apparmor doesn't allow access to kerberos keytab

Bug #189022 reported by Jelmer Vernooij on 2008-02-04
Affects Status Importance Assigned to Milestone
cupsys (Ubuntu)
Jelmer Vernooij

Bug Description

  affects /ubuntu/cupsys

The default apparmor configuration file for cupsd in
/etc/apparmor.d/usr.sbin.cupsys does not allow access to any
Kerberos keytabs.

The following patch fixes it for me:

--- usr.sbin.cupsd.dpkg-dist 2008-01-10 10:20:17.000000000 +0100
+++ usr.sbin.cupsd 2007-10-29 16:27:20.000000000 +0100
@@ -102,8 +80,12 @@

   # FIXME: no policy ATM for hplip
   /usr/bin/hpijs Ux,
   /usr/lib/cups/backend/hp Ux,
   /usr/lib/cups/backend/hpfax Ux,
+ # Kerberos authentication
+ /etc/krb5.conf rw,
+ /etc/cups/krb5.keytab k,

 # separate profile since this needs to write into /home
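Review bot: The two rules added under `# Kerberos authentication` do not grant the access the description asks for. `/etc/krb5.conf rw,` gives cupsd write access to a system-wide configuration file where `r` would do, and `/etc/cups/krb5.keytab k,` carries no `r`, so even where the parser accepts `k` (the file-lock permission in AppArmor versions that have it) the daemon still cannot read the keytab. Suggest `/etc/krb5.conf r,` and an explicit `r` on the keytab rule, adding further modes only where cupsd is shown to need them. Separately, the header `@@ -102,8 +80,12 @@` starts 22 lines apart on the two sides, and the file labels show the diff runs from the packaged `.dpkg-dist` copy to an older local file, so the local profile evidently differs from the shipped one elsewhere too; regenerating the patch against the pristine profile would make it reviewable on its own.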

Till Kamppeter (till-kamppeter) wrote :

I added your patch to the AppArmor profile in the SVN repository for CUPS, so it will be added to the next cupsys package. Thank you for the patch, Jelmer.

Changed in cupsys:
importance: Undecided → Medium
milestone: none → ubuntu-8.04-beta
status: New → In Progress
Changed in cupsys:
status: In Progress → Fix Committed
Martin Pitt (pitti) wrote :

This patch does not really look valid. There is no access mode 'k', and there should be no need for cupsys to write /etc/krb5.conf. I guess the invalid mode broke the entire profile and thus your cupsys isn't covered by AppArmor at all?

I changed the package to have read-only access to /etc/krb5.conf and read-write access to /etc/cups/krb5.keytab. Please let us know if you still have problems with the version I'm going to upload within the hour.

Thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cupsys - 1.3.5-2ubuntu1

cupsys (1.3.5-2ubuntu1) hardy; urgency=low

  * debian/local/apparmor-profile: Added Kerberos authentication support
    to the AppArmor profile (LP: #189022).

cupsys (1.3.5-2) unstable; urgency=low

  [ Martin Pitt ]
  * debian/cupsys.init.d: Add Should-Start: avahi. (Closes: #459662)

  [ Till Kamppeter ]
  * debian/patches/pdftops-cups-1.4.dpatch, debian/local/filters/pdftops:
    Replaced Helge Blischke's alternative pdftops wrapper by the pdftops
    of CUPS 1.4. The old pdftops wrapper did not work with the pdftops
    filter of Poppler, the new one works with the pdftops filters of both
    Poppler and XPDF (Closes: #457810; Ubuntu LP: #182379).
  * debian/patches/web-interface-breaks-default-auth-setting.dpatch: When
    modifying server settings with the CUPS web interface, the setting
    for the default authentication got overwritten with gibberish
    (Closes: #461331; CUPS STR #2703, Ubuntu LP: #188426).
  * debian/local/backends/dnssd: Updated dnssd to filter out IPv6 entries,
    as they clutter the lists of detected printers and make the network
    printer discovery process taking more time than needed. Applied also
    a bug fix and the possibility of querying one IP address by calling
    the dnssd backend with the IP as command line argument (like the
    snmp CUPS backend).

 -- Till Kamppeter <email address hidden> Sat, 23 Feb 2008 18:01:06 +0100

Changed in cupsys:
status: Fix Committed → Fix Released
Jelmer Vernooij (jelmer) on 2010-06-30
Changed in cupsys (Ubuntu):
assignee: nobody → Jelmer Vernooij (jelmer)