Ubuntu
openldap package

slapd Apparmor profile allows /tmp widely

Bug #1913306 reported by Robie Basak
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
openldap (Ubuntu)
Triaged
Medium
Unassigned

Bug Description

Currently debian/apparmor-profile defines:

/var/tmp/** rw,

This is quite wide. Can we narrow it down? There are a couple of alternative opportunities here:

1) Remove that line, and define instead more specific path rules, such as "/var/tmp/krb5_*.rcache2 rwk" that we recently added. A risk here is that it's difficult for us to determine and track the necessary paths, since some may be related to functionality that we don't have dep8 test coverage for.

2) Retain that line, add a "k", move slapd to a native systemd service and use PrivateTmp=yes.

A third opportunity, independent of the above, is to move the rules to an abstraction that any sasl+gssapi+krb5 -using service could include.

This discussion came up in https://code.launchpad.net/~racb/ubuntu/+source/openldap/+git/openldap/+merge/396853, but we focused on fixing only the immediate issue there, leaving this bug open for another time.

See original description

Related branches

~racb/ubuntu/+source/openldap:fix-apparmor-tmp-lock-perms
Christian Ehrhardt  (community): Approve
Bryce Harrington (community): Needs Information
Canonical Server: Pending requested
Canonical Server packageset reviewers: Pending requested
Diff: 30 lines (+11/-0)
2 files modified
debian/apparmor-profile (+1/-0)
debian/changelog (+10/-0)
Revision history for this message
Robie Basak (racb) wrote :

Any advice/comment from the security team on this please?

description: updated
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.