apparmor HOMEDIRS not adjusted for likewise

Bug #274350 reported by Misha Bazanov
18
This bug affects 2 people
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
High
Jamie Strandboge
likewise-open (Ubuntu)
High
Gerald Carter

Bug Description

Binary package hint: likewise-open

I'm run Ubuntu 8.04 and add it to windows domain using likewise-open.
Home of domain users in this case placed in /home/<Domain_Name>/<user_name>

in /var/log/cups/cups-pdf_log:
[ERROR] failed to create directory (/home/<Domain_Name>/<user_name>/PDF)
[ERROR] failed to create user output directory (/home/<Domain_Name>/<user_name>/PDF)

solution found in https://bugs.launchpad.net/ubuntu/+source/cups-pdf/+bug/212280 and solution was to add /home/<Domain_Name>/ to @{HOMEDIRS} in /etc/apparmor.d/tunables/home
like this:
 @{HOMEDIRS}=/home/ /home/<Domain_Name>/

Will be perfect, if likewise-open edit this variable when add computer to domain.

Misha Bazanov (bmw-)
description: updated
description: updated
Revision history for this message
Thierry Carrez (ttx) wrote :

It's not easy to fix this in a clean way... as (un)editing /etc contents on domain join/leave is not really clean. The best way would be to make apparmor aware of domain existence so that it adapts @{HOMEDIRS} accordingly.

Changed in likewise-open:
importance: Undecided → Medium
status: New → Confirmed
summary: - cups-pdf cannot create ~/PDF and files in it
+ apparmor HOMEDIRS not adjusted for likewise
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

We talked about this at UDS Lucid and this is something I'd like to fix for Lucid. Conceptually, this is not too hard, since all we should have to do is adjust /etc/apparmor.d/tunables/home to have:
@{HOME}=@{HOMEDIRS}/*/ /root/
@{HOMEDIRS}=/home/ /home/*/

However, this gets quite complicated with rule evaluation, eg the tcpdump profile has:
  audit deny @{HOME}/bin/ rw,
  audit deny @{HOME}/bin/** mrwkl,
  @{HOME}/ r,
  @{HOME}/** rw,

After making the above change to tunables, this evaluates to (omitting /root/):
  audit deny /home/*/bin/ rw,
  audit deny /home/*/*/bin/ rw,
  audit deny /home/*/bin/** mrwkl,
  audit deny /home/*/*/bin/** mrwkl,
  /home/*/ r,
  /home/*/*/ r,
  /home/*/** rw,
  /home/*/*/** rw,

This is at best overly complicated and at worst could change the profile in unexpected ways. If we want to support both local and likewise homedirs, I think something else needs to happen.

Would it be possible to change the default location of likewise? Eg, adjust lwiauthd.conf (AIUI) to somewhere outside of /home would be ideal, but even having:
  template homedir = /home/likewise-open/%D/%U

would be an improvement. Then we could do:
@{HOME}=@{HOMEDIRS}/*/ /root/
@{HOMEDIRS}=/home/ /home/likewise-open/*/

which evaluates to (again, /root/ omitted):
  audit deny /home/*/bin/ rw,
  audit deny /home/likewise-open/*/*/bin/ rw,
  audit deny /home/*/bin/** mrwkl,
  audit deny /home/likewise-open/*/*/bin/** mrwkl,
  /home/*/ r,
  /home/likewise-open/*/*/ r,
  /home/*/** rw,
  /home/likewise-open/*/*/** rw,

This is much better, since only a system with a local user with home directory of '/home/likewise-open' would have the problems described above. This seems acceptable and easier than moving likewise outside of /home. If we do decide to move the directory, I advise adjusting lwiauthd.conf to have:
  # Changing template homedir will also require adjusting the AppArmor home
  # tunable in /etc/apparmor.d/tunables/home for systems that use AppArmor.
  # See https://wiki.ubuntu.com/DebuggingApparmor#Adjusting%20Tunables
  # for details.
  template homedir = /home/likewise-open/%D/%U

Changed in apparmor (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Changed in likewise-open (Ubuntu):
importance: Medium → High
Revision history for this message
Gerald Carter (coffeedude.jerry) wrote :

