Ubuntu

sshd profile does not work out-of-the-box

Reported by Joseph Mark Jarvis on 2008-05-08
This bug affects 2 people
Affects: AppArmor (importance Medium, unassigned)
Affects: apparmor (Ubuntu) (importance Low, unassigned)

Bug Description

Binary package hint: apparmor-profiles

The apparmor profile for sshd provided by the apparmor-profiles package does not work out-of-the-box. Looking over syslog, it appears there are seven types of audit entries (one of each follows). Until this is fixed, the usr.sbin.sshd file in apparmor-profiles should have "flags=(complain)" added to it.

May 8 08:23:26 darwin kernel: [136857.839011] audit(1210249406.803:56): type=1502 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/etc/default/locale" pid=21377 profile="/usr/sbin/sshd" namespace="default"

May 8 08:23:29 darwin kernel: [136860.663589] audit(1210249409.633:71): type=1502 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/etc/default/locale" pid=21377 profile="/usr/sbin/sshd" namespace="default"

May 8 08:23:26 darwin kernel: [136857.842204] audit(1210249406.803:58): type=1502 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/proc/filesystems" pid=21375 profile="/usr/sbin/sshd" namespace="default"

May 8 08:23:26 darwin kernel: [136857.839817] audit(1210249406.803:57): type=1502 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/proc/filesystems" pid=21377 profile="/usr/sbin/sshd" namespace="default"

May 8 09:33:21 darwin kernel: [141051.379421] audit(1210253601.703:83): type=1502 operation="file_lock" requested_mask="k::" denied_mask="k::" name="/var/log/wtmp" pid=21412 profile="/usr/sbin/sshd" namespace="default"

May 8 08:23:26 darwin kernel: [136857.837856] audit(1210249406.803:55): type=1502 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/var/run/motd" pid=21377 profile="/usr/sbin/sshd" namespace="default"

May 8 09:59:43 darwin kernel: [142632.555690] audit(1210255183.393:84): type=1502 operation="file_lock" requested_mask="k::" denied_mask="k::" name="/var/run/utmp" pid=21412 profile="/usr/sbin/sshd" namespace="default"
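Denial lines like the seven above are the raw material a profile maintainer turns into rules, which is what aa-logprof automates. The following is an added example, not part of the bug report or of apparmor-utils: it parses both the old audit(...) format quoted in the description and the later type=APPARMOR_DENIED format quoted further down the thread, merges the denied permission letters per profile and path, and prints candidate file rules. It assumes the colon-separated mask fields ("r::", "::r") can be collapsed to their letters, and its output is a starting point for review rather than something to apply blindly (the thread itself shows the krb5.conf "w" denial should not be granted).

```python
import re
from collections import defaultdict

# Constructed sample input (added here, not from the bug's attachment): three of
# the audit(...) lines quoted in the bug description plus the later
# type=APPARMOR_DENIED line from the Kerberos comment, in their original formats.
SAMPLE_LOG = """\
May 8 08:23:26 darwin kernel: [136857.839011] audit(1210249406.803:56): type=1502 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/etc/default/locale" pid=21377 profile="/usr/sbin/sshd" namespace="default"
May 8 08:23:29 darwin kernel: [136860.663589] audit(1210249409.633:71): type=1502 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/etc/default/locale" pid=21377 profile="/usr/sbin/sshd" namespace="default"
May 8 09:33:21 darwin kernel: [141051.379421] audit(1210253601.703:83): type=1502 operation="file_lock" requested_mask="k::" denied_mask="k::" name="/var/log/wtmp" pid=21412 profile="/usr/sbin/sshd" namespace="default"
type=APPARMOR_DENIED msg=audit(1233663334.360:7469): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/etc/krb5.conf" pid=17575 profile="/usr/sbin/sshd"
"""

# key="value" pairs as they appear in both log formats (unquoted fields such as
# type=1502 or fsuid=0 are deliberately ignored)
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Display order for permission letters (assumption: read, write, append, lock, ...)
PERM_ORDER = "rwalkmx"


def parse_denials(log_text):
    """Yield (profile, path, perms) for every file denial in the log text."""
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "denied_mask" not in fields or "name" not in fields:
            continue  # not a file-access denial (e.g. a profile-load status line)
        # Old kernels split the mask into colon-separated fields ("r::", "::r");
        # the permission letters are what matters, so drop the separators.
        perms = set(fields["denied_mask"].replace(":", ""))
        yield fields["profile"], fields["name"], perms


def suggest_rules(log_text):
    """Merge denials per profile and path into AppArmor-style file rules."""
    merged = defaultdict(lambda: defaultdict(set))
    for profile, path, perms in parse_denials(log_text):
        merged[profile][path] |= perms
    rules = {}
    for profile, paths in merged.items():
        rules[profile] = [
            "  %s %s," % (path, "".join(sorted(paths[path], key=PERM_ORDER.find)))
            for path in sorted(paths)
        ]
    return rules


if __name__ == "__main__":
    for profile, lines in suggest_rules(SAMPLE_LOG).items():
        print("%s {" % profile)
        print("\n".join(lines))
        print("}")
```

Each suggested rule should be checked against what the program is actually doing at that point; a denial on an access(2) probe, as discussed later in this thread, is a case for a deny rule or no rule at all.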

Jürgen Kreileder (jk) wrote :

AFAIK Ubuntu's sshd doesn't have the change_hat patch. That makes confining somewhat useless.

Timo Aaltonen (tjaalton) wrote :

Moving to openssh, since the patch is needed there?

(I'm currently evaluating apparmor, so would like to confine sshd)

Timo Aaltonen (tjaalton) wrote :

And back to apparmor... The profile does need some changes, but no modifications to openssh AIUI. Here's what I had to add:

  /etc/default/locale r,
  /var/cache/nscd/group r,
  /var/cache/nscd/passwd r,
  /etc/selinux/config r,
  /etc/selinux/default/seusers r,
  /etc/krb5.conf r,
  /etc/krb5.keytab k,
  /proc/filesystems r,
  /var/tmp/host_* rw,
  /var/run/motd r,
  /bin/dash Ux,
  /bin/zsh4 Ux,
  /tmp/krb5cc_* wk,
  capability dac_override,

Some of those should probably be in abstractions/*.

Changed in openssh:
importance: Undecided → Low
status: New → Confirmed

Timo Aaltonen (tjaalton) wrote :

Sorry, openssh tries to open krb5.conf with a 'w::' mask for some reason, so in order to avoid these messages

type=APPARMOR_DENIED msg=audit(1233663334.360:7469): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/etc/krb5.conf" pid=17575 profile="/usr/sbin/sshd"

it should have rw. 'r' is already set in abstractions/kerberosclient.

Seth Arnold (seth-arnold) wrote :

I disagree with Timo's assessment; the attempt to write to /etc/krb5.conf is from an access(2) check to _see_ if the file is writable. If the file _is_ writable, then the sshd server knows Kerberos is mis-configured and will _fail_. Of course, most of the time, the standard Unix DAC checks will forbid the write access, and sshd continues normally.

Perhaps abstractions/kerberosclient should be amended to have a deny rule for /etc/krb5.conf w, to silence this needless noise.

Sadly, the kernel LSM design doesn't allow LSM modules to know the difference between open("file", O_RDWR) and access("file", R_OK|W_OK); both result in the same call to an LSM module. (Which makes a certain amount of sense, but does mean polluting profiles with explicit 'deny' rules on access() checks done for safety's sake.)

Simon Déziel (sdeziel) wrote :

I'm not using Kerberos here but I found the profiles from apparmor-profiles to still lack a few bits in Precise. I've attached the patch to get a working profile. The only thing that didn't work in my testing is SFTP when using "Subsystem sftp internal-sftp".

The attachment "Add missing capabilities/rules for usr.sbin.sshd" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch

Steve Beattie (sbeattie) wrote :

Simon,

Thanks for the patch to the sshd profile. After reviewing it and updating it to take into account of a couple of upstream changes to the profile, I've applied it to lp:apparmor, and will be included in the next major AppArmor release. It should also make it into Ubuntu 13.04.

Thanks!

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Committed
status: Fix Committed → Triaged

Changed in apparmor:
status: New → Fix Committed
importance: Undecided → Medium

Steve Beattie (sbeattie) on 2014-04-11
Changed in apparmor:
milestone: none → 2.9.0

Steve Beattie (sbeattie) wrote :

This has been fixed in Ubuntu in the pending 14.04 LTS release.

Changed in apparmor (Ubuntu):
status: Triaged → Fix Released