apparmor permissions missing for winbind

Bug #1582767 reported by Eric Delaet on 2016-05-17
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ntp (Debian)
Fix Released
Unknown
ntp (Ubuntu)
Medium
Christian Ehrhardt 
Xenial
Undecided
Unassigned

Bug Description

When using Winbind, ntpd needs to access the Winbind pipe:

May 17 16:23:15 bo kernel: [ 27.598551] type=1400 audit(1463494995.048:18): apparmor="DENIED" operation="connect" profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517 comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0

Would there be any reason not to allow this ? I added the following line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:

/run/samba/winbindd/pipe rw,

Thanks!

Robie Basak (racb) on 2016-05-19
tags: added: apparmor bitesize
Changed in ntp (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Robie Basak (racb) on 2016-06-22
Changed in ntp (Ubuntu):
assignee: nobody → Wesley Wiedenmeier (wesley-wiedenmeier)

Hi Eric,
adding that rule sounds totally reasonable and we are looking to integrate that.

To ease testing as I never set such a thing up before I wanted to ask if you could you share some config details how to set it up this way so it triggers the issue you face?

Changed in ntp (Ubuntu):
assignee: Wesley Wiedenmeier (wesley-wiedenmeier) → nobody
assignee: nobody → ChristianEhrhardt (paelzer)
Eric Delaet (eric-delaet) wrote :

Hello Christian,

I'm using Samba with winbind to connect to Active Directory as a slave server. I guess that's why it wants to read the syncronized time. My Samba setup:

  netbios name = <servername>
  workgroup = <domain>
  realm = <domain.local?
  server string = %h
  security = ads
  encrypt passwords = yes
  password server = <ad-ip1> <ad-ip2>

  idmap config * : backend = rid
  idmap config * : range = 10000-20000

  winbind use default domain = Yes
  winbind enum users = Yes
  winbind enum groups = Yes
  winbind nested groups = Yes
  winbind expand groups = 10
  winbind separator = +
  winbind refresh tickets = yes
  winbind cache time = 300

  template shell = /bin/bash
  template homedir = /home/%U

  preferred master = no
  dns proxy = no
  wins server = <ad-server1> <ad-server2>
  wins proxy = no

  inherit acls = Yes
  map acl inherit = Yes
  acl group control = yes

  load printers = no
  debug level = 0
  use sendfile = no

After that, individual shares follow.

Do you need any more information or help?

Hi Eric,
thanks for sharing.
I think I'm good for now - need to find the time to actually package it which has a few other dependencies atm.
If while testing I find that I need more I'll let you know - and certainly for this bug I'd love to have you test it as well once it is packaged, built and available for testing.

Hi,
I was preparing to integrate this change together with a lot of others.
While testing I couldn't get it to trigger the issue you described.

Lacking a "real" ADS to link to I went for a being a PDC on my own - but at least in that setup the issue didn't show up.

Fortunately the change is small and not very intrusive, so I think we can still keep it.
But as a heads up once this will be available in yakkety I'll have to ask you to verify this.
I'll ping this bug then to let you know.

If one can find slight modifications to this conf without needing an actual real ADS, but still triggering the bug please let me know.

Eric Delaet (eric-delaet) wrote :

Hi Christian,

Sure, if you have a beta package or so I'm ready to test it. Just deployed another server and saw the same behaviour, so it's easy to replicate for me and to check if the error is gone.

Thanks already for your commitment to help!
The final fix is currently in review, as it is is part of a merge and that
changes much more.

To give you a way to pre-evaluate I put it in a ppa at
https://launchpad.net/~paelzer/+archive/ubuntu/ntp-test-bug-1582767
This silently will tests all other changes as well if they get you or your
environment into any trouble as well.

Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

On Fri, Jul 8, 2016 at 5:09 PM, Eric Delaet <email address hidden> wrote:

> Hi Christian,
>
> Sure, if you have a beta package or so I'm ready to test it. Just
> deployed another server and saw the same behaviour, so it's easy to
> replicate for me and to check if the error is gone.
>
> --
> You received this bug notification because you are a bug assignee.
> https://bugs.launchpad.net/bugs/1582767
>
> Title:
> apparmor permissions missing for winbind
>
> Status in ntp package in Ubuntu:
> Triaged
>
> Bug description:
> When using Winbind, ntpd needs to access the Winbind pipe:
>
> May 17 16:23:15 bo kernel: [ 27.598551] type=1400
> audit(1463494995.048:18): apparmor="DENIED" operation="connect"
> profile="/usr/sbin/ntpd" name="/run/samba/winbindd/pipe" pid=1517
> comm="ntpd" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=0
>
> Would there be any reason not to allow this ? I added the following
> line to /etc/apparmor/init/network-interface-security/usr.sbin.ntpd:
>
> /run/samba/winbindd/pipe rw,
>
> Thanks!
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1582767/+subscriptions
>

Robie Basak (racb) wrote :

@Christian

Do you intend to SRU this to Xenial? Should I create a bug task for it?