Discussed on #ubuntu-server with ttx, jdstrand, and myself. Agreed to set the template homedir to /home/likewise-open/%D/%U moving forward in Lucid. However, we'll not try to move any home directories on upgrade. Rather, we'll leave things as they are.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.3.1+1403-0ubuntu30

---------------
apparmor (2.3.1+1403-0ubuntu30) lucid; urgency=low

  [ Jamie Strandboge ]
  * convert to using quilt
    - debian/control: Build-Depends on quilt
    - add debian/README.source
    - debian/rules: include /usr/share/quilt/quilt.make and adjust
      targets for patching
  * debian/patches/0001-likewise-home-tunables.patch: tunables/home: add
    /home/likewise-open/*/ to HOMEDIRS (LP: #274350)
  * Merge to upstream bzr rev 1308.
    - really add chromium-browser (LP: #488559)
    - add official google-chrome (LP: #481661)

  [ Kees Cook ]
  * parser/parser_main.c: use nanosec ctime resolution when checking
    cache file times.
  * parser/tst/caching.sh: add tests for cache use based on timestamps.
 -- Jamie Strandboge <email address hidden> Fri, 04 Dec 2009 11:11:01 -0600

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Released
Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Changed in likewise-open (Ubuntu):
assignee: nobody → Gerald Carter (coffeedude.jerry)
Changed in likewise-open (Ubuntu):
status: Confirmed → Triaged
milestone: none → lucid-alpha-3
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Here is an untested debdiff which adjusts 'template homedir' as decided upon. I also have the packaging create /home/likewise-open. While I can't test this, I think that this may be all that is needed. In other words, upgrades from Hardy to Lucid should work just fine. Assuming the user does the required reboot after upgrade, then the next time likewise is used it will use the new template homedir.

As I don't have a way to test this, I am uncomfortable uploading to Lucid at this time. Gerry, can you give feedback on this debdiff? If it looks good, I can upload to Lucid and you can incorporate my changes into your next upload. Thanks!

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

This has already been fixed in in the likewise-open ppa. Per IRC discussion:
07:59 < coffeedude> jdstrand, K. So you diff won't apply to the new packages.
                    I've already fixed it there like we discussed. pitti is
                    reviewing the debs for me and they are planned for upload
                    for alpha 2.

Changed in likewise-open (Ubuntu):
milestone: lucid-alpha-3 → lucid-alpha-2
status: Triaged → In Progress
Revision history for this message
Kees Cook (kees) wrote :

Note that likewise-open will need to include a file like /etc/apparmor.d/tunables/home.d/likewise-open
that contains:

@{HOMEDIRS}+=/home/likewise-open/*/

This is being removed from the AppArmor default now that home.d/ exists, and default installs don't need this path (which is presently causing bug 503869)

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

likewise-open 5.4.0.39949-2 uses /home/likewise-open as its template dir. All that is left is to add /etc/apparmor.d/tunables/home.d/likewise-open. I'll provide a debdiff shortly.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Here is a debdiff to install a suitable /etc/apparmor.d/tunables/home.d/likewise-open.

Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Please review and I can get this uploaded for Alpha-2.

Revision history for this message
Gerald Carter (coffeedude.jerry) wrote :

+1. The diff looks good to me.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package likewise-open - 5.4.0.39949-3

---------------
likewise-open (5.4.0.39949-3) lucid; urgency=low

  * add /etc/apparmor.d/tunables/home.d/likewise-open to adjust HOMEDIRS.
    - add debian/apparmor.homedirs
    - debian/rules: install apparmor.homedirs
    - debian/likewise-open.dirs: create etc/apparmor.d/tunables/home.d
    - debian/likewise-open.install: add tunables/home.d/likewise-open to
      likewise-open package
    - LP: #274350
 -- Jamie Strandboge <email address hidden> Fri, 08 Jan 2010 08:56:39 -0600

Changed in likewise-open (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Julian Alarcon (julian-alarcon) wrote :

Ok, I still get this error on PBIS-Open. Ubuntu 13.04.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers