Results 1 to 7 of 7

Thread: Guest account locked down with Apparmor?

  1. #1
    Join Date
    Jan 2007
    Beans
    6,542
    Distro
    Ubuntu 13.04 Raring Ringtail

    Guest account locked down with Apparmor?

    I've just upgraded my netbook to Precise. The guest account is no longer able to access assets mounted by another user. I'd like to switch that back to the previous behaviour, where the guest accoutn could access something mounted to /media by another user.

    Is this done through Apparmor? I've had a quick look at the guest account profile at /etc/apparmor.d/lightdm-guest-session but I'm not sure what I'm doing.

  2. #2
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Guest account locked down with Apparmor?

    Check the logs and add a rule

    http://ubuntuforums.org/showthread.php?t=1008906
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  3. #3
    Join Date
    Jan 2007
    Beans
    6,542
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Guest account locked down with Apparmor?

    Quote Originally Posted by bodhi.zazen View Post
    Since the default behaviour for users is to allow this, surely it'd be a matter of deleting the rule that precludes it in the special case of the guest account?

    The guest account profile is here:
    Code:
    # vim:syntax=apparmor
    # Profile for restricting lightdm guest session 
    # Author: Martin Pitt <martin.pitt@ubuntu.com>
    
    #include <tunables/global>
    
    /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper {
      #include <abstractions/authentication>
      #include <abstractions/nameservice>
      #include <abstractions/wutmp>
      /etc/compizconfig/config rw, # bug in compiz https://launchpad.net/bugs/697678
     
      / r,
      /bin/ rmix,
      /bin/fusermount Px,
      /bin/** rmix,
      /cdrom/ rmix,
      /cdrom/** rmix,
      /dev/ r,
      /dev/** rmw, # audio devices etc.
      owner /dev/shm/** rmw,
      /etc/ r,
      /etc/** rmk,
      /etc/gdm/Xsession ix,
      /lib/ r,
      /lib/** rmixk,
      /lib32/ r,
      /lib32/** rmixk,
      /lib64/ r,
      /lib64/** rmixk,
      owner /media/ r,
      owner /media/** rmwlixk,  # we want access to USB sticks and the like
      /opt/ r,
      /opt/** rmixk,
      @{PROC}/ r,
      @{PROC}/* rm,
      @{PROC}/asound rm,
      @{PROC}/asound/** rm,
      @{PROC}/ati rm,
      @{PROC}/ati/** rm,
      owner @{PROC}/** rm,
      # needed for gnome-keyring-daemon
      @{PROC}/*/status r,
      /sbin/ r,
      /sbin/** rmixk,
      /sys/ r,
      /sys/** rm,
      /tmp/ rw,
      owner /tmp/** rwlkmix,
      /usr/ r,
      /usr/** rmixk,
      /var/ r,
      /var/** rmixk,
      /var/guest-data/** rw, # allow to store files permanently
      /var/tmp/ rw,
      owner /var/tmp/** rwlkm,
      /{,var/}run/ r,
      # necessary for writing to sockets, etc.
      /{,var/}run/** rmkix,
      /{,var/}run/shm/** wl,
    
      capability ipc_lock,
    
      # silence warnings for stuff that we really don't want to grant
      deny capability dac_override,
      deny capability dac_read_search,
      #deny /etc/** w, # re-enable once LP#697678 is fixed
      deny /usr/** w,
      deny /var/crash/ w,
    }
    But I don't understand why this is blocking access to /media, since everything in /media seems to be listed as rmwlixk.

  4. #4
    Join Date
    Mar 2011
    Beans
    669

    Re: Guest account locked down with Apparmor?

    The /media/ has an owner conditional attached. That means that the program/ user can only access files that it has created. Removing the owner conditional would likely fix this issue, though obviously it is less secure.

  5. #5
    Join Date
    Apr 2006
    Location
    Montana
    Beans
    Hidden!
    Distro
    Kubuntu Development Release

    Re: Guest account locked down with Apparmor?

    Quote Originally Posted by Hungry Man View Post
    The /media/ has an owner conditional attached. That means that the program/ user can only access files that it has created. Removing the owner conditional would likely fix this issue, though obviously it is less secure.
    Nice one ^^
    There are two mistakes one can make along the road to truth...not going all the way, and not starting.
    --Prince Gautama Siddharta

    #ubuntuforums web interface

  6. #6
    Join Date
    Jan 2007
    Beans
    6,542
    Distro
    Ubuntu 13.04 Raring Ringtail

    Re: Guest account locked down with Apparmor?

    Quote Originally Posted by Hungry Man View Post
    The /media/ has an owner conditional attached. That means that the program/ user can only access files that it has created. Removing the owner conditional would likely fix this issue, though obviously it is less secure.
    Thanks a lot, that has indeed done the trick!

  7. #7
    Join Date
    Mar 2011
    Beans
    669

    Re: Guest account locked down with Apparmor?

    You might want to consider a

    /media/ r,
    rule

    and a
    owner /media/ rmwlixk,

    rule

    That way anyone can read but only the owner of the files can perform other actions.

    This is safer.

    If you need it to be anyone modifying the data though you can just leave it as is.

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •