Comment 3 for bug 578922

Thanks for your response. My point 4 attempted to address your point:
4. the php application could have been protected with AppArmor, disallowing reads from /tmp

You cannot attribute a bug to AppArmor for a profile that does not exist. The AppArmor model is to confine processes, not data. Because apache does not have a profile in the default installation, AppArmor cannot confine it. Therefore it is not a bug in AppArmor but rather a missing security feature in distributions like Ubuntu that have AppArmor available but do not have a profile for a particular application, in this case apache. However, this is true of any system that doesn't have full labeling and confinement. Fedora happens to have policy for apache, but this attack would presumably work on Fedora if it was against a different application for which policy was not written (such as lighttpd). Simply put, one cannot bypass a rule that does not exist. The MySQL ruleset was not bypassed -- MySQL needs an area to write files and the ruleset allows that. Admittedly, it is a bug in the MySQL Debian/Ubuntu packaging that allows this attack to succeed and this will be addressed. If Apache shipped an enforcing profile which used the user-tmp abstraction as is, only then could you attribute that the intended AppArmor protections were bypassed. This bug highlights that the user-tmp abstraction is too loose for when people have profiled the applications involved and are depending on it to work to thwart chained attacks, and I committed a fix for that to trunk which requires 'owner' matching which should largely address this.

Fedora happens to have a MAC feature available in its distribution (see below for why Ubuntu made a different choice) for apache. Unfortunately, due to packaging practices in Ubuntu and Debian, it is very difficult to confine apache in a general enough fashion for users to install and use web applications that provides any significant security benefit. This is a known issue and something that is being worked on (it is on the Ubuntu security team's roadmap) in various ways. I won't go into those details further in this bug, but if you are interested, I encourage you to discuss this in the ubuntu-hardened mailing list and/or IRC channel.

AIUI, this vulnerability does not work on Fedora because apache is confined with SELinux. Apache in Ubuntu is not confined by AppArmor. In Fedora, users are often required to adjust SELinux policy to get their applications to work. In Ubuntu, we choose to not break those applications, but instead provide an example of how to confine a web application that administrators can use to opt into the AppArmor security feature. Our stance is that if a security feature breaks default and common configurations, users will turn off the feature. While it is possible to only disable the Apache profile, if people are frustrated enough by a too strict AppArmor profile, they will disable all of AppArmor on the system, which will weaken the system overall since there are several profiles enforced on a typical Ubuntu system (such as the aforementioned MySQL profile). This is a distribution choice.