Apparmor should include letsencrypt directory for Slapd

Bug #1805178 reported by Tarek Loubani on 2018-11-26

Bug Description

Apparmor denies access to /etc/letsencrypt for slapd, which is confusing for users trying to secure ldap with Letsencrypt in a stock configuration.

The fix is inserting the following line in /etc/apparmor.d/usr.sbin.slapd:

  /etc/letsencrypt/** r,

and then refreshing the profile:

# apparmor_parser -vr usr.sbin.slapd

This line should simply be included.

tarek : )

Andreas Hasenack (ahasenack) wrote :

Thanks for filing this bug in Ubuntu.

First, let me suggest that any local modifications to apparmor profiles be made in /etc/apparmor.d/local instead of the profile in /etc/apparmor.d, otherwise you will get dpkg conf prompts with every upgrade. For slapd, for example, you have /etc/apparmor.d/local/usr.sbin.slapd

Second, what is the structure of files and directories in /etc/letsencrypt? Is it separated by user, service, or do all certs go in there? It would be good if we could come up with a rule that's a bit more specific.

Changed in openldap (Ubuntu):
status: New → Incomplete
Andreas Hasenack (ahasenack) wrote :

I'm removing apparmor from the affected list because the apparmor profile is shipped with slapd.

no longer affects: apparmor (Ubuntu)
John Johansen (jjohansen) wrote :

Marked this public security for now so it is on the security team radar and it can be reviewed by them.

information type: Public → Public Security
Jamie Strandboge (jdstrand) wrote :

I echo ahasenack's question. /etc/letsencrypt/** is pretty broad (especially if it contains private keys).

Once those details are worked out, updating slapd is conceptually fine. We may want to consider updating the ssl_certs and ssl_keys abstractions accordingly if letsencrypt organizes things clearly. (We could also create a letsencrypt abstraction, but let's not go there just yet).

Christian Boltz (cboltz) wrote :

The ssl_certs and ssl_keys abstractions just got the paths for letsencrypt added:
(also backported to the 2.10..2.13 branches)

Tarek Loubani (tareko) wrote :

The above merge for apparmor appears to solve this issue. I agree with that issue that /etc/letsencrypt/live/** and /etc/letsencrypt/archive/** are probably the main places that have to be added. Shall we fix it in this package, or elsewhere?

tarek : )
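Putting the thread's advice together (ahasenack's point about editing /etc/apparmor.d/local rather than the packaged profile, jdstrand's concern that /etc/letsencrypt/** is too broad, and the live/ and archive/ paths named in the comment above), the following shell script is an added example and not code from the bug report, the openldap package, or Certbot. It writes the narrower read-only rules into the local override, extracts the path AppArmor actually rejected from a denial log line, and checks which rule covers that path. The host name ldap.example.com, the sample audit line and the temporary directory are constructed for illustration; the reload_slapd_profile function is meant for a real host and is not called by the demo.

```shell
#!/bin/sh
# Added example, not code from the bug report or the openldap package.
# It implements the approach the thread converges on: a local AppArmor override
# for slapd limited to Certbot's live/ and archive/ directories, plus a check
# that a rule actually covers the path AppArmor reported in a denial.
# Directory names, the host name and the audit line below are constructed.

# Rules for /etc/apparmor.d/local/usr.sbin.slapd (Ubuntu's slapd profile
# includes that file, so dpkg never prompts about it on upgrade). Read-only,
# and deliberately not /etc/letsencrypt/**, which would also expose accounts/
# (the ACME account key) and renewal/ to slapd.
letsencrypt_rules() {
    cat <<'EOF'
# slapd: read Certbot-managed certificates and keys.
/etc/letsencrypt/live/** r,
/etc/letsencrypt/archive/** r,
EOF
}

# Append the rules to the local override under base dir $1 (default
# /etc/apparmor.d), only once. Returns 0 when the file was changed, 1 if the
# rules were already present.
install_override() {
    base=${1:-/etc/apparmor.d}
    target="$base/local/usr.sbin.slapd"
    mkdir -p "$base/local"
    if [ -f "$target" ] && grep -qF '/etc/letsencrypt/archive/** r,' "$target"; then
        return 1
    fi
    letsencrypt_rules >> "$target"
}

# Pull the denied path out of an AppArmor audit/kernel log line for the slapd
# profile. Prints nothing for lines about other profiles.
denied_path() {
    printf '%s\n' "$1" |
        sed -n 's/.*profile="\/usr\/sbin\/slapd".*name="\([^"]*\)".*/\1/p'
}

# Does an AppArmor path rule whose only glob is '**' cover the path in $2?
# '**' matches any characters including '/'. A single '*' (which must not
# cross a '/') is not handled by this simplified matcher.
rule_covers() {
    pattern=$(printf '%s' "$1" | sed 's/\*\*/*/g')
    case $2 in
        $pattern) return 0 ;;
        *) return 1 ;;
    esac
}

# Reload the profile after editing. apparmor_parser -r replaces the loaded
# profile; -Q only parses (a syntax check that works as non-root).
reload_slapd_profile() {
    if ! command -v apparmor_parser >/dev/null 2>&1; then
        echo "apparmor_parser not installed; skipping reload" >&2
        return 2
    fi
    if [ "$(id -u)" -ne 0 ]; then
        apparmor_parser -Q -K /etc/apparmor.d/usr.sbin.slapd
    else
        apparmor_parser -r /etc/apparmor.d/usr.sbin.slapd
    fi
}

# Constructed denial, shaped like the kernel/auditd line AppArmor emits.
# Note the path: slapd opened live/<host>/privkey.pem, but AppArmor checks the
# path after symlink resolution, so the denial names the archive/ target.
SAMPLE_DENIAL='audit: type=1400 audit(1543200000.123:45): apparmor="DENIED" operation="open" profile="/usr/sbin/slapd" name="/etc/letsencrypt/archive/ldap.example.com/privkey1.pem" pid=1234 comm="slapd" requested_mask="r" denied_mask="r" fsuid=111 ouid=0'

demo() {
    tmp=$(mktemp -d)
    install_override "$tmp"
    echo "wrote $tmp/local/usr.sbin.slapd:"; cat "$tmp/local/usr.sbin.slapd"
    p=$(denied_path "$SAMPLE_DENIAL")
    echo "denied path: $p"
    rule_covers '/etc/letsencrypt/live/**' "$p" \
        && echo "live/** covers it" || echo "live/** alone does NOT cover it"
    rule_covers '/etc/letsencrypt/archive/**' "$p" && echo "archive/** covers it"
    rm -rf "$tmp"
}
demo
```

The denied path is under archive/, not live/: Certbot's live/ entries are symlinks into archive/, and AppArmor mediates the resolved path, so a rule for live/** alone still yields denials naming archive/. That is why both directories have to be listed, and why the broad /etc/letsencrypt/** looked tempting in the first place.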

Launchpad Janitor (janitor) wrote :

[Expired for openldap (Ubuntu) because there has been no activity for 60 days.]

Changed in openldap (Ubuntu):
status: Incomplete → Expired
Changed in openldap (Ubuntu):
status: Expired → New
Robie Basak (racb) wrote :

I suppose we need to ensure that the openldap package is using this abstraction, then, and that the latest apparmor package in Ubuntu contains it.

I do think that Certbot integration for openldap is not relevant for the majority of Ubuntu users though, so am setting Importance: Low and don't expect anyone from the server team to address this any time soon.

We'd be happy to help volunteers get this landed though. First steps would be to identify what needs doing in the development release in apparmor and openldap with respect to this apparmor abstraction.

Changed in openldap (Ubuntu):
importance: Undecided → Low
status: New → Triaged