add apparmor profile for cobblerd

Bug #975442 reported by Jamie Strandboge
Affects | Status | Importance | Assigned to | Milestone
maas-provision (Ubuntu) | Fix Released | High | Andres Rodriguez |
Precise | Fix Released | High | Andres Rodriguez |

Bug Description

This is a tracking bug for a dependency of the maas MIR (bug #961344).

maas-provision is a code copy of cobbler, but it only uses a subset of cobbler functionality. cobbler is big, has several problem areas in the code and runs as root. Please add an apparmor profile for /usr/bin/cobblerd to the maas-provision package.

This profile should be reviewed by the security team.

description: updated
Changed in maas (Ubuntu Precise):
milestone: none → ubuntu-12.04
status: New → Triaged
tags: added: rls-p-tracking
Julian Edwards (julian-edwards) wrote :

FTR, cobbler is being removed from maas in 12.04.1

Changed in maas (Ubuntu Precise):
importance: Undecided → High
Jamie Strandboge (jdstrand) wrote :

The cobbler dependency has been dropped in favor of maas-provision. As such, retargeting this bug to maas-provision.

affects: maas (Ubuntu Precise) → maas-provision (Ubuntu Precise)
description: updated
summary: - add apparmor profile for cobbler
+ add apparmor profile for cobblerd
Andres Rodriguez (andreserl) wrote :
Changed in maas-provision (Ubuntu Precise):
assignee: nobody → Andres Rodriguez (andreserl)
status: Triaged → In Progress
Jamie Strandboge (jdstrand) wrote :

Thanks! The profile looks good except for this line:
# capabilities
capability dac_override,

Why is this needed? Does it function ok with this instead:
deny capability dac_override,

Jamie Strandboge (jdstrand) wrote :

This is because of these lines:
./cobbler/sub_process.py: p = Popen(["id"], preexec_fn=lambda: os.setuid(100))
./koan/sub_process.py: p = Popen(["id"], preexec_fn=lambda: os.setuid(100))

'capability dac_override,' seems ok with this otherwise very restrictive profile. Thanks!
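
A reviewer check for the kind of rule questioned above, as an added example that is not part of the original bug thread or the maas-provision packaging: it lists the capability rules in an AppArmor profile and flags allowed broad ones such as dac_override. The sample profile, the BROAD_CAPS list and the function names are assumptions made for illustration.

```python
import re

# Assumed, non-exhaustive list of capabilities a reviewer would want justified.
BROAD_CAPS = {"dac_override", "dac_read_search", "sys_admin", "sys_ptrace", "sys_module"}

# Matches "[audit] [allow|deny] capability [name ...]," with an optional trailing comment.
RULE_RE = re.compile(
    r"^\s*(?:audit\s+)?(?P<qual>allow\s+|deny\s+)?capability"
    r"(?P<caps>(?:\s+\w+)*)\s*,\s*(?:#.*)?$"
)

# Constructed sample profile, not the one shipped in maas-provision.
SAMPLE_PROFILE = """\
/usr/bin/cobblerd {
  # capabilities
  capability dac_override,
  capability chown fowner,
  deny capability sys_ptrace,
}
"""


def capability_rules(profile_text):
    """Return (line_no, 'allow' or 'deny', capability) for each capability rule."""
    rules = []
    for no, line in enumerate(profile_text.splitlines(), 1):
        m = RULE_RE.match(line)
        if not m:
            continue
        qual = "deny" if (m.group("qual") or "").strip() == "deny" else "allow"
        # A bare "capability," rule grants every capability; report it as "*".
        caps = m.group("caps").split() or ["*"]
        rules.extend((no, qual, cap) for cap in caps)
    return rules


def needs_review(profile_text):
    """Allowed capabilities broad enough that the profile should state why."""
    return [(no, cap) for no, qual, cap in capability_rules(profile_text)
            if qual == "allow" and (cap == "*" or cap in BROAD_CAPS)]


if __name__ == "__main__":
    for no, cap in needs_review(SAMPLE_PROFILE):
        print(f"line {no}: 'capability {cap}' is allowed; confirm why it is needed")
```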

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package maas-provision - 2.2.2-0ubuntu2

---------------
maas-provision (2.2.2-0ubuntu2) precise-proposed; urgency=low

  * debian/maas-provision.install: Do not install tftpd (LP: #985094)
  * Add apparmor profile (LP: #975442)
    - debian/usr.bin.cobblerd: Add profile.
    - debian/rules: Install profile.
    - debian/maas-provision.preinst: Disable profile on install.
 -- Andres Rodriguez <email address hidden> Fri, 20 Apr 2012 13:19:26 -0700

Changed in maas-provision (Ubuntu Precise):
status: In Progress → Fix Released