Merge ~sergiodj/ubuntu/+source/sssd:bug1910611-update-apparmor-groovy into ubuntu/+source/sssd:ubuntu/groovy-devel

Proposed by Sergio Durigan Junior
Status: Merged
Approved by: Sergio Durigan Junior
Approved revision: cb78c9c4232e6d61551fb659268ad550e0b13ee7
Merged at revision: cb78c9c4232e6d61551fb659268ad550e0b13ee7
Proposed branch: ~sergiodj/ubuntu/+source/sssd:bug1910611-update-apparmor-groovy
Merge into: ubuntu/+source/sssd:ubuntu/groovy-devel
Diff against target: 36 lines (+13/-0)
2 files modified
debian/apparmor-profile (+5/-0)
debian/changelog (+8/-0)
Reviewers: Christian Ehrhardt (Needs Fixing), Canonical Server Team (Pending)

Description of the change

This is the fix for bug 1910611 on Groovy.

The sssd apparmor profile is outdated with regards to a few aspects:

- It doesn't allow the execution of binaries under /usr/libexec/sssd/*

- It doesn't allow sssd to read configuration files under /etc/sssd/conf.d/*

- It doesn't allow sssd to read files under /etc/gss/mech.d/*

The original bug only complained about the first item, but while investigating I found the other two issues, so I'm fixing them as well.

Here's a PPA with the proposed package:

And autopkgtest is still happy:

autopkgtest [17:48:05]: @@@@@@@@@@@@@@@@@@@@ summary
ldap-user-group-ldap-auth PASS
ldap-user-group-krb5-auth PASS
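As an added illustration (not code from this merge proposal or from the sssd package), the following Python matcher applies the AppArmor path-glob semantics used in this profile to a constructed subset of the old and new rules, so you can see which of the three accesses from the description each version covers; treating @{multiarch} as a single path component and the helper file names are assumptions.

```python
import re

# Rules copied from the apparmor-profile hunk (constructed subset, commas dropped).
OLD_RULES = [
    "/etc/sssd/sssd.conf r",
    "/usr/lib/@{multiarch}/sssd/* rix",
    "/usr/sbin/sssd rmix",
]
NEW_RULES = OLD_RULES + [
    "/etc/sssd/conf.d/ r",
    "/etc/sssd/conf.d/** r",
    "/etc/gss/mech.d/ r",
    "/etc/gss/mech.d/** r",
    "/usr/libexec/sssd/* rmix",
]
# The three accesses named in the description (file names are constructed).
BUG_REQUESTS = [
    ("/usr/libexec/sssd/sssd_be", "x"),
    ("/etc/sssd/conf.d/10-ldap.conf", "r"),
    ("/etc/gss/mech.d/gssproxy.conf", "r"),
]

def glob_to_regex(pattern):
    """AppArmor glob to regex: '**' may span '/', '*' may not, and @{multiarch}
    is taken to be one non-empty path component (an assumption made here)."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*"); i += 2
        elif pattern[i] == "*":
            out.append("[^/]*"); i += 1
        elif pattern.startswith("@{multiarch}", i):
            out.append("[^/]+"); i += len("@{multiarch}")
        else:
            out.append(re.escape(pattern[i])); i += 1
    return "^" + "".join(out) + "$"

def parse_rules(rules):
    """Compile 'path perms' strings into (regex, set-of-permission-letters)."""
    return [(re.compile(glob_to_regex(p)), set(m))
            for p, m in (r.rsplit(" ", 1) for r in rules)]

def allowed(rules, path, perm):
    """True if a rule matches the path and carries the letter ('x' of 'ix')."""
    return any(rx.match(path) and perm in perms for rx, perms in rules)

def uncovered(rules, requests):
    """Return the (path, perm) requests that this profile would deny."""
    return [(p, m) for p, m in requests if not allowed(rules, p, m)]
```

Note that `conf.d/**` also matches files in subdirectories and the separate `conf.d/ r` rule is what lets the directory itself be listed.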

Christian Ehrhardt  (paelzer) wrote :

Fine - as the other one I've reviewed - +1.

TBH since the profile is default-off and config-change-to-fix the SRU Team might disagree that it is SRU-worthy (I'd think it is, but prepare for a discussion).

review: Approve
Christian Ehrhardt  (paelzer) wrote :

Actually, I'm slightly concerned about this (not part of the MP, but the context):

 sssd | 2.3.1-3 | groovy | source, amd64, arm64, armhf, ppc64el, riscv64, s390x
 sssd | 2.3.1-3ubuntu1 | groovy-proposed | arm64
 sssd | 2.3.1-3ubuntu2 | groovy-proposed | source, amd64, armhf, ppc64el, riscv64, s390x

2.3.1-3ubuntu1 was incomplete
2.3.1-3ubuntu2 has an odd armhf build fail (not present in this PPA build)

But since nothing ever left proposed - how about cancelling both from proposed and doing a single
"2.3.1-3ubuntu0.1" for bugs 1900642 + 1910611?

review: Needs Fixing
Sergio Durigan Junior (sergiodj) wrote:

Thanks for the review.

So, I was also not happy with the mistake I've made regarding the version number for sssd on Groovy, so I had a chat with Robie. He told me that it is OK to have the version as 2.3.1-3ubuntu2. I've just confirmed with him on the channel:

"<racb> | I'm not sure about 0.1. Need an AA to check. 3 is certain to work assuming it won't collide with Hirsute."

Since the SRU for 1900642 has already been approved & verified, I think it's fine to keep this as a separate fix.

As for the armhf build failure, I've also retriggered the build and it succeeded now. Thanks for catching that!

I won't go ahead with the upload because I'd like to hear if you're OK with keeping things as-is, or if you want me to pursue fixing the version number.

Christian Ehrhardt  (paelzer) wrote :

I'm ok if SRU-Team says they don't bother - which Robie did.
So yeah - go on - and have fun ...

Sergio Durigan Junior (sergiodj) wrote:

Thanks, Christian.
$ git push pkg upload/2.3.1-3ubuntu3
Enumerating objects: 13, done.
Counting objects: 100% (13/13), done.
Delta compression using up to 8 threads
Compressing objects: 100% (9/9), done.
Writing objects: 100% (9/9), 1.25 KiB | 182.00 KiB/s, done.
Total 9 (delta 6), reused 0 (delta 0)
To ssh://
 * [new tag] upload/2.3.1-3ubuntu3 -> upload/2.3.1-3ubuntu3

$ dput sssd_2.3.1-3ubuntu3_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/sssd/sssd_2.3.1-3ubuntu3_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/sssd/sssd_2.3.1-3ubuntu3.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to
  Uploading sssd_2.3.1-3ubuntu3.dsc: done.
  Uploading sssd_2.3.1-3ubuntu3.debian.tar.xz: done.
  Uploading sssd_2.3.1-3ubuntu3_source.buildinfo: done.
  Uploading sssd_2.3.1-3ubuntu3_source.changes: done.
Successfully uploaded packages.

Preview Diff

1diff --git a/debian/apparmor-profile b/debian/apparmor-profile
2index c5f3658..ecf5f7d 100644
3--- a/debian/apparmor-profile
4+++ b/debian/apparmor-profile
5@@ -25,10 +25,15 @@
6 /etc/localtime r,
7 /etc/shells r,
8 /etc/sssd/sssd.conf r,
9+ /etc/sssd/conf.d/ r,
10+ /etc/sssd/conf.d/** r,
11+ /etc/gss/mech.d/ r,
12+ /etc/gss/mech.d/** r,
14 /usr/lib/@{multiarch}/ldb/modules/ldb/* m,
15 /usr/lib/@{multiarch}/samba/ldb/* m,
16 /usr/lib/@{multiarch}/sssd/* rix,
17+ /usr/libexec/sssd/* rmix,
18 /usr/sbin/sssd rmix,
20 /tmp/{,.}krb5cc_* rwk,
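Review bot: the new `/usr/libexec/sssd/* rmix` rule grants `m` (executable mapping) while the existing `/usr/lib/@{multiarch}/sssd/* rix` rule for the same helpers at their old location does not; either drop `m` so the two rules stay consistent, or say in the changelog why the libexec location needs it. Since `ix` makes those helpers inherit this profile rather than transition to a child profile, every path they open must be granted in this same profile, so the `/etc/sssd/conf.d/**` and `/etc/gss/mech.d/**` additions above are the right place for their reads.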
21diff --git a/debian/changelog b/debian/changelog
22index 4402380..2b372d3 100644
23--- a/debian/changelog
24+++ b/debian/changelog
25@@ -1,3 +1,11 @@
26+sssd (2.3.1-3ubuntu3) groovy; urgency=medium
28+ * d/apparmor-profile: Update profile. (LP: #1910611)
29+ - Extend read permissions to /etc/sssd/conf.d/* and /etc/gss/mech.d/*.
30+ - Add read/execute permission to /usr/libexec/sssd/*.
32+ -- Sergio Durigan Junior <> Mon, 18 Jan 2021 16:56:21 -0500
34 sssd (2.3.1-3ubuntu2) groovy; urgency=medium
36 * d/p/0003-Only-start-sssd.service-if-there-s-a-configuration-f.patch:
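Review bot: the changelog wording is narrower than the rules it describes: the profile grants `/etc/sssd/conf.d/**` and `/etc/gss/mech.d/**` (the directories themselves plus everything beneath them, recursively), not `/*`, and `rmix` on `/usr/libexec/sssd/*` includes executable mapping (`m`), not only read/execute. Suggest "Allow reading /etc/sssd/conf.d/ and /etc/gss/mech.d/ and their contents" and "Add rmix (read, mmap, inherit-execute) permission to /usr/libexec/sssd/*" so the entry matches the diff.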