@Robie,
I'd intend to do so as the fix is rather easy, but i depends on the co-work of the reporter for verification. I'd say yes please create a task but we keep it at low prio until verification support takes place. I'll do the nominate.

Launchpad Janitor (janitor) wrote :
Download full text (5.2 KiB)

This bug was fixed in the package ntp - 1:4.2.8p8+dfsg-1ubuntu1

---------------
ntp (1:4.2.8p8+dfsg-1ubuntu1) yakkety; urgency=medium

  [ Christian Ehrhardt ]
  * Merge from Debian testing. Remaining changes:
    + debian/rules: enable debugging. Asked debian to add this in bug #643954.
    + debian/rules, debian/ntp.dirs, debian/source_ntp.py: Add apport hook.
    + debian/control: Add Suggests on apparmor.
    + debian/source_ntp.py: Add filter on AppArmor profile names to prevent
      false positives from denials originating in other packages
    + debian/ntpdate.if-up: Fix interaction with openntpd. Stop ntp before
      running ntpdate when an interface comes up, then start again afterwards.
    + debian/ntp.init, debian/rules: Only stop when entering single user mode,
      don't use /var/lib/ntp/ntp.conf.dhcp if /etc/ntp.conf is newer - it can
      get stale. Patch by Simon Déziel.
    + debian/ntp.conf, debian/ntpdate.default: Change default server to
      ntp.ubuntu.com.
    + debian/control: Add bison to Build-Depends (for ntpd/ntp_parser.y).
    + Extend PPS support
      - debian/README.Debian: Add a PPS section to the README.Debian
      - debian/ntp.conf: Add some configuration examples from the offical
        documentation.
    + SECURITY UPDATE: NTP statsdir cleanup cronjob insecure (LP: #1528050)
      - debian/ntp.cron.daily: fix security issues, patch thanks to halfdog!
      - CVE-2016-0727
    + Merge also contains an upstream fix that solves (LP: #1567540)
  * Added changes
    + match Ubuntu packages now that Debian has ntp apparmor accepted in
      d/control for Apparmor conflicts/replaces
    + d/apparmor-profile add samba winbindd pipe (LP: #1582767)
  * Drop Changes:
    + Add enforcing AppArmor profile (accepted in Debian):
      - debian/control: Add Conflicts/Replaces on apparmor-profiles.
      - debian/control: Add Suggests on apparmor.
      - debian/control: Build-Depends on dh-apparmor.
      - add debian/apparmor-profile*.
      - debian/ntp.dirs: Add apparmor directories.
      - debian/rules: Install apparmor-profile and apparmor-profile.tunable.
      - debian/source_ntp.py: Add filter on AppArmor profile names to prevent
        false positives from denials originating in other packages.
      - debian/README.Debian: Add note on AppArmor.
    + Add PPS support (accepted in Debian)
      - debian/control: Add Build-Depends on pps-tools
    + debian/apparmor-profile: allow 'rw' access to /dev/pps[0-9]* devices.
    + d/p/fix_local_sync.patch: fix local clock sync (fixed upstream)
    + debian/patches/ntpdate-fix-lp1526264.patch (fixed upstream):
      - Add Alfonso Sanchez-Beato's patch for fixing the cannot correct dates in
        the future bug
    + debian/apparmor-profile: adjust to handle AF_UNSPEC with dgram and stream
    + dropping previous ubuntu security patches/fixes that have been upstreamed
      in 4.2.8p6: CVE-2015-7973, CVE-2015-7975, CVE-2015-7976, CVE-2015-7977,
      CVE-2015-7978, CVE-2015-7979, CVE-2015-8138, CVE-2015-8158
    + dropping previous ubuntu security patches/fixes that have been upstreamed
      in 4.2.8p7: CVE-2016-1548, CVE-2016-1550, CVE-2016-2516, CVE-2016-2518...

Read more...

Changed in ntp (Ubuntu):
status: Triaged → Fix Released

Hi,
just to note I'd consider this not important enough for an SRU given the fact that it is a very rare case and people can add the rule themselves if the need to.

Changed in ntp (Ubuntu Xenial):
status: New → Won't Fix

I realized we carry this as Delta and there was no Debian report yet, I opened one and linked it up here.

Changed in ntp (Debian):
status: Unknown → New
Changed in ntp (Debian):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.