apparmor rules block ejabberdctl

Bug #1659801 reported by Hadmut Danisch
This bug affects 5 people
Affects             Status        Importance  Assigned to  Milestone
ejabberd (Debian)   Fix Released  Unknown
ejabberd (Ubuntu)   Fix Released  Undecided   Unassigned
  Xenial            Confirmed     Undecided   Unassigned

Bug Description

Hi,

I am just trying to install ejabberd in a fresh Ubuntu 16.04 LXD container running on a 16.10 host.

I found that I cannot run ejabberdctl directly as root:

# ejabberdctl
/usr/sbin/ejabberdctl: line 428: 2886 Segmentation fault $EXEC_CMD "$CMD"

strace reveals what happens:

2861 execve("/bin/su", ["su", "ejabberd", "-c", "/usr/bin/erl -sname ctl-2841-ejabberd -noinput -hidden -s ejabberd_ctl -extra ejabberd "], [/* 23 vars */]) = -1 EACCES (Permission denied)
2861 --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} ---
2861 +++ killed by SIGSEGV +++

It is not allowed to execute su to become ejabberd, because apparmor does not allow this:

[ 7827.594020] audit: type=1400 audit(1485515038.865:156): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-ansitest_<var-lib-lxd>" profile="/usr/sbin/ejabberdctl//su" name="/bin/su" pid=12861 comm="su" requested_mask="m" denied_mask="m" fsuid=165536 ouid=165536

But if I do it the other way round (i.e. su outside of ejabberdctl), it works:

su ejabberd -c ejabberdctl

since then the su is not covered by the apparmor profile of ejabberdctl.

Is that behaviour intended?

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ejabberd (Ubuntu):
status: New → Confirmed
Blue Duck (blueduck) wrote :

Hi,

Just same issue here.

Tried to stop and disable apparmor, reboot... same segmentation fault.

Kees Cook (kees) wrote :

Add "m" to /etc/apparmor.d/usr.sbin.ejabberdctl's "su" subprofile on /bin/su line:

                /bin/su rm,
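
A small parser, added here as an example (not code from this report or from the ejabberd package), that reads the dmesg denials quoted in this bug and extends a file rule with the permission letters AppArmor says were denied; the starting rule "/bin/su r," is an assumption about what the su subprofile contained before the fix.

```python
import re

# key="value" fields of an AppArmor audit record as printed by dmesg
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# The two denials quoted in this report (copied from the dmesg excerpts).
DENIALS = [
    '[ 7827.594020] audit: type=1400 audit(1485515038.865:156): apparmor="DENIED" '
    'operation="file_mmap" namespace="root//lxd-ansitest_<var-lib-lxd>" '
    'profile="/usr/sbin/ejabberdctl//su" name="/bin/su" pid=12861 comm="su" '
    'requested_mask="m" denied_mask="m" fsuid=165536 ouid=165536',
    '[413761.100538] audit: type=1400 audit(1560125582.853:33): apparmor="DENIED" '
    'operation="file_mmap" profile="/usr/sbin/ejabberdctl//su" name="/bin/su" '
    'pid=5366 comm="su" requested_mask="m" denied_mask="m" fsuid=0 ouid=0',
]


def parse_denial(line):
    """Return the quoted fields of an apparmor="DENIED" record, else None."""
    fields = dict(FIELD_RE.findall(line))
    return fields if fields.get("apparmor") == "DENIED" else None


def merge_file_rule(existing_rule, fields):
    """'/bin/su r,' plus a denial with denied_mask="m" -> '/bin/su rm,' (the fix above)."""
    # Only file operations map onto file-rule letters; other paths are not ours.
    if not fields.get("operation", "").startswith("file_"):
        return None
    path, perms = existing_rule.rstrip(",").split()
    if path != fields.get("name"):
        return None
    for letter in fields.get("denied_mask", ""):
        if letter not in perms:
            perms += letter  # keep the profile's order, append what is missing
    return f"{path} {perms},"


def suggest_fixes(lines, existing_rule="/bin/su r,"):
    """Map (profile, path) from the denials to the merged rule; the default rule is assumed."""
    fixes = {}
    for line in lines:
        fields = parse_denial(line)
        rule = merge_file_rule(existing_rule, fields) if fields else None
        if rule:
            fixes[(fields["profile"], fields["name"])] = rule
    return fixes


if __name__ == "__main__":
    for (profile, path), rule in suggest_fixes(DENIALS).items():
        print(f"{profile}: {rule}")  # /usr/sbin/ejabberdctl//su: /bin/su rm,
```

The profile key is the su subprofile ("//su"), which is why the same su outside ejabberdctl is unaffected.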

Blue Duck (blueduck) wrote :

Hi Kees,

Your tip solved my issue: many thanks!

I tried to understand this change, but my English and admin skills are not sufficient; nevertheless, here are the references: https://www.novell.com/documentation/apparmor/apparmor201_sp10_admin/data/bx5bmls.html

Changed in ejabberd (Debian):
status: Unknown → New
Changed in ejabberd (Debian):
status: New → Confirmed
Changed in ejabberd (Debian):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ejabberd - 17.07-1

---------------
ejabberd (17.07-1) unstable; urgency=medium

  * New upstream version 17.07 (Closes: #867723)
  * Updated Standards-Version: 4.0.0 (no changes needed)
  * Updated years in debian/copyright
  * Updated (Build-)Depends
  * Refreshed patches for ejabberd 17.07
  * Updated debian/rules
  * Added NEWS entry regarding configuration changes

 -- Philipp Huebner <email address hidden> Fri, 14 Jul 2017 12:12:13 +0200

Changed in ejabberd (Ubuntu):
status: Confirmed → Fix Released
Simon Arlott (sa.me.uk) wrote :

This is also an issue on 16.04; logrotate continually fails to execute ejabberdctl after an apparmor update:
[413761.100538] audit: type=1400 audit(1560125582.853:33): apparmor="DENIED" operation="file_mmap" profile="/usr/sbin/ejabberdctl//su" name="/bin/su" pid=5366 comm="su" requested_mask="m" denied_mask="m" fsuid=0 ouid=0

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ejabberd (Ubuntu Xenial):
status: New → Confirmed