abstractions/smbpass missing entry for /var/lib/samba/*.ldb

Bug #357581 reported by Thierry Carrez
Affects | Status | Importance | Assigned to | Milestone
apparmor (Ubuntu) | Fix Released | Undecided | Unassigned |
Intrepid | Invalid | Undecided | Unassigned |

Bug Description

Binary package hint: apparmor

Since 3.2 Samba makes use of LDB files in /var/lib/samba, most notably /var/lib/samba/group_mapping.ldb.

The /etc/apparmor.d/abstractions/smbpass file only allows access to /var/lib/samba/*.tdb files.

This results in the following cupsd audit logs:

kern.log:Apr 7 09:01:08 computername kernel: [325343.343568] type=1503 audit(1239087668.380:6): operation="inode_permission" requested_mask="rw::" denied_mask="rw::" fsuid=0 name="/var/lib/samba/group_mapping.ldb" pid=8300 profile="/usr/sbin/cupsd"

Note that this seems to be the root cause of another issue, the corruption of secrets.tdb with "ltdb: tdb((null)): tdb_open_ex: could not open file /var/lib/samba/group_mapping.ldb: Permission denied" messages that ultimately results in pam_smbpass.so segfaults locking the user out. This issue started to be reported in intrepid (which shipped 3.2) and seems to only affect Ubuntu (and to a lesser extent Debian) systems - that would make sense if it's a cupsd/apparmor-induced thing. See bug 292791, bug 303458 (and specifically the duplicate bug 356851) for more details on that.

Changed in apparmor (Ubuntu):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3+1289-0ubuntu14

---------------
apparmor (2.3+1289-0ubuntu14) jaunty; urgency=low

  * abstractions/smbpass: Add *.ldb used in Samba 3.2 and above (LP: #357581)

 -- Thierry Carrez <email address hidden> Wed, 08 Apr 2009 13:42:21 +0200

Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released
Steve Beattie (sbeattie) wrote : Re: [Bug 357581] [NEW] abstractions/smbpass missing entry for /var/lib/samba/*.ldb

On Wed, Apr 08, 2009 at 08:58:09AM -0000, Thierry Carrez wrote:
> Note that this seems to be the root cause of another issue, the
> corruption of secrets.tdb with "ltdb: tdb((null)): tdb_open_ex: could
> not open file /var/lib/samba/group_mapping.ldb: Permission denied"
> messages that ultimately results in pam_smbpass.so segfaults locking the
> user out. This issue started to be reported in intrepid (which shipped
> 3.2) and seems to only affect Ubuntu (and to a lesser extent Debian)
> systems - that would make sense if it's a cupsd/apparmor-induced thing.
> See bug 292791, bug 303458 (and specifically the duplicate bug 356851)
> for more details on that.

While it's a good thing that the apparmor abstraction was fixed, it
seems to me that there are still bugs here; whatever is corrupting
secrets.tdb should not be doing so if it does not have access to
/var/lib/samba/group_mapping.ldb, nor should pam_smbpass.so be segfaulting
if secrets.tdb is corrupt.

--
Steve Beattie
<email address hidden>
http://NxNW.org/~steve/

pixeldoc (pixeldoc) wrote :

Ubuntu Intrepid 8.10 is affected (at least if using cups via samba...)

/var/log/messages:
Jan 18 19:58:39 foo-srv cupsd: pam_sm_authenticate: Called
Jan 18 19:58:39 foo-srv cupsd: pam_sm_authenticate: username = [foo]
Jan 18 19:58:39 foo-srv cupsd: Error attempting to parse .ecryptfsrc file; rc = [-5]
Jan 18 19:58:39 foo-srv cupsd: Unable to read salt value from user's .ecryptfsrc file; using default
Jan 18 19:58:43 foo-srv kernel: [2945243.383955] type=1503 audit(1263841123.274:2033): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/home/foo/.ecryptfs/wrapped-passphrase" pid=20122 profile="/usr/sbin/cupsd"
Jan 18 19:58:43 foo-srv kernel: [2945243.648055] type=1503 audit(1263841123.534:2034): operation="inode_permission" requested_mask="rw::" denied_mask="rw::" fsuid=0 name="/var/lib/samba/group_mapping.ldb" pid=17608 profile="/usr/sbin/cupsd"
Jan 18 19:58:43 foo-srv kernel: [2945243.653133] type=1503 audit(1263841123.544:2035): operation="inode_permission" requested_mask="rw::" denied_mask="rw::" fsuid=0 name="/var/lib/samba/group_mapping.ldb" pid=17608 profile="/usr/sbin/cupsd"

/var/log/cups/error_log:
ltdb: tdb((null)): tdb_open_ex: could not open file /var/lib/samba/group_mapping.ldb: Permission denied
Unable to open tdb '/var/lib/samba/group_mapping.ldb'
Failed to connect to '/var/lib/samba/group_mapping.ldb'
ltdb: tdb((null)): tdb_open_ex: could not open file /var/lib/samba/group_mapping.ldb: Permission denied
Unable to open tdb '/var/lib/samba/group_mapping.ldb'
Failed to connect to '/var/lib/samba/group_mapping.ldb'

No corruption in /var/lib/samba/secrets.tdb yet.

But cups is VERY slow, because of this access violation...

I've attached an Ubuntu 8.10 diff for apparmor_2.3+1289-0ubuntu4.
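
The triage step behind this report, as an added example that is not part of the original bug thread or of the AppArmor package: it parses the type=1503 denials quoted above and lists the denied paths that a given set of path globs does not cover. The glob lists model only the path patterns named in the report (permissions are omitted), and the matcher is a simplified assumption about AppArmor globbing, not AppArmor's own parser.

```python
import re

# Denial records copied from the logs quoted on this page (syslog prefix trimmed).
SAMPLE_LOG = '''\
type=1503 audit(1263841123.274:2033): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=1000 name="/home/foo/.ecryptfs/wrapped-passphrase" pid=20122 profile="/usr/sbin/cupsd"
type=1503 audit(1263841123.534:2034): operation="inode_permission" requested_mask="rw::" denied_mask="rw::" fsuid=0 name="/var/lib/samba/group_mapping.ldb" pid=17608 profile="/usr/sbin/cupsd"
type=1503 audit(1263841123.544:2035): operation="inode_permission" requested_mask="rw::" denied_mask="rw::" fsuid=0 name="/var/lib/samba/group_mapping.ldb" pid=17608 profile="/usr/sbin/cupsd"
'''

# Assumption: path globs only, as named in the report; real rules also carry permissions.
SMBPASS_BEFORE = ["/var/lib/samba/*.tdb"]
SMBPASS_AFTER = SMBPASS_BEFORE + ["/var/lib/samba/*.ldb"]

FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_denials(text):
    """Return the quoted key="value" fields of each type=1503 record as a dict."""
    return [dict(FIELD.findall(line))
            for line in text.splitlines() if "type=1503" in line]


def glob_to_regex(glob):
    """Simplified AppArmor globbing: '**' may cross '/', '*' and '?' may not."""
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]*")
            i += 1
        elif glob[i] == "?":
            parts.append("[^/]")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(parts) + r"\Z")


def uncovered(denials, globs):
    """Return sorted, de-duplicated (profile, path, denied_mask) that no glob matches."""
    rules = [glob_to_regex(g) for g in globs]
    return sorted({(d["profile"], d["name"], d["denied_mask"])
                   for d in denials
                   if not any(r.match(d["name"]) for r in rules)})
```

With the `*.tdb`-only list the Samba LDB path is reported as uncovered; with the `*.ldb` glob added it drops out, while the eCryptfs path remains because it is outside these Samba globs.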

Thierry Carrez (ttx)
Changed in apparmor (Ubuntu Intrepid):
status: New → Triaged
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the report. The bug has been fixed in newer releases of Ubuntu.

Changed in apparmor (Ubuntu Intrepid):
status: Triaged → Invalid