abstractions/smbpass missing entry for /var/lib/samba/*.ldb

Bug #357581 reported by Thierry Carrez on 2009-04-08
Affects: apparmor (Ubuntu) | Importance: Undecided | Assigned to: Unassigned
Affects: Intrepid | Importance: Undecided | Assigned to: Unassigned

Bug Description

Binary package hint: apparmor

Since 3.2 Samba makes use of LDB files in /var/lib/samba, most notably /var/lib/samba/group_mapping.ldb.

The /etc/apparmor.d/abstractions/smbpass file only allows access to /var/lib/samba/*.tdb files.

This results in the following cupsd audit logs:

kern.log:Apr 7 09:01:08 computername kernel: [325343.343568] type=1503 audit(1239087668.380:6): operation="inode_permission" requested_mask="rw::" denied_mask="rw::" fsuid=0 name="/var/lib/samba/group_mapping.ldb" pid=8300 profile="/usr/sbin/cupsd"

Note that this seems to be the root cause of another issue, the corruption of secrets.tdb with "ltdb: tdb((null)): tdb_open_ex: could not open file /var/lib/samba/group_mapping.ldb: Permission denied" messages that ultimately results in pam_smbpass.so segfaults locking the user out. This issue started to be reported in intrepid (which shipped 3.2) and seems to only affect Ubuntu (and to a lesser extent Debian) systems - that would make sense if it's a cupsd/apparmor-induced thing. See bug 292791, bug 303458 (and specifically the duplicate bug 356851) for more details on that.

Changed in apparmor (Ubuntu):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3+1289-0ubuntu14

---------------
apparmor (2.3+1289-0ubuntu14) jaunty; urgency=low

  * abstractions/smbpass: Add *.ldb used in Samba 3.2 and above (LP: #357581)

 -- Thierry Carrez <email address hidden> Wed, 08 Apr 2009 13:42:21 +0200

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released

On Wed, Apr 08, 2009 at 08:58:09AM -0000, Thierry Carrez wrote:
> Note that this seems to be the root cause of another issue, the
> corruption of secrets.tdb with "ltdb: tdb((null)): tdb_open_ex: could
> not open file /var/lib/samba/group_mapping.ldb: Permission denied"
> messages that ultimately results in pam_smbpass.so segfaults locking the
> user out. This issue started to be reported in intrepid (which shipped
> 3.2) and seems to only affect Ubuntu (and to a lesser extent Debian)
> systems - that would make sense if it's a cupsd/apparmor-induced thing.
> See bug 292791, bug 303458 (and specifically the duplicate bug 356851)
> for more details on that.

While it's a good thing that the apparmor abstraction was fixed, it
seems to me that there are still bugs here; whatever is corrupting
secrets.tdb should not be doing so if it does not have access to
/var/lib/samba/group_mapping.ldb, nor should pam_smbpass.so be segfaulting
if secrets.tdb is corrupt.

--
Steve Beattie
<email address hidden>
http://NxNW.org/~steve/

pixeldoc (pixeldoc) wrote :

Ubuntu Intrepid 8.10 is affected (at least if using CUPS via Samba...)

/var/log/messages:
Jan 18 19:58:39 foo-srv cupsd: pam_sm_authenticate: Called
Jan 18 19:58:39 foo-srv cupsd: pam_sm_authenticate: username = [foo]
Jan 18 19:58:39 foo-srv cupsd: Error attempting to parse .ecryptfsrc file; rc = [-5]
Jan 18 19:58:39 foo-srv cupsd: Unable to read salt value from user's .ecryptfsrc file; using default
Jan 18 19:58:43 foo-srv kernel: [2945243.383955] type=1503 audit(1263841123.274:2033): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/home/foo/.ecryptfs/wrapped-passphrase" pid=20122 profile="/usr/sbin/cupsd"
Jan 18 19:58:43 foo-srv kernel: [2945243.648055] type=1503 audit(1263841123.534:2034): operation="inode_permission" requested_mask="rw::" denied_mask="rw::" fsuid=0 name="/var/lib/samba/group_mapping.ldb" pid=17608 profile="/usr/sbin/cupsd"
Jan 18 19:58:43 foo-srv kernel: [2945243.653133] type=1503 audit(1263841123.544:2035): operation="inode_permission" requested_mask="rw::" denied_mask="rw::" fsuid=0 name="/var/lib/samba/group_mapping.ldb" pid=17608 profile="/usr/sbin/cupsd"

/var/log/cups/error_log:
ltdb: tdb((null)): tdb_open_ex: could not open file /var/lib/samba/group_mapping.ldb: Permission denied
Unable to open tdb '/var/lib/samba/group_mapping.ldb'
Failed to connect to '/var/lib/samba/group_mapping.ldb'
ltdb: tdb((null)): tdb_open_ex: could not open file /var/lib/samba/group_mapping.ldb: Permission denied
Unable to open tdb '/var/lib/samba/group_mapping.ldb'
Failed to connect to '/var/lib/samba/group_mapping.ldb'

No corruption in /var/lib/samba/secrets.tdb yet.

But CUPS is VERY slow, because of this access violation...

I've attached an Ubuntu 8.10 diff for apparmor_2.3+1289-0ubuntu4.
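
Added example, not part of the original report or of AppArmor's own code: a triage helper that parses the type=1503 denial lines quoted above and checks each one against the smbpass path globs before and after the fix. The two globs come from the report; the `rw` modes on the rules and the simplified reading of `denied_mask` are assumptions.

```python
import re
from collections import Counter

# Denial lines copied from the report (kernel type=1503 AppArmor audit events).
SAMPLE_LOG = """\
Jan 18 19:58:43 foo-srv kernel: [2945243.383955] type=1503 audit(1263841123.274:2033): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/home/foo/.ecryptfs/wrapped-passphrase" pid=20122 profile="/usr/sbin/cupsd"
Jan 18 19:58:43 foo-srv kernel: [2945243.648055] type=1503 audit(1263841123.534:2034): operation="inode_permission" requested_mask="rw::" denied_mask="rw::" fsuid=0 name="/var/lib/samba/group_mapping.ldb" pid=17608 profile="/usr/sbin/cupsd"
Jan 18 19:58:43 foo-srv kernel: [2945243.653133] type=1503 audit(1263841123.544:2035): operation="inode_permission" requested_mask="rw::" denied_mask="rw::" fsuid=0 name="/var/lib/samba/group_mapping.ldb" pid=17608 profile="/usr/sbin/cupsd"
"""

# Globs come from the report; the "rw" modes are an assumption for this example.
RULES_BEFORE = [("/var/lib/samba/*.tdb", "rw")]
RULES_AFTER = RULES_BEFORE + [("/var/lib/samba/*.ldb", "rw")]
KV = re.compile(r'(\w+)="([^"]*)"')

def glob_to_regex(glob):
    """AppArmor globbing: '*' and '?' stop at '/', '**' crosses directories.
    Character classes and {a,b} alternation are not handled here."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        out.append({"*": "[^/]*", "?": "[^/]"}.get(glob[i], re.escape(glob[i])))
        i += 1
    return re.compile("".join(out) + r"\Z")

def parse_denials(text):
    """Yield (profile, path, denied perms) for each type=1503 line."""
    for line in text.splitlines():
        fields = dict(KV.findall(line))
        if "type=1503" in line and all(k in fields for k in ("profile", "name", "denied_mask")):
            # Simplification: keep only the part of the mask before "::".
            yield fields["profile"], fields["name"], fields["denied_mask"].split("::")[0]

def uncovered(text, rules):
    """Count denials that no (glob, perms) rule in `rules` would permit."""
    compiled = [(glob_to_regex(g), set(p)) for g, p in rules]
    hits = Counter()
    for profile, path, perms in parse_denials(text):
        if not any(rx.match(path) and set(perms) <= ok for rx, ok in compiled):
            hits[(profile, path, perms)] += 1
    return hits

if __name__ == "__main__":
    for label, rules in (("before fix", RULES_BEFORE), ("after fix", RULES_AFTER)):
        print(label, dict(uncovered(SAMPLE_LOG, rules)))
```

With the `*.ldb` glob added, only the unrelated `.ecryptfs/wrapped-passphrase` denial remains uncovered, which separates the smbpass gap from other noise in the same cupsd profile.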

Thierry Carrez (ttx) on 2010-01-19
Changed in apparmor (Ubuntu Intrepid):
status: New → Triaged
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the report. The bug has been fixed in newer releases of Ubuntu.

Changed in apparmor (Ubuntu Intrepid):
status: Triaged → Invalid