Bugs in AppArmor usr.bin.sshd profile

Bug #817956 reported by Matthias Schmidt
Affects: apparmor (Ubuntu); Status: Fix Released; Importance: Undecided; Assigned to: Jamie Strandboge

Bug Description

I run AppArmor (2.6.1-0ubuntu3) on Ubuntu natty amd64. I recently activated the usr.sbin.sshd profile (from apparmor-profiles, Version 2.6.1-0ubuntu3) and recognized that OpenSSH remote login is no longer working.

The following messages are visible in syslog:

kernel: [70383.925481] type=1400 audit(1311930435.095:50130): apparmor="DENIED" operation="open" parent=910 profile="/usr/sbin/sshd" name="/etc/default/locale" pid=6439 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: [70383.935676] type=1400 audit(1311930435.105:50131): apparmor="DENIED" operation="exec" parent=6439 profile="/usr/sbin/sshd" name="/bin/dash" pid=6444 comm="sshd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[70383.935879] type=1400 audit(1311930435.105:50132): apparmor="DENIED" operation="open" parent=910 profile="/usr/sbin/sshd" name="/var/run/motd" pid=6439 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[70383.936056] type=1400 audit(1311930435.105:50133): apparmor="DENIED" operation="open" parent=910 profile="/usr/sbin/sshd" name="/etc/security/limits.d/" pid=6439 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[70383.936754] type=1400 audit(1311930435.105:50134): apparmor="DENIED" operation="open" parent=6439 profile="/usr/sbin/sshd" name="/etc/default/locale" pid=6445 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[70383.938703] type=1400 audit(1311930435.105:50135): apparmor="DENIED" operation="exec" parent=6445 profile="/usr/sbin/sshd" name="/bin/zsh4" pid=6446 comm="sshd" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[70383.940877] type=1400 audit(1311930435.115:50136): apparmor="DENIED" operation="open" parent=910 profile="/usr/sbin/sshd" name="/etc/default/locale" pid=6439 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

The messages from sshd in /var/log/auth.log are as follows:

sshd[9593]: Accepted publickey for matthias from ::1 port 34353 ssh2
sshd[9593]: pam_env(sshd:setcred): Unable to open env file: /etc/default/locale: Permission denied
sshd[9593]: pam_unix(sshd:session): session opened for user matthias by (uid=0)
sshd[9593]: pam_limits(sshd:session): Could not set limit for 'nproc' to soft=-1, hard=-1: Operation not permitted; uid=0,euid=0
sshd[9593]: pam_limits(sshd:session): Could not set limit for 'nice' to soft=20, hard=20: Operation not permitted; uid=0,euid=0
sshd[9600]: pam_env(sshd:setcred): Unable to open env file: /etc/default/locale: Permission denied
sshd[9600]: Received disconnect from ::1: 11: disconnected by user
sshd[9593]: pam_unix(sshd:session): session closed for user matthias
sshd[9593]: pam_env(sshd:setcred): Unable to open env file: /etc/default/locale: Permission denied

The message as seen by the user is as follows:

% ssh localhost
Last login: Fri Jul 29 11:26:19 2011 from localhost
/bin/zsh: Permission denied
Connection to localhost closed.

I changed the profile to fix these issues. It's attached to the bug report.

Tags: apparmor sshd
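The kernel lines in the report are the raw material an administrator turns into profile rules, usually with aa-logprof. The script below is an added example (mine, not the reporter's attached profile and not the apparmor project's tooling): it parses the key="value" fields of AppArmor audit lines, merges repeated denials on the same path, and prints the candidate rules for each profile. It feeds on the seven lines quoted above plus one constructed operation="capable" line, added to show that a capability denial (the shape a failed setrlimit would produce if the profile lacked the capability) carries a capname field instead of a path. The function names, the default exec mode and the sample capability line are my assumptions.

```python
import re
from collections import defaultdict

# Added example, not part of the bug report: turn AppArmor "DENIED" audit
# lines into candidate profile rules, the way aa-logprof would propose them.

# The kernel-log lines quoted in the bug report (the "kernel: [ts]" prefix is
# kept on purpose to show that the parser skips it), plus one CONSTRUCTED
# operation="capable" line illustrating the capability shape of a denial.
SAMPLE_LOG = """\
kernel: [70383.925481] type=1400 audit(1311930435.095:50130): apparmor="DENIED" operation="open" parent=910 profile="/usr/sbin/sshd" name="/etc/default/locale" pid=6439 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
kernel: [70383.935676] type=1400 audit(1311930435.105:50131): apparmor="DENIED" operation="exec" parent=6439 profile="/usr/sbin/sshd" name="/bin/dash" pid=6444 comm="sshd" requested_mask="x" denied_mask="x" fsuid=0 ouid=0
[70383.935879] type=1400 audit(1311930435.105:50132): apparmor="DENIED" operation="open" parent=910 profile="/usr/sbin/sshd" name="/var/run/motd" pid=6439 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[70383.936056] type=1400 audit(1311930435.105:50133): apparmor="DENIED" operation="open" parent=910 profile="/usr/sbin/sshd" name="/etc/security/limits.d/" pid=6439 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[70383.936754] type=1400 audit(1311930435.105:50134): apparmor="DENIED" operation="open" parent=6439 profile="/usr/sbin/sshd" name="/etc/default/locale" pid=6445 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[70383.938703] type=1400 audit(1311930435.105:50135): apparmor="DENIED" operation="exec" parent=6445 profile="/usr/sbin/sshd" name="/bin/zsh4" pid=6446 comm="sshd" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
[70383.940877] type=1400 audit(1311930435.115:50136): apparmor="DENIED" operation="open" parent=910 profile="/usr/sbin/sshd" name="/etc/default/locale" pid=6439 comm="sshd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[70383.941000] type=1400 audit(1311930435.115:50137): apparmor="DENIED" operation="capable" parent=910 profile="/usr/sbin/sshd" pid=6439 comm="sshd" capability=24 capname="sys_resource"
"""

# Matches key="quoted value" or key=bare_value.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Order in which AppArmor file permission letters are conventionally written.
_MODE_ORDER = "rwalkmx"


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor audit line, or None when the
    line is not an AppArmor event. The kernel timestamp prefix is ignored."""
    if "apparmor=" not in line:
        return None
    return {k: (quoted or bare) for k, quoted, bare in _KV.findall(line)}


def suggest_rules(log_text, exec_mode="ix"):
    """Aggregate DENIED events per profile and return candidate rules.

    File denials on the same path are merged (their denied_mask letters are
    unioned), so a path denied four times yields a single rule. exec denials
    get exec_mode: "ix" keeps the child under the same profile and is the most
    restrictive choice; "Px" or "Ux" hand the child to another profile or to
    unconfined, which is a policy decision for whoever owns the profile.
    Capability denials become "capability <name>," rules.
    """
    file_masks = defaultdict(lambda: defaultdict(set))  # profile -> path -> letters
    caps = defaultdict(set)                             # profile -> capability names
    for raw in log_text.splitlines():
        ev = parse_audit_line(raw)
        if not ev or ev.get("apparmor") != "DENIED":
            continue
        profile = ev["profile"]
        if ev.get("operation") == "capable":
            caps[profile].add(ev["capname"])
        elif "name" in ev:
            file_masks[profile][ev["name"]].update(ev.get("denied_mask", ""))

    rules = defaultdict(list)
    for profile, paths in file_masks.items():
        for path in sorted(paths):
            letters = paths[path]
            if "x" in letters:
                # Non-exec letters first, then the chosen exec qualifier, e.g. "rix".
                mode = "".join(c for c in _MODE_ORDER if c in letters and c != "x") + exec_mode
            else:
                mode = "".join(c for c in _MODE_ORDER if c in letters)
            rules[profile].append(f"{path} {mode},")
    for profile, names in caps.items():
        for name in sorted(names):
            rules[profile].append(f"capability {name},")
    return dict(rules)


if __name__ == "__main__":
    for profile, candidate in suggest_rules(SAMPLE_LOG).items():
        print(f"# candidate additions for profile {profile}")
        for rule in candidate:
            print("  " + rule)
```

Run as a script it prints one block per profile: the four distinct paths as read rules, the two shells as exec rules, and the constructed capability line as `capability sys_resource,`. The output is a starting point for review, not a profile to paste blindly: each exec rule's qualifier decides whether the user's login shell stays confined by the sshd profile, and each path should be checked against the abstractions the profile already includes before a literal rule is added.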
Matthias Schmidt (mschmidt) wrote :
Changed in apparmor (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.7.0-0ubuntu1

---------------
apparmor (2.7.0-0ubuntu1) precise; urgency=low

  * New upstream release. Fixes the following:
    - LP: #794974
    - LP: #815883
    - LP: #840973
  * Drop the following patches, included upstream:
    - af_names-generation.patch
    - 0004-adjust-logprof-log-search-order.patch
    - 0005-lp826914.patch
    - 0006-lp838275.patch
    - 0007-fix-introspection-tests.patch
  * Rename 0003-add-debian-integration-to-lighttpd.patch to 0002
  * debian/patches/0003-commits-through-r1882.patch: several bug,
    documentation and performance fixes on our road to AppArmor 2.8
    (LP: #840734, LP: #905412)
  * debian/patches/0004-lp887992.patch: cups-client abstraction should allow
    owner read of @{HOME}/.cups/client.conf and @{HOME}/.cups/lpoptions
    (LP: #887992)
  * update debian/patches/0001-add-chromium-browser.patch for deeper
    directories of /sys/devices/pci (LP: #885833)
  * debian/patches/0005-lp884748.patch: allow kate as text editor in the
    browsers abstraction (LP: #884748)
  * debian/patches/0006-lp870992.patch: abstractions/fonts should allow access
    to ~/.fonts.conf.d (LP: #870992)
  * debian/patches/0007-lp860856.patch: allow read access to sitecustomize.py
    in the python abstraction, which is needed for apport hooks to work in
    python applications (LP: #860856)
  * debian/patches/0008-lp852062.patch: update binaries for transmission
    clients (LP: #852062)
  * debian/patches/0009-lp851977.patch: allow ixr access to exo-open for
    Xubuntu and friends (LP: #851977)
  * debian/patches/0010-lp890894.patch: allow access to Thunar as well as
    thunar in ubuntu-integration abstraction (LP: #890894)
  * debian/patches/0011-lp817956.patch: update usr.sbin.sshd example profile
    (LP: #817956)
  * debian/patches/0012-lp458922.patch: update dovecot deliver profile to
    access various .conf files for dovecot (LP: #458922)
  * debian/patches/0013-lp769148.patch: allow avahi to do dbus introspection
    (LP: #769148)
  * debian/patches/0014-lp904548.patch: fix typo for multiarch line for gconv
    (LP: #904548)
  * debian/patches/0015-lp712584.patch: Nvidia users need access to
    /dev/nvidia* files for various plugins to work right. Since these are all
    focused around multimedia, add the accesses to the multimedia abstraction.
    (LP: #712584)
  * debian/patches/0016-lp562831.patch: allow fireclam plugin to work
    (LP: #562831)
  * debian/patches/0017-lp662906.patch: allow software-center in the ubuntu
    integration browser abstraction (LP: #662906)
  * debian/patches/0018-deny-home-pki-so.patch: update private-files
    abstraction to deny write and link to ~/.pki/nssdb/*so files (LP: #911847)
  * debian/patches/0019-lp899963.patch: add audacity to the
    ubuntu-media-players abstraction (LP: #899963)
  * debian/patches/0020-lp912754a.patch,0021-lp912754b.patch: add p11-kit
    abstraction and add it to the authentication abstraction (LP: #912754)
  * debian/patches/0022-workaround-lp851986.patch: instead of using Ux
    in the ubuntu and launchpad abstractions, use a helper child profile.
    This will help work around the lack of en...


Changed in apparmor (Ubuntu):
status: In Progress → Fix Released