Hello,

On Sunday, 16 July 2017, 11:57:08 CEST, daniel curtis wrote:
> Today I've noticed, that 'usr.sbin.userdel' profile, found in
> /usr/share/doc/apparmor-profiles/extras/ folder, seems to be not very
> "compatible" with *ubuntu (in this case 16.04 LTS Release.) Now, I'll
> explain what I mean.
> 
> 'usr.sbin.userdel' profile contains two rules, related to userdel(8),
> which is a low level utility for removing users etc., right? However,
> these rules/commands do not exist in the *ubuntu distributions. These
> are:
> 
> ✗ /usr/sbin/userdel-post.local
> ✗ /usr/sbin/userdel-pre.local

So it allows executing two (from the Ubuntu POV) non-existing programs? 
No harm done, and...

> While searching for additional information about these commands, it
> turned out that they are a part of the shadow package (for example,
> version 4.2.1-4.1), but on the openSUSE distribution.

... these programs (which are actually bash scripts) indeed exist on 
openSUSE and do things like removing the user's crontab and stopping the 
running processes of that user.

> I wanted to be one hundred percent sure, so I looked for both
> commands on my 16.04 LTS install, but it led to a "No such file or
> directory" result.
> 
> As for "/usr/sbin/userdel-post.local": this command is run
> after removing a user. On the other hand,
> "/usr/sbin/userdel-pre.local" is run before removing a user. But
> this is probably not important information, right?
> 
> I think that both commands should be removed from the profile shipped
> with the Ubuntu AppArmor package. But that's just my personal opinion.
> Nothing more, nothing less.

We attempt to make the profiles cross-distro compatible. If some rules 
are useful for one distribution, and "just useless" on another, we keep 
or add them. Everything else is just making everybody's life harder ;-)

> Now, the second issue: I've also noticed two identical rules/commands
> used in the 'usr.sbin.userdel' profile. These are:
> 
> 44. /usr/sbin/userdel rmix,
> (...)
> 47. /usr/sbin/userdel rmix,
> 
> These numbers indicate the places where these rules occur, of course
> in the default profile from the
> /usr/share/doc/apparmor-profiles/extras/ folder. I think one of those
> rules should or could be removed from the profile.

Indeed, one of them is superfluous.

Therefore, I propose the following patch:

=== modified file 'profiles/apparmor/profiles/extras/usr.sbin.userdel'
--- profiles/apparmor/profiles/extras/usr.sbin.userdel  2016-12-03 09:59:01 
+0000
+++ profiles/apparmor/profiles/extras/usr.sbin.userdel  2017-07-16 20:02:13 
+0000
@@ -44,7 +44,6 @@
   /usr/sbin/userdel rmix,
   /usr/sbin/userdel-post.local rmix,
   /usr/sbin/userdel-pre.local rmix,
-  /usr/sbin/userdel rmix,
   # XXX
   /{,var/}run/nscd.pid r,
   /var/spool/mail/* wl,
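Review bot: dropping the second `/usr/sbin/userdel rmix,` is safe, since the identical rule at the top of the hunk remains and the profile's permissions do not change. While touching this spot, the `# XXX` marker above `/{,var/}run/nscd.pid r,` is still left unexplained; and because the two `.local` hook scripts are given `ix`, they run under this same profile, so on openSUSE the remaining rules have to cover what those scripts do (per the discussion above, removing the user's crontab and stopping the user's processes).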

> I'm sorry for writing about these things. After all, they are not
> something big or important, right? I simply noticed this while
> auditing AppArmor profiles etc.

Having someone look at the profiles (especially those "extra" profiles
which are not really maintained) is always helpful and welcome ;-)


Regards,

Christian Boltz
-- 
> # bluescreen: bluescreen emulator for terminals
I just tested it in a console and, idiot that I am, I really pressed
Ctrl+Alt+Del! Why do you post such dangerous scripts?
[> David Haller and Rüdiger Meier on suse-linux]
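The two issues raised in this thread (a rule listed twice, and exec rules for hook scripts that do not exist on the local distribution) are easy to catch mechanically. The following linter is an added example, not part of the AppArmor project or of the patch above; the profile text and the set of "existing" paths are constructed to mirror the quoted rules.

```python
"""Lint an AppArmor profile for duplicate rules and for exec rules whose
target path does not exist.  Added example; not AppArmor project code."""
import re
from collections import defaultdict

# Constructed sample mirroring the rules quoted in the thread (not the real file).
SAMPLE_PROFILE = """\
#include <tunables/global>
/usr/sbin/userdel {
  #include <abstractions/base>
  /usr/sbin/userdel rmix,
  /usr/sbin/userdel-post.local rmix,
  /usr/sbin/userdel-pre.local rmix,
  /usr/sbin/userdel rmix,
  # XXX
  /{,var/}run/nscd.pid r,
  /var/spool/mail/* wl,
}
"""

# A file rule: absolute path, whitespace, permission letters, trailing comma.
FILE_RULE = re.compile(r"^(/\S+)\s+([a-zA-Z]+),$")

def parse_rules(text):
    """Yield (line_no, rule) for every comma-terminated rule, comments stripped."""
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if line.endswith(","):
            yield no, line

def find_duplicates(text):
    """Return {rule: [line numbers]} for rules that appear more than once."""
    seen = defaultdict(list)
    for no, rule in parse_rules(text):
        seen[rule].append(no)
    return {r: nos for r, nos in seen.items() if len(nos) > 1}

def find_missing_exec_targets(text, exists):
    """Return [(line_no, path)] for exec rules (ix/px/cx/ux) whose literal path
    does not exist.  `exists` is a callable (e.g. os.path.exists, or a
    constructed set's __contains__) so the check can run offline; globbed
    paths are skipped because they cannot be checked literally."""
    missing = []
    for no, rule in parse_rules(text):
        m = FILE_RULE.match(rule)
        if not m:
            continue
        path, perms = m.groups()
        if "x" in perms.lower() and "{" not in path and "*" not in path and not exists(path):
            missing.append((no, path))
    return missing

if __name__ == "__main__":
    ubuntu_paths = {"/usr/sbin/userdel"}          # constructed: no .local hooks on Ubuntu
    print("duplicates:", find_duplicates(SAMPLE_PROFILE))
    print("missing exec targets:", find_missing_exec_targets(SAMPLE_PROFILE, ubuntu_paths.__contains__))
```

Run against a real profile with `open(path).read()` and `os.path.exists` to reproduce the check on the installed system.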


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com