[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Apparmor pain

On Fri 29 Jan 2021 at 14:21:07 (+0000), Tony van der Hoff wrote:
> On 29/01/2021 13:27, Reco wrote:
> > On Fri, Jan 29, 2021 at 12:49:42PM +0000, Tony van der Hoff wrote:
> > > This is a simplified scenario: Say I have 2 machines, both running Debian 10.7. Each machine has 3 users: A, B and C. Each machine has an identical (mantained
> > > by Unison) directoery: /home/C/pictures, with permissions ugo:rwx owned by C. Each file therein has permissions ugo:r
> > ...
> > > I don't understand why my two machines are behaving so differently.
> > 
> > uid difference between hosts A and B, most probably.
> > Along the other things, thunderbird's apparmor policy contains this:
> > 
> >      owner @{HOME}/** r,
> > 
> > I.e. it's allowed to read any file at /home as long as the file is owned
> > by thunderbird's uid.

I'm assuming that you mean a file owned by the user who's running TB,
not that TB owns it. (Why would you want TB to own your own mail.)

> > […]

> > Disabling a problematic apparmor profile altogether is done by:
> > 
> > /usr/sbin/aa-disable /usr/bin/thunderbird
> > 
> > Disabling a problematic apparmor profile but keeping audit records
> > generation is done by
> > 
> > /usr/sbin/aa-complain /usr/bin/thunderbird
> Thanks, Reco, that was just the information I needed. I had to install
> apparmor-utils, but otherwise aa-disable did the job.

Note that this change does not fix the problem of administering a
group of machines with different users' userids, assuming that
that actually *was* the underlying cause. Many utilities will cope
because they communicate with usernames, but archive files and
filesystems that are shared between machines will employ numeric
IDs, which convey the wrong information. Fixing apparmor just treats
one symptom.

(It's usual for different machines to have different *system* UIDs and
GIDs, except for a very short list. That's a different kettle of fish.)


Reply to: