Bug 143423

Summary: sshd profile is incomplete and works only for default configurations.
Product: [openSUSE] SUSE LINUX 10.0 Reporter: Olli Artemjev <grey-olli>
Component: AppArmor Assignee: Seth R Arnold <seth.arnold>
Status: RESOLVED WONTFIX QA Contact: Dominic W Reynolds <dreynolds>
Severity: Major    
Priority: P3 - Medium Keywords: accessibility, Fix_No_Build
Version: Final   
Target Milestone: ---   
Hardware: i686   
OS: SuSE Linux 10.0   
Whiteboard:
Found By: Customer Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Olli Artemjev 2006-01-16 23:23:53 UTC
The apparmor is _very_ dampish. :/ At least system login related daemons could be checked before getting this in the wild. :|
Look:
Jan 17 02:11:12 skylab kernel: SubDomain: REJECTING x access to /bin/login (sshd(13063) profile /usr/sbin/sshd active /usr/sbin/sshd)

The only thing I did is a custom sshd configuration. :/ Inserted AllowUsers and 'UseLogin yes'.

Many other errors appear:
Jan 17 02:13:16 skylab kernel: SubDomain: REJECTING access to capability 'dac_override' (sshd(13067) profile /usr/sbin/sshd active /usr/sbin/sshd)
Jan 17 02:13:16 skylab kernel: SubDomain: REJECTING access to capability 'dac_read_search' (sshd(13067) profile /usr/sbin/sshd active /usr/sbin/sshd)
Jan 17 02:11:12 skylab sshd[13058]: Accepted keyboard-interactive/pam for olli from 192.168.3.1 port 7596 ssh2
Jan 17 02:11:12 skylab sshd[13063]: error: /dev/pts/23: Permission denied
Jan 17 02:11:12 skylab sshd[13063]: error: open /dev/tty failed - could not set controlling tty: No such device or address

Comment 1 Dominic W Reynolds 2006-01-31 00:59:06 UTC
Seth, does this seem like a reasonable addition for the sshd profile?

Comment 2 Seth R Arnold 2006-02-07 02:25:55 UTC
Dominic, on the whole, I'd rather prepare an update that removes the sshd profile.

Comment 3 Seth R Arnold 2007-01-26 01:00:05 UTC
Sorry for the long period of inactivity, Olli. I simply don't have the time necessary to release fixed packages for our older distributions.

In this case, I'm inclined to leave the permissions in our profile as they are -- a profile for sshd only makes sense when change_hat is being used. Since using /bin/login means our pam_apparmor cannot be used, the security value of this profile is pretty minimal.

Thanks for your feedback Olli.
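
A triage aid for the denials quoted in the description, added here as an example and not part of the bug thread or of AppArmor's own tooling: it parses only the two SubDomain message shapes that appear in this report (file access and capability) and groups what each profile refused. The names `REJECT`, `SAMPLE_LOG` and `summarize_rejects` are hypothetical, and paths containing spaces are assumed not to occur.

```python
import re
from collections import defaultdict

# Sample input: log lines copied from the report above (three denials, one sshd error).
SAMPLE_LOG = """\
Jan 17 02:11:12 skylab kernel: SubDomain: REJECTING x access to /bin/login (sshd(13063) profile /usr/sbin/sshd active /usr/sbin/sshd)
Jan 17 02:13:16 skylab kernel: SubDomain: REJECTING access to capability 'dac_override' (sshd(13067) profile /usr/sbin/sshd active /usr/sbin/sshd)
Jan 17 02:13:16 skylab kernel: SubDomain: REJECTING access to capability 'dac_read_search' (sshd(13067) profile /usr/sbin/sshd active /usr/sbin/sshd)
Jan 17 02:11:12 skylab sshd[13063]: error: /dev/pts/23: Permission denied
"""

# Assumption: only the two message shapes seen in this report are handled.
REJECT = re.compile(
    r"SubDomain: REJECTING (?:(?P<mode>[rwxlm]+) )?access to "
    r"(?:capability '(?P<cap>[a-z_]+)'|(?P<path>/\S*))"
    r" \((?P<comm>[^()]+)\((?P<pid>\d+)\) profile (?P<profile>\S+) active (?P<active>\S+)\)"
)

def summarize_rejects(log_text):
    """Group SubDomain denials by confining profile: files, capabilities, PIDs."""
    out = defaultdict(lambda: {"files": set(), "capabilities": set(), "pids": set()})
    for line in log_text.splitlines():
        m = REJECT.search(line)
        if not m:
            continue  # not a SubDomain denial, e.g. sshd's own error lines
        entry = out[m["profile"]]
        entry["pids"].add(int(m["pid"]))
        if m["cap"]:
            entry["capabilities"].add(m["cap"])
        else:
            entry["files"].add((m["path"], m["mode"] or ""))
    # Sorted lists make the summary deterministic and easy to diff between runs.
    return {p: {k: sorted(v) for k, v in e.items()} for p, e in out.items()}

if __name__ == "__main__":
    for profile, denied in summarize_rejects(SAMPLE_LOG).items():
        print(f"profile {profile} (pids {denied['pids']})")
        for path, mode in denied["files"]:
            print(f"  denied file access: {path} mode={mode or '?'}")
        for cap in denied["capabilities"]:
            print(f"  denied capability:  {cap}")
```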