touch-packages team mailing list archive
Message #25305
[Bug 1210514] Re: Default apache prefork profile doesn't allow chown
** Changed in: apparmor (Ubuntu)
Status: New => Triaged
** Changed in: apparmor (Ubuntu)
Importance: Undecided => Low
** Tags added: policy
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1210514
Title:
Default apache prefork profile doesn't allow chown
Status in “apparmor” package in Ubuntu:
Triaged
Bug description:
About every other day, I would see this in my kern.log:
    kernel: [11118879.416945] type=1502
    audit(1375943374.913:25651799): operation="capable" pid=20505
    parent=28609 profile="/usr/lib/apache2/mpm-prefork/apache2"
    name="chown"
It would seem that the master process is trying to chown something for
the benefit of one of the worker processes (who have dropped
privilege), and this is part of the ordinary function of Apache.
When I spoke to jdstrand, he seemed to agree with my workaround of
dropping a "capability chown," into a file in
/etc/apparmor.d/apache2.d/ on all my systems.
Still, it seems like a useful thing to have in the default as shipped.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1210514/+subscriptions
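
Added example (not part of the original bug report and not code from the AppArmor project): a Python parser that pulls operation="capable" records out of kern.log text and groups them by profile, so the capabilities a profile actually requests can be reviewed before a rule such as "capability chown," goes into a local include. It goes beyond the single record quoted above by also accepting the newer record layout that carries capname=; the function names are hypothetical, and every sample line except the first is constructed.

```python
import re
from collections import Counter

# Constructed sample input: line 1 is the record quoted in the report, joined
# onto one line; the remaining lines are made up for this example.
SAMPLE_KERN_LOG = """\
kernel: [11118879.416945] type=1502 audit(1375943374.913:25651799): operation="capable" pid=20505 parent=28609 profile="/usr/lib/apache2/mpm-prefork/apache2" name="chown"
kernel: [11118990.000001] type=1400 audit(1375943485.100:25651800): apparmor="DENIED" operation="capable" profile="/usr/lib/apache2/mpm-prefork/apache2" pid=20511 comm="apache2" capability=0 capname="chown"
kernel: [11119001.000002] type=1400 audit(1375943496.200:25651801): apparmor="DENIED" operation="open" profile="/usr/lib/apache2/mpm-prefork/apache2" name="/srv/private/key.pem" pid=20511 comm="apache2" requested_mask="r" denied_mask="r" fsuid=33 ouid=0
kernel: [11119002.000003] usb 1-1: new high-speed USB device number 4 using xhci_hcd
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Capability names are lowercase words; anything else is not copied into a
# rule, so log content can never smuggle extra policy text into the output.
CAP_NAME = re.compile(r'[a-z_]+\Z')

def capability_events(log_text):
    """Return (profile, capability, audit_type) for each capability-check record."""
    events = []
    for line in log_text.splitlines():
        fields = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                  for m in FIELD.finditer(line)}
        if fields.get("operation") != "capable":
            continue  # file, network and non-audit lines are ignored
        # Older records (as in the report) use name=, newer ones use capname=.
        cap = fields.get("capname") or fields.get("name", "")
        profile = fields.get("profile")
        if profile and CAP_NAME.match(cap):
            events.append((profile, cap, fields.get("type")))
    return events

def suggested_rules(log_text):
    """Map each profile to candidate 'capability X,' lines with hit counts."""
    counts = Counter((p, c) for p, c, _ in capability_events(log_text))
    rules = {}
    for (profile, cap), n in sorted(counts.items()):
        rules.setdefault(profile, []).append(f"capability {cap},  # seen {n}x")
    return rules

if __name__ == "__main__":
    for profile, lines in suggested_rules(SAMPLE_KERN_LOG).items():
        print(f"# candidate additions for {profile}")
        print("\n".join(lines))
```

The output is a list of candidates for review, not a policy; a line that is accepted goes into a file under /etc/apparmor.d/apache2.d/ as described in the report.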