[apparmor] [PATCH] various aa-notify fixes
Christian Boltz
apparmor at cboltz.de
Tue Aug 16 23:21:36 UTC 2011
Hello,
On Wednesday, 17 August 2011, Jamie Strandboge wrote:
> Christian Boltz reported several problems (via IRC) with aa-notify
> when used on OpenSUSE. Attaching all patches in this email as they
> are all quite straightforward.
>
> 0001-drop-supplemental-groups.patch:
> utils/aa-notify:
> - drop supplemental group privileges too. While POSIX::setgid() works nice in
> that it will set both the real uid and euid, it doesn't do anything with the
> supplemental groups (sigh). Instead, assign to $( and $) in a manner that
> clears the supplemental groups.
This patch contains too many magic perl variables for me ;-) - I won't
comment on it.
> 0002-update-aa-notify-manpage-for-user-and-p.patch:
> utils/aa-notify.pod: update to clarify '-u' argument when using
> '-p'.
ACK, very helpful improvement.
Having a config option to set the default user would also be very
helpful if someone decides to run aa-notify as a daemon.
> 0003-check-dirname-with-auditd.patch:
> utils/aa-notify:
>
> aa-notify would abort if it could not stat the logfile, as can happen when
> using auditd and the directory perms for the logfile do not allow access (x).
> Adjust get_logfile_size() and get_logfile_inode() to raise then
> drop privileges if the logfile parent directory is not executable.
I'd like to reject that patch.
This might surprise you because it fixes the bug I reported (tested
successfully). The reason for the reject is that it introduces lots of
duplicated code to raise and drop privileges. That's a guarantee for a
future maintenance hell [1].
Please move this code into a "sub raise_privileges" and another "sub
drop_privileges", and I'll happily say that the patch is OK ;-)
(If you want to keep the name of the calling sub in the debug message,
add it as parameter when calling raise_privileges/drop_privileges.)
> Interestingly, this issue was masked on Ubuntu because of the improper
> dropping of supplemental groups fixed in 0001, above.
Bad Ubuntu, they have set /var/log/audit too permissive ;-)
Regards,
Christian Boltz
[1] IIRC I already mentioned PostfixAdmin - if not, feel free to
ask ;-)
--
> How can I take a look at a tape drive?
Press the eject button (or "mt -f <device> offl") and hold it up to your eye?
[> Mrvka Andreas and Andreas Kyek in suse-linux]
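
The two helpers requested in the review of 0003, combined with the supplemental-group clearing described for 0001, could look like the sketch below. It is an added example, not aa-notify's code or the patches under review: the sub bodies, the `nobody` account and the log file path are assumptions, and it presumes the script starts as root and keeps its real uid at 0 so that raising stays possible.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helpers, not aa-notify's code. Assumes the script starts as
# root and keeps the real uid at 0 so privileges can be raised again later.
sub drop_privileges {
    my ($uid, $gid, $caller) = @_;
    # Groups first, while the effective uid is still allowed to change them.
    # In "$gid $gid" the first number becomes the effective gid and the rest
    # is handed to setgroups(), leaving $gid as the only supplemental group.
    $) = "$gid $gid";
    $( = $gid;
    $> = $uid;
    # Read the ids back instead of trusting the assignments.
    my ($rgid) = split ' ', $(;
    my ($egid, @supp) = split ' ', $);
    die "$caller: could not drop privileges\n"
        if $> != $uid || $rgid != $gid || $egid != $gid
        || grep { $_ != $gid } @supp;
    return;
}

sub raise_privileges {
    my ($caller) = @_;
    $> = $<;    # effective uid back to the real uid (root)
    die "$caller: could not raise privileges\n" if $> != $<;
    return;
}

# One caller in the shape the review asks for: raise, stat, drop.
sub get_logfile_size {
    my ($logfile, $uid, $gid) = @_;
    raise_privileges('get_logfile_size');
    my $size = (stat $logfile)[7];    # undef if stat fails
    drop_privileges($uid, $gid, 'get_logfile_size');
    return $size;
}

if ($> == 0) {
    my (undef, undef, $uid, $gid) = getpwnam('nobody')    # assumed account
        or die "no such user\n";
    drop_privileges($uid, $gid, 'main');
    print "after drop: euid=$> groups=$)\n";
    # Assumed path under the /var/log/audit directory mentioned above.
    my $size = get_logfile_size('/var/log/audit/audit.log', $uid, $gid);
    print 'size: ', defined $size ? $size : 'unavailable', "\n";
} else {
    print "run as root to exercise the helpers\n";
}
```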