touch-packages team mailing list archive

[Bug 1210514] Re: Default apache prefork profile doesn't allow chown

 

** Tags removed: policy
** Tags added: aa-policy

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1210514

Title:
  Default apache prefork profile doesn't allow chown

Status in “apparmor” package in Ubuntu:
  Triaged

Bug description:
  About every other day, I would see this in my kern.log:

      kernel: [11118879.416945] type=1502 audit(1375943374.913:25651799):  operation="capable" pid=20505 parent=28609 profile="/usr/lib/apache2/mpm-prefork/apache2" name="chown"

  It would seem that the master process is trying to chown something for
  the benefit of one of the worker processes (who have dropped
  privilege), and this is part of the ordinary function of Apache.

  When I spoke to jdstrand, he seemed to agree with my workaround of
  dropping a "capability chown," into a file in
  /etc/apparmor.d/apache2.d/ on all my systems.

  Still, it seems like a useful thing to have in the default as shipped.

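
An added example, not part of the bug report or of the apparmor package: a Python script that scans kern.log text for `operation="capable"` events like the one quoted in the description and lists, per profile, the `capability <name>,` lines a reviewer could consider for a file under /etc/apparmor.d/apache2.d/. Only the first sample line comes from the report; the other two are constructed, and all function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: line 1 is the event from the report joined onto one line;
# lines 2 and 3 are constructed for this example.
SAMPLE_LOG = """\
kernel: [11118879.416945] type=1502 audit(1375943374.913:25651799):  operation="capable" pid=20505 parent=28609 profile="/usr/lib/apache2/mpm-prefork/apache2" name="chown"
kernel: [11118880.000001] type=1502 audit(1375943375.100:25651800):  operation="open" pid=20506 parent=28609 profile="/usr/lib/apache2/mpm-prefork/apache2" name="/tmp/example"
kernel: [11205279.500000] type=1502 audit(1376029774.913:25660001):  operation="capable" pid=31001 parent=28609 profile="/usr/lib/apache2/mpm-prefork/apache2" name="chown"
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_fields(line):
    """Return the key=value pairs of one audit line as a dict."""
    return {key: (quoted or bare) for key, quoted, bare in FIELD.findall(line)}

def capability_events(log_text):
    """Map profile -> {capability: count} for operation="capable" events."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = parse_fields(line)
        if fields.get("operation") != "capable" or "profile" not in fields:
            continue
        cap = fields.get("name", "")
        # The name is copied into a policy file, so accept only the plain
        # lowercase/underscore form and drop anything else in the log text.
        if re.fullmatch(r"[a-z_]+", cap):
            seen[fields["profile"]][cap] += 1
    return {profile: dict(caps) for profile, caps in seen.items()}

def candidate_rules(events):
    """Render 'capability <name>,' lines for review, with a count comment."""
    out = []
    for profile, caps in sorted(events.items()):
        for cap, count in sorted(caps.items()):
            out.append(f"# {profile}: {cap} seen {count} time(s)")
            out.append(f"capability {cap},")
    return out

if __name__ == "__main__":
    print("\n".join(candidate_rules(capability_events(SAMPLE_LOG))))
```

The output is a list for review, not something to apply automatically: each capability should be checked against what the confined process is expected to do before the rule goes into the profile.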