Samba profile in Lucid prevents smbd from accessing /srv/samba

Bug #545061 reported by Yann Hamon
This bug affects 1 person
Affects: apparmor (Ubuntu)
Status: Triaged
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Binary package hint: apparmor

Official documentation for 9.10 ( https://help.ubuntu.com/9.10/serverguide/C/samba-fileserver.html ) recommends creating folders to share in /srv/samba/ - however, it seems that the apparmor profile for smbd is preventing it from accessing that folder, therefore making it impossible to share folders in that folder unless the smbd profile is turned off or in complain mode.

Maybe a warning in smb.conf about apparmor restricting the folders smbd can share would be worth it too? I can imagine quite a few people having issues sharing folders outside of /srv, not imagining apparmor would be blocking that :)

Tags: aa-policy
Jamie Strandboge (jdstrand) wrote :

Thanks for using Ubuntu and reporting a bug. The smbd profile is part of the apparmor-profiles package, which when installed sets the profile into complain mode. As such, if a user is using samba and has apparmor-profiles installed, then at worst there will be noise in the logs. We should provide a better profile for smbd, and this is on the Ubuntu Security team's roadmap: https://wiki.ubuntu.com/SecurityTeam/Roadmap#AppArmor%20Confinement

Until we ship a profile in the default Samba install, I don't think we should consider adding anything to the smb.conf file.

Changed in apparmor (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged
tags: added: aa-policy
Christian Boltz (cboltz) wrote :

openSUSE uses a script to update the smbd profile based on the samba config - with the advantage for users that it "just works"[tm] and the advantage for me that I don't get bug reports about the smbd profile anymore ;-)

Maybe Ubuntu wants to steal ;-) this script?

Jamie Strandboge (jdstrand) wrote :

Ubuntu could consider something like this, possibly by updating the file in /etc/apparmor.d/local or a tunable.
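
Added example, not part of the bug thread and not the openSUSE script: a sketch of the approach discussed in the comments above, deriving AppArmor file rules from the share paths in smb.conf so they can go into a local include. The sample config, the function names, the `rk` / `lrwk` permissions and a target file such as /etc/apparmor.d/local/usr.sbin.smbd are assumptions.

```python
import posixpath
import re

# Constructed sample smb.conf (not from the bug report). Keys are indented, as in
# many real files, so a line parser is used instead of configparser.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
[share]
   path = /srv/samba/share
[homes]
   browseable = no
[perUser]
   path = /srv/samba/users/%U
[odd]
   path = /srv/samba/a"b
"""
# Characters that would change the meaning of a quoted AppArmor path; never emitted.
UNSAFE = re.compile(r'["*?\[\]{}\\]')

def share_paths(conf_text):
    """Yield (section, path) for each non-global section that sets a path."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and section and section.lower() != "global":
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("path", "directory"):  # "directory" is a synonym
                yield section, value

def local_rules(conf_text):
    """Return (rules, skipped): AppArmor file rules and shares left for review."""
    rules, skipped = [], []
    for section, path in share_paths(conf_text):
        norm = posixpath.normpath(path)
        # smbd expands %-variables at runtime, so no static rule can match them;
        # relative paths, "/" and unsafe characters are reported, not written.
        if "%" in path or UNSAFE.search(path) or not norm.startswith("/") or norm == "/":
            skipped.append(section)
            continue
        rules += [f'"{norm}/" rk,', f'"{norm}/**" lrwk,']
    return rules, skipped

if __name__ == "__main__":
    rules, skipped = local_rules(SAMPLE_SMB_CONF)
    print("\n".join(rules))
    print("# not written, review by hand:", ", ".join(skipped))
```

Shares listed as skipped get no rule, so smbd stays confined for them until someone writes a deliberate rule by hand.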
