AppArmor warns about use of /dev/tty

Bug #348556 reported by Kees Cook
Affects | Status | Importance | Assigned to | Milestone
cups (Ubuntu) | Fix Released | Undecided | Martin Pitt |

Bug Description

Binary package hint: cups

Mar 23 08:11:59 laptop kernel: [4052506.657084] type=1503 audit(1237821119.433:13): operation="inode_permission" requested_mask="::rw" denied_mask="::rw" fsuid=7 name="/dev/tty" pid=32442 profile="/usr/sbin/cupsd"

As I understand it, this is not a desired access, but it does show up in the logs and might make people think something unexpected is happening. This warning can be silenced by adding the following to the cupsd profile:

  deny /dev/tty rw,
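
As an added example (not code from this bug report or from the cups package), the following Python script turns audit records like the one quoted above into candidate deny rules grouped by profile. The function name, the extra log lines and the treatment of ':' in the mask are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Line 1 is the audit record quoted in the bug description; the remaining
# lines are constructed samples for this example.
SAMPLE_LOG = '''\
Mar 23 08:11:59 laptop kernel: [4052506.657084] type=1503 audit(1237821119.433:13): operation="inode_permission" requested_mask="::rw" denied_mask="::rw" fsuid=7 name="/dev/tty" pid=32442 profile="/usr/sbin/cupsd"
Mar 23 08:12:03 laptop kernel: [4052510.100000] type=1503 audit(1237821123.100:14): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/etc/krb5.conf" pid=32442 profile="/usr/sbin/cupsd"
Mar 23 08:12:04 laptop kernel: [4052511.200000] type=1503 audit(1237821124.200:15): operation="inode_permission" requested_mask="::r" denied_mask="::r" fsuid=7 name="/dev/tty" pid=32442 profile="/usr/sbin/cupsd"
Mar 23 08:12:05 laptop kernel: [4052512.300000] type=1503 audit(1237821125.300:16): operation="inode_permission" requested_mask="r::" denied_mask="r::" fsuid=7 name="/tmp/odd name" pid=32442 profile="/usr/sbin/cupsd"
Mar 23 08:12:06 laptop cupsd: constructed non-audit line name="/dev/null"
'''

FIELD = re.compile(r'(\w+)="([^"]*)"')
PERM_ORDER = "rwalkm"                 # file permission letters, in emit order
NEEDS_REVIEW = set('*?[]{}^"\\ \t')   # globbing/quoting characters: never auto-generate


def suggest_deny_rules(log_text):
    """Map profile -> sorted list of 'deny PATH PERMS,' lines for denied accesses."""
    denied = defaultdict(set)         # (profile, path) -> set of permission letters
    for line in log_text.splitlines():
        if "type=1503" not in line:   # record type of the AppArmor line on this page
            continue
        f = dict(FIELD.findall(line))
        if not all(k in f for k in ("profile", "name", "denied_mask")):
            continue
        path = f["name"]
        if not path.startswith("/") or NEEDS_REVIEW & set(path):
            continue                  # leave unusual paths for manual review
        # Assumption: ':' only separates mask fields, so the letters alone
        # determine the rule ("::rw" -> "rw").
        denied[(f["profile"], path)] |= set(f["denied_mask"]) & set(PERM_ORDER)
    rules = defaultdict(list)
    for (profile, path), perms in sorted(denied.items()):
        letters = "".join(c for c in PERM_ORDER if c in perms)
        if letters:
            rules[profile].append(f"deny {path} {letters},")
    return dict(rules)


if __name__ == "__main__":
    for profile, lines in suggest_deny_rules(SAMPLE_LOG).items():
        print(f"# candidate rules for profile {profile}")
        for rule in lines:
            print(f"  {rule}")
```

An explicit deny rule suppresses the audit record for that access, so review each suggested path before adding it to a profile.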

Kees Cook (kees) wrote :

When fixing this, perhaps also add:
  deny /etc/krb5.conf w,
as well to fix the other half of bug 324645?

Changed in cups (Ubuntu):
assignee: nobody → pitti
status: New → Triaged
Kees Cook (kees)
Changed in cups (Ubuntu):
milestone: none → ubuntu-9.04
Martin Pitt (pitti) wrote :

Ah, I didn't know about "deny" (it's not in the manpage), thanks for the hint. Committed.

Changed in cups (Ubuntu):
status: Triaged → Fix Committed
Kees Cook (kees) wrote : Re: [Bug 348556] Re: AppArmor warns about use of /dev/tty

On Thu, Mar 26, 2009 at 07:55:43AM -0000, Martin Pitt wrote:
> Ah, I didn't know about "deny" (it's not in the manpage), thanks for the
> hint. Committed.

Ah, good point. I have open bug 349049 to track that.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cups - 1.3.9-16

---------------
cups (1.3.9-16) unstable; urgency=low

  [ Till Kamppeter ]
  * debian/local/filters/pdf-filters/pdftopdf/P2PResources.cxx: Fixed
    corruption of output when generating multiple copies of EOG or GIMP
    output files (LP: #345183).
  * debian/cups.postinst: Silenced non-fatal error messages when
    post-install script updates PPDs and there are PPDs not belonging to
    a CUPS queue in /etc/cups/ppd/ (LP: #345866).

  [ Martin Pitt ]
  * debian/local/apparmor-profile: Drop 'm' permission for /etc/passwd and
    friends, which was a workaround for a kernel apparmor bug on i386. This is
    fixed in current kernels. Thanks to Kees Cook for pointing this out!
    (LP: #270663)
  * debian/cups.install: Do not install the unnecessary (and broken) D-BUS
    configuration file any more. All cupsd does is to send signals, which are
    allowed by default. It does not provide any D-BUS service right now. Also
    remove the obsolete file on upgrades in debian/cups.preinst.
    (Closes: #510634, LP: #318742)
  * Add logfiles_adm_readable.dpatch: Make log files readable by group "adm".
    (LP: #345953)
  * debian/changelog: Fix cruft at the end of file.
  * debian/local/apparmor-profile: Explicitly deny access to /dev/tty and
    writing access to /etc/krb5.conf, so that accesses to them do not create
    log spewage. (LP: #348556)

 -- Martin Pitt <email address hidden> Fri, 27 Mar 2009 09:35:56 +0100

Changed in cups (Ubuntu):
status: Fix Committed → Fix Released