On 02/05/19 16:58, Carsten Schoenert wrote:
[...]
I can remember we have such discussions again and again from time to
time and users are surprised why Thunderbird isn't working any more as
usual or expected after some random update.
Thanks Carsten, I was beginning to think I am a fool!


[...] And users are even more surprised if I
tell them the TB packaging in Stretch never had an automatically
activated AA profile, in other words, they have activated it by
themselves.
Well, I'm not alone...

In this report there are two things that have come together in my eyes.

1.) An activated AA profile for Thunderbird.

2.) A different path for ${HOME} because of a membership within a
     Windows domain.

The first one isn't a big problem anymore in newer days, the current AA
profile is covering for sure about 95% of the use cases.
Now I'm in the 95%... I mean, after adding the remote users' homes root in the tunables home I have re-enabled the TB AA profile and everything seems to work flawlessly, but in a more secure manner I hope! ;)

The second point isn't covered nicely until now in the AppArmor
installations within Debian at least. But I think also that Thunderbird
isn't the only package that will suffer from this problem and we will
need a more general solution for this. And this needs to go into
AppArmor itself instead of everybody trying to implement some super
logic within their AA package profile.
I don't know the AppArmor code and I imagine that the answer is no, but... can't you get the user's $HOME variable?

Currently I've no idea how to detect a membership of a Windows domain
nicely, for sure this is solvable by some PAM voodoo. I have simply no
knowledge in this area. And I have no environment to test something. It
seems we just need to trigger a dpkg-reconfigure of AA if the PC is
within a domain membership.
To know if a PC is a domain member you can check it, as root, with the command "net rpc testjoin"... but the user that is opening TB can be a domain user or a local user.

Anyway, Carsten, thank you very much, and remember that if you need a tester I'm here!

Piviul
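
The following is an added example, not part of the original message or of AppArmor itself: a small check that reports which account home directories fall outside the AppArmor home tunable, which is the mismatch discussed in this thread. It assumes the stock definitions `@{HOMEDIRS}=/home/` and `@{HOME}=@{HOMEDIRS}*/ /root/`; the passwd lines and the `/home/EXAMPLEDOM/` path are constructed placeholders.

```python
import re

# Constructed samples: tunable lines in AppArmor syntax and getent-style
# passwd lines. /home/EXAMPLEDOM/ is a placeholder, not from the thread.
STOCK = "# stock tunable\n@{HOMEDIRS}=/home/\n"
SITE = "@{HOMEDIRS}+=/home/EXAMPLEDOM/\n"
PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000::/home/alice:/bin/bash\n"
    "EXAMPLEDOM\\bob:*:11105:10513::/home/EXAMPLEDOM/bob:/bin/bash\n"
)

def parse_homedirs(text):
    """Collect every value given to @{HOMEDIRS} ('=' defines, '+=' appends)."""
    dirs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"@\{HOMEDIRS\}\s*\+?=\s*(.+)$", line)
        if m:
            dirs.extend(m.group(1).split())
    return dirs

def covered(home, homedirs):
    """True if home matches @{HOMEDIRS}*/ or /root/ (assumed @{HOME})."""
    home = home.rstrip("/") + "/"
    if home == "/root/":
        return True
    for base in homedirs:
        base = base.rstrip("/") + "/"
        if home.startswith(base):
            rest = home[len(base):-1]
            # '*' in an AppArmor glob never crosses '/', so exactly one
            # path component may follow the base directory.
            if rest and "/" not in rest:
                return True
    return False

def uncovered_homes(passwd_text, homedirs, min_uid=1000):
    """Home directories of regular accounts that the tunable does not match."""
    missing = []
    for entry in passwd_text.splitlines():
        fields = entry.split(":")
        if len(fields) < 7 or int(fields[2]) < min_uid:
            continue
        if not covered(fields[5], homedirs):
            missing.append(fields[5])
    return missing

if __name__ == "__main__":
    print("stock tunable:", uncovered_homes(PASSWD, parse_homedirs(STOCK)))
    print("with site entry:", uncovered_homes(PASSWD, parse_homedirs(STOCK + SITE)))
```

On a real system the same functions can be fed the output of `getent passwd` and the contents of the local tunables files.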
