /etc/apparmor.d/usr.sbin.smbd
$ sudo ln -s /etc/apparmor.d/usr.sbin.smbd /etc/apparmor.d/disable/usr.sbin.smbd

The first operation unloads the profile from the kernel and the second disables the profile on boot.

Changed in apparmor (Ubuntu):
status: New → Won't Fix
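
Added example, not part of the original thread or of the AppArmor tools: a small Python parser that decodes the hex-encoded names described in the comment above and groups the affected files by profile, so the paths missing from /etc/apparmor.d/usr.sbin.smbd are readable. The sample lines are constructed, and their field layout and the NAME_FIELDS set are assumptions.

```python
import re
from collections import defaultdict

# key=value pairs; a value is either a "quoted literal" or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")
# Fields that can carry a file or profile name (assumed set for this example).
NAME_FIELDS = {"name", "profile"}

def decode_value(raw):
    """Return the readable form of one audit field value."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]  # quoted: already literal
    if HEX_RE.fullmatch(raw):
        # bare hex: the name held 'unsafe' characters and was hex-encoded
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw

def parse_line(line):
    """Parse one audit line into a dict, decoding only the name fields."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        # pid and similar numeric fields look like hex, so leave them alone
        fields[key] = decode_value(raw) if key in NAME_FIELDS else raw.strip('"')
    return fields

def paths_by_profile(lines):
    """Group the decoded file names by the profile that logged them."""
    seen = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        if "profile" in f and "name" in f:
            seen[f["profile"]].add(f["name"])
    return {prof: sorted(names) for prof, names in seen.items()}

# Constructed sample lines, not taken from the reporter's dmesg.txt.
# The first name is the path quoted in the comment above, hex-encoded here.
PAGE_PATH = ("/archive/Music/Dave Brubeck-Jazz Collection (disc 1)"
             "/09 Georgia on My Mind.flac")
SAMPLE = [
    'type=1502 audit(1254510211.100:41): operation="open" pid=2211 '
    'profile="/usr/sbin/smbd" name=' + PAGE_PATH.encode().hex().upper(),
    'type=1502 audit(1254510211.200:42): operation="open" pid=2211 '
    'profile="/usr/sbin/smbd" name="/etc/samba/smb.conf"',
]

if __name__ == "__main__":
    for prof, names in paths_by_profile(SAMPLE).items():
        print(prof)
        for n in names:
            print("   ", n)
```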
Jeffrey Baker (jwbaker) wrote :

Thanks for the information. I think you misunderstand the problem. The problem is simply the messages; samba has no trouble reading and serving the file to clients. But while it does so, it produces these numerous audit messages. That's why the messages seem spurious to me.

Changed in apparmor (Ubuntu):
status: Won't Fix → New
Jamie Strandboge (jdstrand) wrote :

I didn't misunderstand the problem. You seem to have apparmor-profiles installed. This installs a complain-mode only profile for smbd, which will allow access to the files but will complain for files not allowed in the profile. You must adjust the profile or disable it.

Changed in apparmor (Ubuntu):
status: New → Won't Fix
Jeffrey Baker (jwbaker) wrote :

I note that silly defaults are not considered bugs over at Canonical.

Jamie Strandboge (jdstrand) wrote :

This isn't a silly default. apparmor-profiles is a package in universe and is not installed by default. You must necessarily adjust the apparmor profile for it to work with your samba installation. None of the profiles in apparmor-profiles are in enforce mode. They are there for administrators to evaluate and decide if they want to use them on their machines. Feel free to adjust the profile, disable the profile or remove the package.

For more information on the different types of apparmor profiles, see https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/AppArmorProfiles.

Jeffrey Baker (jwbaker) wrote :

I didn't install apparmor-profiles, ever. It got dragged in at some point by ntp or bind9. So you see your logic is not really true. I get the annoying behavior through no doing of my own.
