[apparmor] Enabling email delivery for wordpress
Seth Arnold
seth.arnold at canonical.com
Wed Nov 2 21:18:31 UTC 2016
On Wed, Nov 02, 2016 at 10:08:50PM +0200, Robert Munteanu wrote:
> I am trying to secure my wordpress installation using apparmor. The
> basic permissions are nothing special, until we get to email delivery.
>
> Wordpress by default always wants to use the php mail() function,
> which in turn always wants to use a binary. So I can't fix this by
> enabling email delivery via SMTP.
>
> So I ended up adding the following to my profile:
>
> /bin/bash ixr,
> /usr/sbin/sendmail Uxr,
>
> That strikes me as being a pretty wide net, so I'm curious if there's
> something that I can do better.

Hello Robert,

There are several options, depending upon your goals:

- You can add a system-wide profile for /usr/sbin/sendmail
- You can add a child profile for /usr/sbin/sendmail to your php/wordpress
  profile

Both approaches have merits; the system-wide profile for sendmail may
involve more work to ensure that all applications on the system that send
mail are correctly profiled. But likewise, sendmail would be confined when
called via other mechanisms, not just via the wordpress application.

Also, depending upon what program is supplying your /usr/sbin/sendmail,
you may also need to confine a great many other executables in order to
have meaningful confinement. For example, the apparmor-profiles package
supplies several profiles (possibly too ancient to be useful starting
points) for different sendmails:

These profiles are also at:
http://bazaar.launchpad.net/~apparmor-dev/apparmor/master/files/head:/profiles/apparmor/profiles/extras/

- There's a usr.sbin.sendmail that is prepared to handle both postfix
  _and_ sendmail
- There's a usr.sbin.sendmail.sendmail that works with sendmail
- There's a usr.sbin.sendmail.postfix that works with postfix
- There are also profiles for postalias, postdrop, postmap, postqueue, and a
  dozen other postfix binaries.

Unless someone speaks up to say they've kept the 'extras' profile updated
for their MTA of choice, they are probably old enough at this point that
they can be ignored.

If you want to add a child profile for sendmail, it'd look something like
this:

Change /usr/sbin/sendmail Uxr, to

  /usr/sbin/sendmail Cxr -> sendmail,

  profile sendmail {
    #include <abstractions/base>
    /usr/sbin/sendmail ixr,
    # .. more rules here ..
  }

If you want to add a new system-wide profile for sendmail, it'd look
something like this:

  /usr/sbin/sendmail Pxr,

Then you need to generate a new sendmail profile. You could either use the
tools, and run aa-genprof /usr/sbin/sendmail, and follow the prompts, or
you could write it by hand. When you write the profile, be sure to test
some common things very early:

- stopping the daemon
- starting the daemon
- restarting the daemon
- local mail delivery (if your sendmail does this)
- remote mail delivery (if your sendmail does this)

I hope this helps, feel free to ask here or #apparmor on irc.oftc.net
(there's often someone around) in case I wasn't clear on something.

Thanks
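
Added example, not part of the original message or of the AppArmor tools: a small Python check that lists the exec rules in a profile and flags the ones that run the target unconfined (ux/Ux, or the pux/cux fallback forms), applied to the Uxr rule from the question and the Cx child-profile form from the reply. The outer profile name wordpress_example and both sample texts are constructed; only the path-first rule form used in this thread is parsed.

```python
import re

# A file rule: optional qualifiers, a path, a permission string, an optional
# "-> target" and the closing comma, e.g. "/usr/sbin/sendmail Cxr -> sendmail,"
RULE = re.compile(r"^\s*(?:(?:audit|owner)\s+)*(?P<path>/\S*)\s+(?P<perms>[A-Za-z]+)"
                  r"(?:\s*->\s*(?P<target>[^,\s]+))?\s*,")

def exec_mode(perms):
    """Return the exec qualifier plus 'x' ("Ux", "ix", "Cx", "pux", ...) or None."""
    m = re.search(r"[pPcCuUi]*x", perms)
    return m.group(0) if m else None

def exec_rules(profile_text):
    """List (line_no, path, mode, target) for every rule that permits execution."""
    found = []
    for line_no, line in enumerate(profile_text.splitlines(), 1):
        m = RULE.match(line)
        mode = exec_mode(m.group("perms")) if m else None
        if mode:
            found.append((line_no, m.group("path"), mode, m.group("target")))
    return found

def leaves_confinement(mode):
    """True for ux/Ux and for the pux/cux family, which fall back to unconfined."""
    return "u" in mode.lower()

# Constructed sample: the two rules from the question, then the child-profile
# form from the reply. The outer profile name is made up for this example.
BEFORE = """profile wordpress_example {
  /bin/bash ixr,
  /usr/sbin/sendmail Uxr,
}"""
AFTER = """profile wordpress_example {
  /bin/bash ixr,
  /usr/sbin/sendmail Cxr -> sendmail,
  profile sendmail {
    #include <abstractions/base>
    /usr/sbin/sendmail ixr,
  }
}"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        for line_no, path, mode, target in exec_rules(text):
            flag = "UNCONFINED" if leaves_confinement(mode) else "confined"
            print(f"{name}:{line_no} {path} {mode} -> {target or '-'} [{flag}]")
```

Run against a real profile by passing the file's contents to exec_rules(); any rule it flags is a candidate for the Cx or Px forms shown in the reply.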