touch-packages team mailing list archive

[Bug 1210514] Re: Default apache prefork profile doesn't allow chown

 

** Also affects: apparmor
   Importance: Undecided
       Status: New

** Changed in: apparmor
   Importance: Undecided => Low

** Changed in: apparmor
       Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1210514

Title:
  Default apache prefork profile doesn't allow chown

Status in AppArmor Linux application security framework:
  Triaged
Status in “apparmor” package in Ubuntu:
  Triaged

Bug description:
  About every other day, I would see this in my kern.log:

      kernel: [11118879.416945] type=1502
  audit(1375943374.913:25651799):  operation="capable" pid=20505
  parent=28609 profile="/usr/lib/apache2/mpm-prefork/apache2"
  name="chown"

  It would seem that the master process is trying to chown something for
  the benefit of one of the worker processes (who have dropped
  privilege), and this is part of the ordinary function of Apache.

  When I spoke to jdstrand, he seemed to agree with my workaround of
  dropping a "capability chown," into a file in
  /etc/apparmor.d/apache2.d/ on all my systems.

  Still, it seems like a useful thing to have in the default as shipped.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor/+bug/1210514/+subscriptions
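
Added example, not part of the original bug report or of the AppArmor project: a small Python script that scans kernel log lines for AppArmor operation="capable" records like the one quoted above and lists, per profile, the "capability <name>," rules to review. The function names and sample lines are hypothetical; the capname= field spelling used by later kernels is an assumption about the log format on your system.

```python
import re
from collections import Counter

# Matches key=value and key="value" fields in a kernel audit record.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample input. Line 1 is the record from the bug description
# joined onto one line; lines 2 and 3 are made up for this example.
SAMPLE_LINES = [
    'kernel: [11118879.416945] type=1502 audit(1375943374.913:25651799):  '
    'operation="capable" pid=20505 parent=28609 '
    'profile="/usr/lib/apache2/mpm-prefork/apache2" name="chown"',
    'kernel: [  102.000001] audit: type=1400 audit(1500000000.001:42): '
    'apparmor="DENIED" operation="capable" '
    'profile="/usr/lib/apache2/mpm-prefork/apache2" pid=311 comm="apache2" '
    'capability=0  capname="chown"',
    'kernel: [  103.000001] audit: type=1400 audit(1500000001.001:43): '
    'apparmor="DENIED" operation="open" profile="/usr/sbin/example" '
    'name="/etc/example.conf" pid=312 comm="example"',
]

def parse_capable(line):
    """Return (profile, capability) for an operation="capable" record, else None."""
    fields = {key: quoted or bare for key, quoted, bare in FIELD.findall(line)}
    # For file operations name= holds a path, so filter on the operation first.
    if fields.get("operation") != "capable":
        return None
    cap = fields.get("capname") or fields.get("name")
    profile = fields.get("profile")
    # Log content is untrusted: only accept a plain capability name, so a
    # crafted value can never end up inside a generated rule line.
    if not profile or not cap or not re.fullmatch(r"[a-z_]+", cap):
        return None
    return profile, cap

def summarize(lines):
    """Count capable records per (profile, capability) pair."""
    return Counter(hit for hit in map(parse_capable, lines) if hit)

def candidate_rules(counts):
    """Map each profile to the sorted rule lines a reviewer would consider."""
    rules = {}
    for profile, cap in counts:
        rules.setdefault(profile, set()).add(f"capability {cap},")
    return {profile: sorted(lines) for profile, lines in rules.items()}

if __name__ == "__main__":
    for profile, rules in candidate_rules(summarize(SAMPLE_LINES)).items():
        print(profile, *rules, sep="\n  ")
```

A record only shows that the process requested the capability, so treat the output as a list to review before adding anything to a file under /etc/apparmor.d/apache2.d/.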