apparmor rules block ejabberdctl
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ejabberd (Debian) | Fix Released | Unknown | |
ejabberd (Ubuntu) | Fix Released | Undecided | Unassigned |
Xenial | Confirmed | Undecided | Unassigned |
Bug Description
Hi,
I am just trying to install ejabberd in a fresh Ubuntu 16.04 LXD container running on a 16.10 host.
I found that I cannot run ejabberdctl directly as root:
# ejabberdctl
/usr/sbin/
strace reveals what happens:
2861 execve("/bin/su", ["su", "ejabberd", "-c", "/usr/bin/erl -sname ctl-2841-ejabberd -noinput -hidden -s ejabberd_ctl -extra ejabberd "], [/* 23 vars */]) = -1 EACCES (Permission denied)
2861 --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} ---
2861 +++ killed by SIGSEGV +++
It is not allowed to execute su to become ejabberd, because apparmor does not allow this:
[ 7827.594020] audit: type=1400 audit(148551503
But if I do it the other way round (i.e. su outside of ejabberdctl), it works:
su ejabberd -c ejabberdctl
since then the su is not covered by the apparmor profile of ejabberdctl.
Is that behaviour intended?
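Added example, not part of the bug report or the ejabberd package: a Python parser that pulls AppArmor `type=1400` audit events out of kernel log text and counts which confined profile was denied an exec of which binary, the situation the report describes. The log lines are constructed samples (the report's own audit line is truncated), the profile name `/usr/sbin/ejabberdctl` is an assumption, and the function names are hypothetical.

```python
import re
import shlex
from collections import Counter

# Constructed sample kernel log lines (NOT the truncated line from the report).
# The profile name, pids, timestamps and masks are assumptions for illustration.
SAMPLE_LOG = '''\
[  100.000001] audit: type=1400 audit(1700000000.001:101): apparmor="DENIED" operation="exec" profile="/usr/sbin/ejabberdctl" name="/bin/su" pid=2861 comm="ejabberdctl" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[  100.000002] audit: type=1400 audit(1700000000.002:102): apparmor="ALLOWED" operation="open" profile="/usr/sbin/ejabberdctl" name="/etc/ejabberd/ejabberd.yml" pid=2861 comm="ejabberdctl" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[  100.000003] audit: type=1400 audit(1700000000.003:103): apparmor="DENIED" operation="exec" profile="/usr/sbin/ejabberdctl" name="/bin/su" pid=2990 comm="ejabberdctl" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[  100.000004] EXT4-fs (sda1): mounted filesystem
[  100.000005] audit: type=1400 audit(1700000000.005:105): apparmor="DENIED" operation="ex
'''

# Matches the audit header and captures the key=value tail of the record.
AUDIT_RE = re.compile(r'audit: type=1400 audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<kv>.*)$')

def parse_apparmor_event(line):
    """Return a dict of fields for an AppArmor audit line, or None if the
    line is not an AppArmor event or is truncated mid-record."""
    m = AUDIT_RE.search(line)
    if not m:
        return None
    try:
        tokens = shlex.split(m.group('kv'))  # strips the quotes around values
    except ValueError:                       # unbalanced quote: truncated line
        return None
    fields = {}
    for token in tokens:
        key, sep, value = token.partition('=')
        if sep:
            fields[key] = value
    if 'apparmor' not in fields:
        return None
    fields['timestamp'] = float(m.group('ts'))
    return fields

def denied_execs(log_text):
    """Count DENIED exec events, keyed by (confining profile, target binary)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_apparmor_event(line)
        if ev and ev['apparmor'] == 'DENIED' and ev.get('operation') == 'exec':
            counts[(ev.get('profile'), ev.get('name'))] += 1
    return counts

if __name__ == '__main__':
    for (profile, target), n in denied_execs(SAMPLE_LOG).items():
        print(f'{n}x profile {profile} blocked exec of {target}')
```

Events logged as `ALLOWED` (complain mode) and truncated records are skipped, so only enforced exec denials are counted.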
Changed in ejabberd (Debian): status: Unknown → New
Changed in ejabberd (Debian): status: New → Confirmed
Changed in ejabberd (Debian): status: Confirmed → Fix Released
Status changed to 'Confirmed' because the bug affects multiple users.