[apparmor] [patch] smbd profile needs capability sys_admin
Christian Boltz
apparmor at cboltz.de
Sun Mar 20 18:20:11 UTC 2016
Hello,
smbd stores ACLS in the security.NTACL namespace, which means it needs
capability sys_admin.
References: https://bugzilla.opensuse.org/show_bug.cgi?id=964971
http://samba-technical.samba.narkive.com/eHtOW8DE/nt-acls-using-the-security-namespace-for-ntacl-considered-improper
I propose this patch for trunk, 2.10 and 2.9.
[ profiles-smbd-cap-sys_admin.diff ]
=== modified file 'profiles/apparmor.d/usr.sbin.smbd'
--- profiles/apparmor.d/usr.sbin.smbd 2015-02-28 20:35:18 +0000
+++ profiles/apparmor.d/usr.sbin.smbd 2016-02-11 17:51:14 +0000
@@ -17,6 +17,7 @@
capability net_bind_service,
capability setgid,
capability setuid,
+ capability sys_admin, # needed to store ACLS in the security.NTACL namespace
capability sys_resource,
capability sys_tty_config,
Regards,
Christian Boltz
--
> Genaugenommen kann es DAUs (also Mehrzahl) gar nicht geben ;-)
Stimmt. Aber die werden ja gezuechtet, es gibt staendig einen neuen
DAU, ergo hat man den aktuellen DAU und die nicht ganz aktuellen...
[> Manfred Tremmel und David Haller in suse-linux]
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: This is a digitally signed message part.
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20160320/6351fadb/attachment.pgp>
More information about the AppArmor
mailing list