enterprise-support team mailing list archive
Message #08353
[Bug 1913306] [NEW] slapd Apparmor profile allows /tmp widely
Public bug reported:
Currently debian/apparmor-profile defines:
  /var/tmp/** rw,
This is quite wide. Can we narrow it down? There are a couple of
alternative opportunities here:
1) Remove that line, and define instead more specific path rules, such
as "/var/tmp/krb5_*.rcache2 rwk" that we recently added. A risk here is
that it's difficult for us to determine and track the necessary paths,
since some may be related to functionality that we don't have dep8 test
coverage for.
2) Retain that line, add a "k", move slapd to a native systemd service
and use PrivateTmp=yes.
A third opportunity, independent of the above, is to move the rules to
an abstraction that any sasl+gssapi+krb5-using service could include.
This discussion came up in
https://code.launchpad.net/~racb/ubuntu/+source/openldap/+git/openldap/+merge/396853,
but we focused on fixing only the immediate issue there, leaving this
bug open for another time.
** Affects: openldap (Ubuntu)
Importance: Medium
Status: Triaged
--
https://bugs.launchpad.net/bugs/1913306
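An added example, not part of the bug report or of the openldap packaging: a small Python check that lists a profile's rules under /tmp and /var/tmp, marking the ones that grant write access to the whole directory and whether each carries the "k" (lock) permission. The function name and the sample profile are constructed for illustration, and only the plain "path perms," rule form is parsed.

```python
import re

# Temp directories whose blanket exposure the report is about.
TMP_ROOTS = ("/tmp/", "/var/tmp/")

# Plain "path perms," file rule with optional audit/owner qualifiers.
# Deny rules and the "perms path," form are not matched (assumed out of scope).
RULE = re.compile(
    r"^\s*(?:(?:audit|owner)\s+)*(?P<path>/\S*)\s+(?P<perms>[a-zA-Z]+),\s*(?:#.*)?$"
)

def audit_tmp_rules(profile_text):
    """Return one dict per allow rule that targets /tmp or /var/tmp."""
    findings = []
    for line_no, line in enumerate(profile_text.splitlines(), 1):
        m = RULE.match(line)
        if not m:
            continue
        path, perms = m.group("path"), m.group("perms")
        root = next((r for r in TMP_ROOTS if path.startswith(r)), None)
        if root is None:
            continue
        rest = path[len(root):]
        findings.append({
            "line": line_no,
            "path": path,
            "perms": perms,
            # "wide": write access to everything below the temp directory
            "wide": "w" in perms and rest in ("*", "**"),
            # "lock": rule already carries the k permission
            "lock": "k" in perms,
        })
    return findings

# Constructed sample, not the real debian/apparmor-profile.
SAMPLE = """\
# constructed sample profile
/usr/sbin/slapd {
  /etc/ldap/** r,
  /var/tmp/** rw,
  /var/tmp/krb5_*.rcache2 rwk,
  deny /tmp/** w,
}
"""

if __name__ == "__main__":
    for f in audit_tmp_rules(SAMPLE):
        flag = "WIDE" if f["wide"] else "ok"
        print(f'{flag:4} line {f["line"]}: {f["path"]} {f["perms"]}')
```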