group.of.nepali.translators team mailing list archive

[Bug 1659801] Re: apparmor rules block ejabberdctl

 

** Also affects: ejabberd (Ubuntu Xenial)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1659801

Title:
  apparmor rules block ejabberdctl

Status in ejabberd package in Ubuntu:
  Fix Released
Status in ejabberd source package in Xenial:
  New
Status in ejabberd package in Debian:
  Fix Released

Bug description:
  Hi,

  I am just trying to install ejabberd in a fresh Ubuntu 16.04 LXD
  container running on a 16.10 host.


  I found that I cannot run ejabberdctl directly as root:

  # ejabberdctl 
  /usr/sbin/ejabberdctl: line 428:  2886 Segmentation fault      $EXEC_CMD "$CMD"

  
  strace reveals what happens:

  2861  execve("/bin/su", ["su", "ejabberd", "-c", "/usr/bin/erl -sname ctl-2841-ejabberd           -noinput -hidden  -s ejabberd_ctl          -extra ejabberd            "], [/* 23 vars */]) = -1 EACCES (Permission denied)
  2861  --- SIGSEGV {si_signo=SIGSEGV, si_code=SI_KERNEL, si_addr=0} ---
  2861  +++ killed by SIGSEGV +++

  
  It is not allowed to execute su to become ejabberd, because apparmor does not allow this:

  
  [ 7827.594020] audit: type=1400 audit(1485515038.865:156): apparmor="DENIED" operation="file_mmap" namespace="root//lxd-ansitest_<var-lib-lxd>" profile="/usr/sbin/ejabberdctl//su" name="/bin/su" pid=12861 comm="su" requested_mask="m" denied_mask="m" fsuid=165536 ouid=165536



  But if I do it the other way round (i.e. su outside of ejabberdctl),
  it works:

  su ejabberd -c ejabberdctl

  
  since then the su is not covered by the apparmor profile of ejabberdctl. 



  Is that behaviour intended?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ejabberd/+bug/1659801/+subscriptions
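
The audit record in the report names the profile `/usr/sbin/ejabberdctl//su`, that is, the `su` child profile of ejabberdctl, and the denied permission `m` (executable mmap) on `/bin/su`. The Python below is an added example, not part of the bug report or of the ejabberd packaging: it parses such a record and derives the file rule it implies. The helper names `parse_denial` and `summarize` are hypothetical, and the rule it produces is a candidate for review, not the fix that was released.

```python
import re

# Denial line quoted in the bug report, embedded so this runs offline.
SAMPLE = (
    '[ 7827.594020] audit: type=1400 audit(1485515038.865:156): '
    'apparmor="DENIED" operation="file_mmap" '
    'namespace="root//lxd-ansitest_<var-lib-lxd>" profile="/usr/sbin/ejabberdctl//su" '
    'name="/bin/su" pid=12861 comm="su" requested_mask="m" denied_mask="m"'
)
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def parse_denial(line):
    """Return the key=value fields of an AppArmor DENIED record, else None."""
    fields = {}
    for key, quoted, bare in FIELD.findall(line):
        value = quoted or bare
        # The kernel hex-encodes strings holding spaces or quotes; those
        # arrive unquoted, so decode them for the string-valued fields.
        if bare and key in ("name", "profile", "comm") and HEX.fullmatch(bare):
            value = bytes.fromhex(bare).decode("utf-8", "replace")
        fields[key] = value
    return fields if fields.get("apparmor") == "DENIED" else None


def summarize(line):
    """Describe a file denial: parent and child profile, candidate rule."""
    f = parse_denial(line)
    if f is None or "name" not in f:
        return None
    # "parent//child": the child profile confines a program run by the parent.
    parent, _, child = f.get("profile", "").partition("//")
    # Log masks c (create) and d (delete) are covered by w in policy; x needs
    # an explicit transition mode (ix, Px, Cx ...), so it is never guessed.
    perms = "".join(dict.fromkeys("w" if p in "cd" else p
                                  for p in f["denied_mask"] if p in "rwamklcd"))
    path = f'"{f["name"]}"' if " " in f["name"] else f["name"]
    return {
        "parent": parent,
        "child": child or None,
        "needs_exec_decision": "x" in f["denied_mask"],
        "candidate_rule": f"{path} {perms}," if perms else None,
    }


if __name__ == "__main__":
    print(summarize(SAMPLE))
```

For the record above it reports parent `/usr/sbin/ejabberdctl`, child `su`, and the candidate rule `/bin/su m,`, which belongs in the child profile rather than the parent.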