Re: [R] R library highcharter function highchart() execute with exception the apparmor read denied for /etc/passwd and /etc/group

2023-08-09 Thread Gu, Jay via R-help 
Hi Ivan,

I'm running the R within docker container. Do you have any idea about it? 
Thanks!


Best Regards!
Jay Gu

-Original Message-
From: Ivan Krylov  
Sent: Wednesday, August 9, 2023 3:15 AM
To: Gu, Jay via R-help 
Cc: Gu, Jay 
Subject: Re: [R] R library highcharter function highchart() execute with 
exception the apparmor read denied for /etc/passwd and /etc/group

[You don't often get email from krylov.r...@gmail.com. Learn why this is 
important at https://aka.ms/LearnAboutSenderIdentification ]

On Tue, 8 Aug 2023 10:39:15 +0000
"Gu, Jay via R-help"  wrote:

>  Then I execute the function highchart() it always throw the
> exception that child process has died. And I checked the
> /var/log/kern.log and found below error:
>
> Aug 7 08:37:50 ip-172-31-27-249 kernel: [2251703.494866] audit:
> type=1400 audit(1691397470.399:739): apparmor="DENIED"
> operation="open" profile="managedr-profile" name="/etc/passwd"
> pid=159930 comm="R" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=0

It's not that terrible to let a program access /etc/passwd. It does
contain the list of the users, which is a privacy risk, true, but at
least the passwords are safely hashed and hidden away in /etc/shadow.

Searching the CRAN mirror on GitHub for "/etc/passwd" gives quite a few
hits, and so does "getpwuid". There are likely other POSIX functions
that read /etc/passwd too. Any of highcharter's 68 dependencies could
be trying to read /etc/passwd directly or indirectly. (Could be fs,
could be some other package.)

If you run R -d gdb and let it crash, what does the backtrace say?

I think it's likely that the /etc/passwd access won't be easy to get
rid of, so if you don't want to give R access to it, you might want to
run it inside a container or a virtual machine.

--
Best regards,
Ivan

__
R-help@r-project.org mailing list -- To UNSUBSCRIBE and more, see
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.

[R] R library highcharter function highchart() execute with exception the apparmor read denied for /etc/passwd and /etc/group

2023-08-08 Thread Gu, Jay via R-help 
Dears,


I use the R library highcharter with ubuntu 18.04 and R 3.6.3. Recently, I 
upgraded to ubuntu 20.04 and R 4.3.1. And the version of library highcharter 
are both 0.9.4. Then I execute the function highchart() it always throw the 
exception that child process has died. And I checked the /var/log/kern.log and 
found below error:

Aug 7 08:37:50 ip-172-31-27-249 kernel: [2251703.494866] audit: type=1400 
audit(1691397470.399:739): apparmor="DENIED" operation="open" 
profile="managedr-profile" name="/etc/passwd" pid=159930 comm="R" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 7 08:37:50 ip-172-31-27-249 kernel: [2251703.494871] audit: type=1400 
audit(1691397470.399:740): apparmor="DENIED" operation="open" 
profile="managedr-profile" name="/etc/group" pid=159930 comm="R" 
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

If I add below two lines in my apparmor profile it will resolve this issue. But 
I don't like to expose these two files to end user as it has potential risk.
/etc/passwd r,
/etc/group r,

I'd like to know if there is any solution to fix it without giving the read 
access for these two files /etc/passwd and /etc/group in the apparmor profile 
as I did with ubuntu 18.04 and R 3.6.3. Thanks!
Best Regards!
Jay Gu


[[alternative HTML version deleted]]

__
R-help@r-project.org mailing list -- To UNSUBSCRIBE and more, see
https://stat.ethz.ch/mailman/listinfo/r-help
PLEASE do read the posting guide http://www.R-project.org/posting-guide.html
and provide commented, minimal, self-contained, reproducible code.