[Bug 324645] Re: Hardy i386 Cupsd crash with SIGSEGV with PAM/Kerberos Auth

Tim Southerwood Sat, 14 Feb 2009 13:00:27 -0800

-- I emailed a reply but it didn;t appear, so I'm posting the text
straight in


Hi Martin,

Sure - here you go:

Martin Pitt wrote:
> > Can you please reproduce the situation that caused an error before, and
> > attach /var/log/kern.log? This will show me the exact violations that
> > cause this. Thanks!
> > 
> > ** Changed in: cupsys (Ubuntu)
> >      Assignee: (unassigned) => Martin Pitt (pitti)
> >        Status: New => Incomplete
> > 

1st level failure after aa-enforce /usr/sbin/cups; /etc/init.d/cupsys
restart and then try to log into a secure cups page:

2009/02/13 09:41:07 notice      kern    rodan   kernel: [558478.665721]
audit(1234518067.729:18151): type=1503 operation="inode_permission"
requested_mask="a::" denied_mask="a::" name="/dev/tty" pid=12486
profile="/usr/sbin/cupsd" namespace="default"
2009/02/13 09:41:07 notice      kern    rodan   kernel: [558478.665903]
audit(1234518067.729:18152): type=1503 operation="inode_permission"
requested_mask="w::" denied_mask="w::" name="/etc/krb5.conf" pid=12486
profile="/usr/sbin/cupsd" namespace="default"


----

Then I add "/etc/krb5.conf r," to app-armour for usr.sbin.cupsd

Rinse, lather, repeat and we get:

2009/02/13 09:45:33 notice      kern    rodan   kernel: [558743.850245]
audit(1234518333.342:18155): type=1503 operation="file_lock"
requested_mask="k::" denied_mask="k::" name="/etc/krb5.keytab" pid=12702
profile="/usr/sbin/cupsd" namespace="default"


So I add

/etc/krb5.keytab k,

(what's "k")?
----

Then we get:
2009/02/13 09:48:28 notice      kern    rodan   kernel: [558918.559183]
audit(1234518508.333:18172): type=1503 operation="file_lock"
requested_mask="wk::" denied_mask="k::" name="/tmp/krb5cc_pam_CBTQ2A"
pid=13023 profile="/usr/sbin/cupsd" namespace="default"

(which is the kerberos ticket cache)

*Don't* assume the form of the name of that temp file - it's
configurable.

So I add:
/tmp/** rkw,

-----

Re-init and that *seems* to work.

Kerberos auth via PAM is now operational.

But, I have little understanding of apparmor so you may be able to see
sillyness in what I've done.

Cheers - and thanks  :)

Glad to be able to help make a great distro 0.0001% better  :)

Best wishes

Tim

-- 
Hardy i386 Cupsd crash with SIGSEGV with PAM/Kerberos Auth
https://bugs.launchpad.net/bugs/324645
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 324645] Re: Hardy i386 Cupsd crash with SIGSEGV with PAM/Kerberos Auth

Reply via email to