Bug#975951: libreoffice tries to access files of firefox profiles (AppArmor)
severity 975951 minor
tag 975951 upstream
forwarded 975951 https://bugs.documentfoundation.org/show_bug.cgi?id=119811
retitle 975951 libreoffice tries to access files of firefox profiles
notfound 975951 1:7.0.3-4+b1
thanks
Hi,
> Package: libreoffice
No, libreoffice does not contain anything except dependencies. Do you mean libreoffice-core?
Sorry, that it hits you, but why can't people just file against the correct package? "libreoffice"
clearly says it's a dummy package.
> Severity: normal
Sigh.
How it is a bug when LO does what it's supposed to do in case people want to
sign their documents (with S/MIME, gpg is something else) *and which is documented*?
https://help.libreoffice.org/4.4/Common/Applying_Digital_Signatures
(of course also valid for later versions, this is just a result of googling.)
https://wiki.openoffice.org/wiki/How_to_use_digital_Signatures
That's what it is for. Signing documents with S/MIME.
> I'm seeing many entries like these in my log:
If you look at your logs (which is good) I would also expect you being able to do a basic resarch
(see above) instead of filing a "bug" which then will linger around until eternity :-(
> operation="open" profile="libreoffice-soffice" name="/home/joerg/.mozilla/firefox/aelzkv52.dev/cert9.db" pid=486621 comm="soffice.bin" requested_mask="wc" denied_mask="wc" fsuid=1000 ouid=1000
> operation="file_lock" profile="libreoffice-soffice" name="/home/joerg/.mozilla/firefox/aelzkv52.dev/cert9.db" pid=486621 comm="soffice.bin" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
Access to the Mozilla profile is completely expected in how it's
(The apparmor profiles allow "r", not "w". (Have to lookup what "c" is.) which is correct since
LO should only be able to read the certs).
Key *management* is something LO should not do and cannot do anyway. (same with gpg)
> operation="open" profile="libreoffice-soffice" name="/home/joerg/.mozilla/firefox/aelzkv52.dev/key4.db" pid=486621 comm="soffice.bin" requested_mask="wrc" denied_mask="wrc" fsuid=1000 ouid=1000
> operation="file_lock" profile="libreoffice-soffice" name="/home/joerg/.mozilla/firefox/aelzkv52.dev/key4.db" pid=486621 comm="soffice.bin" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000
Oh, that one's new.
I added the cert?.db ones once.
Since when does LO (and/or nss and or libxmlsec-nss) want key4.db, too?
(But I'd only allow r anyways.)
I guess I need to check whether signing works when the profile is in
enforcing again...
> LibreOffice tries to access the key storage of Firefox, which is really
> strange.
No, it isn't.
A few minutes' research would have shown you that it uses nss and the
certificates from Firefox (or Thundebird or SeaMonkey..):
https://www.google.com/search?q=libreoffice+firefox+profile&rlz=1C1GCEU_deDE843DE846&oq=libreoffi&aqs=chrome.1.69i60j69i59j69i57j69i60l3j69i65j69i60.2319j0j7&sourceid=chrome&ie=UTF-8
Second and fourth hit.
(That also shows https://bugs.documentfoundation.org/show_bug.cgi?id=119811
where an other user just reports a "bug" because of something unexepctedly
("no visiable reasons"...)
Yes, it's
Marking as forwarded to this "bug" though.
> Isn't it possible to use the keys in /etc/ssl?
a) as said it uses nss instead of the "standard" openssl, and has to use
what nss expects
b) how are you going to add signing certificates as user to /etc/ssl without
being root?
How does a end-user know (s)he needs to add stuff there? There (ttbomk) unfortunately also is no standardized patch for certs in users' $HOMEs.
And (unfortunately) LO wants to cater for end-users with no clue instead of
doing the correct thing(tm).
Regards,
Rene
Reply to: