Bugzilla – Bug 143423
sshd profile is incomplete and does work only for default configurations.
Last modified: 2007-01-26 01:00:05 UTC
The apparmor is _very_ dampish. :/ At least system login-related daemons could be checked before getting this in the wild. :| Look:

Jan 17 02:11:12 skylab kernel: SubDomain: REJECTING x access to /bin/login (sshd(13063) profile /usr/sbin/sshd active /usr/sbin/sshd)

The only thing I did is custom sshd configuration. :/ Inserted AllowUsers and 'UseLogin yes'. Many other errors appear:

Jan 17 02:13:16 skylab kernel: SubDomain: REJECTING access to capability 'dac_override' (sshd(13067) profile /usr/sbin/sshd active /usr/sbin/sshd)
Jan 17 02:13:16 skylab kernel: SubDomain: REJECTING access to capability 'dac_read_search' (sshd(13067) profile /usr/sbin/sshd active /usr/sbin/sshd)
Jan 17 02:11:12 skylab sshd[13058]: Accepted keyboard-interactive/pam for olli from 192.168.3.1 port 7596 ssh2
Jan 17 02:11:12 skylab sshd[13063]: error: /dev/pts/23: Permission denied
Jan 17 02:11:12 skylab sshd[13063]: error: open /dev/tty failed - could not set controlling tty: No such device or address
Seth, does this seem like a reasonable addition for the sshd profile?
Dominic, on the whole, I'd rather prepare an update that removes the sshd profile.
Sorry for the long period of inactivity, Olli. I simply don't have the time necessary to release fixed packages for our older distributions. In this case, I'm inclined to leave the permissions in our profile as they are -- a profile for sshd only makes sense when change_hat is being used. Since using /bin/login means our pam_apparmor cannot be used, the security value of this profile is pretty minimal. Thanks for your feedback, Olli.
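An added example, not part of the bug thread or of AppArmor itself: a small triage script that groups the kernel "SubDomain: REJECTING" lines from the report at the top of this bug by profile and denied resource, so that a profile gap caused by a non-default sshd_config is visible at a glance. The regular expression is inferred from the lines quoted in the report only, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Message shape inferred from the kernel lines quoted in the report (older
# "SubDomain" naming); other AppArmor releases log in a different format.
REJECT = re.compile(
    r"SubDomain: REJECTING (?:(?P<mode>[rwxlm]+) )?access to "
    r"(?:capability '(?P<cap>\w+)'|(?P<path>\S+)) "
    r"\((?P<comm>[^()]+)\((?P<pid>\d+)\) profile (?P<profile>\S+) active \S+\)"
)

# Lines copied from the report; the last is an ordinary sshd line to be ignored.
SAMPLE = """\
Jan 17 02:11:12 skylab kernel: SubDomain: REJECTING x access to /bin/login (sshd(13063) profile /usr/sbin/sshd active /usr/sbin/sshd)
Jan 17 02:13:16 skylab kernel: SubDomain: REJECTING access to capability 'dac_override' (sshd(13067) profile /usr/sbin/sshd active /usr/sbin/sshd)
Jan 17 02:13:16 skylab kernel: SubDomain: REJECTING access to capability 'dac_read_search' (sshd(13067) profile /usr/sbin/sshd active /usr/sbin/sshd)
Jan 17 02:11:12 skylab sshd[13063]: error: /dev/pts/23: Permission denied
"""

def parse_rejection(line):
    """Return a dict describing one REJECTING line, or None if it is not one."""
    m = REJECT.search(line)
    if not m:
        return None
    return {
        "profile": m["profile"],
        "kind": "capability" if m["cap"] else "file",
        "resource": m["cap"] or m["path"],
        "mode": m["mode"] or "",   # requested permission, empty for capabilities
        "pid": int(m["pid"]),
        "comm": m["comm"],
    }

def summarize(lines):
    """Group rejections by (profile, kind, resource, mode) with counts and PIDs."""
    summary = defaultdict(lambda: {"count": 0, "pids": set()})
    for line in lines:
        ev = parse_rejection(line)
        if ev is None:
            continue
        key = (ev["profile"], ev["kind"], ev["resource"], ev["mode"])
        summary[key]["count"] += 1
        summary[key]["pids"].add(ev["pid"])
    return dict(summary)

if __name__ == "__main__":
    for (prof, kind, res, mode), info in sorted(summarize(SAMPLE.splitlines()).items()):
        print(f"{prof}: {kind} {res} {mode or '-'} x{info['count']} pids={sorted(info['pids'])}")
```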