[Bug 1862331] Re: [upstream] mozilla cert8.db and key3.db are denied by apparmor

2020-11-30 Thread Sebastien Bacher
** Changed in: libreoffice (Ubuntu)
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1862331

Title:
  [upstream] mozilla cert8.db and key3.db are denied by apparmor

To manage notifications about this bug go to:
https://bugs.launchpad.net/df-libreoffice/+bug/1862331/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1862331]

2020-11-27 Thread Rene Engelhard
the UI btw would be "certutil"


[Bug 1862331]

2020-11-27 Thread Rene Engelhard
well, obviously the firefox profile is used because NSS wants to find
its certificates for digital signing.

I would also argue that it shouldn't request "w" permissions, but "r" is
expected.

I also suggested using ~/.pki/nssdb but...

16:41 < _rene_> is there any plan to be able to use ~/.pki/nssdb? (see https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX)
16:41 < _rene_> instead of the mozilla profile?
16:42 -!- hallnknight [~hallnknig@2401:4900:3b30:951d:983d:6f8:9c88:2aef] has joined #libreoffice-dev
16:42 < _rene_> (context: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975951 and https://bugs.documentfoundation.org/show_bug.cgi?id=119811)
16:42 < IZBot> bug 119811: LibreOffice-LibreOffice normal/medium NEW LibreOffice 6.0.6 spies on my Firefox keychain when opening MS documents
16:43 < mst___> _rene_, if there's some UI for users to add their certs to that location then sure
16:44 < _rene_> one can do so without a UI? not everything needs a UI?
16:44 < _rene_> at least make it honour that path in addition
16:45 < _rene_> mst___: users nowadays also don't use firefox :)
16:48 <@thorsten> _rene_: thought nss can only use one path?
16:49 < _rene_> no idea, can't one initialize nss two times and use one instance for firefox and the other for that one?
16:49 < _rene_> I mean, there must be more application not relying only on firefox?
16:50 <@thorsten> we had similar issues with thunderbird vs. firefox cert stores,
16:50 < _rene_> mmh
16:50 <@thorsten> IIRC the suggestion was for users to set the proper env var,
16:50 <@thorsten> and we're off the hook?
16:50 <@vmiklos> or just set their preferred path in LO, using tools -> options
16:51 < _rene_> but MOZILLA_CERTIFICATE_FOLDER if you mean that will expect a firefox profile and not work with ~/.pki/nssdb, will it?
16:52 <@vmiklos> you would have to check, possibly both just contain files like certX.db and keyY.db, so perhaps works out of the box
16:52 -!- OlegShtch [~Thunderbi@37.112.63.140] has joined #libreoffice-dev
16:52 < _rene_> ah, right, there's the "Options", didn't know
16:54 < _rene_> ok, related to this:
16:54 < _rene_> why does LO request w permissions?
16:54 < _rene_> r should simply suffice, shouldn't it?
16:55 < _rene_> or is this nss actually opening it? (I guess so...)
16:56 -!- hallnknight [~hallnknig@2401:4900:3b30:951d:983d:6f8:9c88:2aef] has quit [Ping timeout: 264 seconds]
16:56 -!- sberg [~sb...@dynamic-077-003-206-224.77.3.pool.telefonica.de] has quit [Quit: Leaving]
16:56 <@vmiklos> i guess ideally it should be read-only, right.
16:56 -!- hallnknight [~hallnknig@223.187.154.213] has joined #libreoffice-dev
16:57  * _rene_ writes that into https://bugs.documentfoundation.org/show_bug.cgi?id=119811
16:57 < IZBot> bug 119811: LibreOffice-LibreOffice normal/medium NEW LibreOffice 6.0.6 spies on my Firefox keychain when opening MS documents
16:57 < _rene_> (with the chat here cut'n'pasted)


[Bug 1862331] Re: [upstream] mozilla cert8.db and key3.db are denied by apparmor

2020-11-27 Thread Bug Watch Updater
** Bug watch added: Debian Bug tracker #975951
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=975951



[Bug 1862331] Re: [upstream] mozilla cert8.db and key3.db are denied by apparmor

2020-02-10 Thread dinar qurbanov
Feb  6 20:53:48 dinar-Lenovo-G580 kernel: [104675.599346] audit: type=1400 audit(1581011628.880:900): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/dinar/.mozilla/firefox/sge95l3o.default/cert8.db" pid=16630 comm="soffice.bin" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Feb  6 20:53:48 dinar-Lenovo-G580 kernel: [104675.600771] audit: type=1400 audit(1581011628.880:901): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/dinar/.mozilla/firefox/sge95l3o.default/key3.db" pid=16630 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000

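Added example (not part of the original report, and not LibreOffice or AppArmor code): a small parser for AppArmor audit records like the ones quoted above, listing every access a confined profile made to an NSS certificate or key database and whether it asked for more than read access. The sample records are constructed, and the function names are this example's own; `apparmor="ALLOWED"` is what a profile in complain mode logs, while an enforcing profile logs `DENIED`.

```python
import re

# Constructed sample records modelled on the format quoted in this thread
# (host, user, profile directory and audit ids are made up).
SAMPLE_LOG = """\
Feb  6 20:53:48 host kernel: [1.0] audit: type=1400 audit(1581011628.880:900): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/alice/.mozilla/firefox/abcd1234.default/cert8.db" pid=16630 comm="soffice.bin" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Feb  6 20:53:48 host kernel: [1.1] audit: type=1400 audit(1581011628.880:901): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/alice/.mozilla/firefox/abcd1234.default/key3.db" pid=16630 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Feb  6 20:53:57 host kernel: [1.2] audit: type=1400 audit(1581011637.018:902): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/version" pid=16630 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Feb  6 20:54:02 host kernel: [1.3] audit: type=1400 audit(1581011642.500:903): apparmor="DENIED" operation="open" profile="libreoffice-soffice" name="/home/alice/.pki/nssdb/cert9.db" pid=16630 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
"""

KEY_VALUE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Legacy (cert8/key3) and SQLite (cert9/key4) NSS database file names.
NSS_DB = re.compile(r'/(cert[89]|key[34])\.db$')
# Mask letters that modify a file: write, append, create, delete.
MODIFYING = set("wacd")


def parse_record(line):
    """Return the key=value fields of one AppArmor audit record, or None."""
    if "apparmor=" not in line:
        return None
    return {key: value.strip('"') for key, value in KEY_VALUE.findall(line)}


def nss_db_accesses(log_text, profile="libreoffice-soffice"):
    """List NSS database accesses logged for `profile`, in log order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if not rec or rec.get("profile") != profile:
            continue
        path = rec.get("name", "")
        if not NSS_DB.search(path):
            continue
        mask = rec.get("requested_mask", "")
        findings.append({
            "path": path,
            "verdict": rec["apparmor"],          # ALLOWED = complain mode
            "requested": mask,
            "wants_write": bool(MODIFYING & set(mask)),
        })
    return findings


if __name__ == "__main__":
    for f in nss_db_accesses(SAMPLE_LOG):
        print(f["verdict"], f["requested"], f["path"],
              "WRITE REQUESTED" if f["wants_write"] else "read-only")
```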

[Bug 1862331] Re: [upstream] mozilla cert8.db and key3.db are denied by apparmor

2020-02-10 Thread Bug Watch Updater
Launchpad has imported 3 comments from the remote bug at
https://bugs.documentfoundation.org/show_bug.cgi?id=119811.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.


On 2018-09-11T16:47:58+00:00 Libreoffice-a wrote:

Description:
When opening a docx, xlsx or pptx file, LibreOffice tries to access my Firefox's 
certificate store and keychain (as reported by default AppArmor rules provided 
by Canonical on Ubuntu 18.04).
Said files have no digital signature to check; if it were the case, it would be 
required to use system's certificate store and/or seahorse's certificate store.

Affected versions are 6.0.3 provided by Canonical and 6.0.6 provided by
document foundation launchpad PPA.

There are no visible reasons for LibreOffice to try to read anything
from Firefox.

Here are the logs produced by AppArmor when opening such files :

home/Magissia/.mozilla/firefox/mwad0hks.default/cert8.db" pid=19509 comm="soffice.bin" requested_mask="w" denied_mask="w" fsuid=1000 ouid=1000
Sep 11 18:25:31 Marshmallow kernel: [18154.693846] audit: type=1400 audit(1536683131.498:70): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/home/Magissia/.mozilla/firefox/mwad0hks.default/key3.db" pid=19509 comm="soffice.bin" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Sep 11 18:25:40 Marshmallow kernel: [18163.215743] audit: type=1400 audit(1536683140.018:71): apparmor="ALLOWED" operation="open" profile="libreoffice-soffice" name="/proc/version" pid=19509 comm="soffice.bin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

Steps to Reproduce:
1. Open any docx file created with Microsoft Word 2013 or superior
2. Enjoy invasion of privacy

Actual Results:
LibreOffice tries to read private files that have nothing to do with the 
document or LibreOffice

Expected Results:
Not reading Firefox's files when opening documents


Reproducible: Always


User Profile Reset: Yes


OpenGL enabled: Yes

Additional Info:
Version: 6.0.6.2
Build ID: 1:6.0.6-0ubuntu0.18.04.1
Threads CPU : 2; OS : Linux 4.15; UI Render : par défaut; VCL: gtk3; 
Locale : fr-FR (fr_FR.UTF-8); Calc: group

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1862331/comments/0

--------
On 2018-09-12T10:28:32+00:00 Thb-b wrote:


*** This bug has been marked as a duplicate of bug 118593 ***

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1862331/comments/1


On 2020-02-10T16:58:52+00:00 Olivier Tilloy wrote:

I'm removing the duplicate status: bug 118593 is about loading
xmlsecurity at startup even when not needed, whereas this one is a
concern about what xmlsecurity does to access firefox's certificates DB.

I'm not a security expert but this looks like a valid concern to me,
especially since libreoffice requests write mode to cert8.db and
key3.db. Is this really needed? Is there a design doc that explains why?

Reply at:
https://bugs.launchpad.net/ubuntu/+source/libreoffice/+bug/1862331/comments/4


** Changed in: df-libreoffice
   Status: Unknown => Confirmed

** Changed in: df-libreoffice
   Importance: Unknown => Medium


[Bug 1862331] Re: mozilla cert8.db and key3.db are denied by apparmor

2020-02-10 Thread Olivier Tilloy
Thanks for the report.
It would be useful if you could share the exact apparmor denials here, for 
reference.

https://bugs.documentfoundation.org/show_bug.cgi?id=119811 was marked as
a duplicate of another upstream bug, incorrectly IMHO.

** Bug watch added: Document Foundation Bugzilla #119811
   https://bugs.documentfoundation.org/show_bug.cgi?id=119811

** Also affects: df-libreoffice via
   https://bugs.documentfoundation.org/show_bug.cgi?id=119811
   Importance: Unknown
   Status: Unknown

** Summary changed:

- mozilla cert8.db and key3.db are denied by apparmor
+ [upstream] mozilla cert8.db and key3.db are denied by apparmor


[Bug 1862331] [NEW] mozilla cert8.db and key3.db are denied by apparmor

2020-02-07 Thread dinar qurbanov
Public bug reported:

LibreOffice accesses Firefox's cert8.db and key3.db; I have found this from 
AppArmor log messages.
I googled "libreoffice cert8.db key3.db" and have found out that it seems 
LibreOffice does this by design. See 
https://bugs.documentfoundation.org/show_bug.cgi?id=119811 , 
https://weekly-geekly.github.io/articles/357692/index.html . Do you agree with 
this? Then there should be an allow rule, I think. If you do not, then there 
should be a comment and/or a deny rule.

Does LibreOffice really need write access to these files? I think it can
potentially add some bad certificates, and some sites would have a
verified sign then, while the user has not added it to exceptions.

I think if the user has not secured his master password, it can be
considered OK if some app can access his passwords.

I think these pages can also be helpful:
https://stackoverflow.com/questions/45126738/what-is-cert8-db-and-key3-db-file ,
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil ;
these were found by googling "cert8.db key3.db". This can also be helpful:
https://en.wikipedia.org/wiki/Public_key_certificate .

** Affects: libreoffice (Ubuntu)
 Importance: Undecided
 Status: New
