sssd apparmor profile need /etc/sssd/pki/** r

Bug #2109673 reported by Seyeong Kim
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
sssd (Ubuntu) | Status tracked in Questing | | |
Focal | Confirmed | Undecided | Unassigned |
Jammy | Confirmed | Undecided | Unassigned |
Noble | Confirmed | Undecided | Unassigned |
Oracular | Confirmed | Undecided | Unassigned |
Plucky | Confirmed | Undecided | Unassigned |
Questing | Confirmed | Undecided | Unassigned |

Bug Description

[Impact]
Hello

When we are using a removable smartcard to authenticate, we basically set the cert in /etc/sssd/pki/ as doc [1] says, and we have an issue with Permission Denied.

If we put "/etc/sssd/pki/** r," in the AppArmor profile, it works.

Although the path could be set to a different path, there is no specific path for it and we mentioned it in doc [1], so it would be good if we could add the above path to the AppArmor profile.

The man page (over 2.0) has the path, so I uploaded a patch from F to Q.

[1] https://manpages.ubuntu.com/manpages/noble/man5/sssd.conf.5.html

[Test Case]
I don't have 100% the same reproducer, but I can test a simple one.

sudo aa-exec -p /usr/sbin/sssd -- cat /etc/sssd/pki/sssd_auth_ca_db.pem

[Where problems could occur]
sssd will have more permissions in /etc/sssd/pki/

[Others]

Tags: patch sts
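
The denial described in the report can be confirmed from the kernel audit log. The following is an added example, not part of the bug report or the sssd package: it filters AppArmor DENIED records for the /usr/sbin/sssd profile under /etc/sssd/pki/ and prints the rule from the report when a profile file lacks it. The log lines, the function names and the literal-match profile check are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the bug report. All log lines below are constructed.
PROFILE='/usr/sbin/sssd'    # profile name, as in the report's aa-exec test
PKI_DIR='/etc/sssd/pki/'    # directory the report asks to make readable
RULE='/etc/sssd/pki/** r,'  # rule proposed in the report

sample_log() {  # constructed kernel audit records in AppArmor's format
cat <<'EOF'
kernel: audit: type=1400 audit(1700000000.101:201): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/sssd/pki/sssd_auth_ca_db.pem" pid=4101 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1700000000.202:202): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/sssd/pki/sssd_auth_ca_db.pem" pid=4102 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1700000000.303:203): apparmor="DENIED" operation="open" profile="/usr/sbin/example" name="/etc/sssd/pki/sssd_auth_ca_db.pem" pid=4103 comm="example" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: audit: type=1400 audit(1700000000.404:204): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/tmp/example.txt" pid=4104 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
EOF
}

# Read audit lines on stdin; print unique "path mask" pairs that were denied
# to $PROFILE for files under $PKI_DIR.
pki_denials() {
    awk -v prof="$PROFILE" -v dir="$PKI_DIR" '
        function field(k,   re) {          # value of key="value" in $0
            re = " " k "=\"[^\"]*\""
            if (!match($0, re)) return ""
            return substr($0, RSTART + length(k) + 3, RLENGTH - length(k) - 4)
        }
        /apparmor="DENIED"/ {
            p = field("profile"); n = field("name"); m = field("denied_mask")
            if (p == prof && index(n, dir) == 1 && !seen[n " " m]++) print n, m
        }'
}

# True when profile file $1 has an uncommented rule granting read on
# /etc/sssd/pki/** (literal match only, no AppArmor glob evaluation).
profile_has_rule() {
    grep -Eq '^[[:space:]]*/etc/sssd/pki/\*\*[[:space:]]+[a-z]*r[a-z]*,' "$1"
}

# Read audit lines on stdin; print $RULE when read denials under $PKI_DIR
# exist and profile file $1 does not already carry the rule.
missing_rule() {
    denials=$(pki_denials | awk '$2 ~ /r/')
    [ -n "$denials" ] || return 0
    profile_has_rule "$1" || printf '%s\n' "$RULE"
}

sample_log | pki_denials
```

On a live system the input would come from the kernel log (for example `journalctl -k`) instead of `sample_log`.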
Seyeong Kim (seyeongkim)
tags: added: sts
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "lp2109673_plucky.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
no longer affects: sssd (Ubuntu Bionic)
Seyeong Kim (seyeongkim)
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in sssd (Ubuntu Focal):
status: New → Confirmed
Changed in sssd (Ubuntu Jammy):
status: New → Confirmed
Changed in sssd (Ubuntu Noble):
status: New → Confirmed
Changed in sssd (Ubuntu Oracular):
status: New → Confirmed
Changed in sssd (Ubuntu Plucky):
status: New → Confirmed
Changed in sssd (Ubuntu):
status: New → Confirmed
Seyeong Kim (seyeongkim)
description: updated