[Apparmor-general] Overly tight subdomain profile broke my SSH key
John Johansen
jjohansen at suse.de
Sun Mar 25 21:21:06 MDT 2007
On Mon, Mar 26, 2007 at 12:42:27PM +1000, Michael James wrote:
> The profile in /etc/subdomain.d/program-chunks/user-ssh-keys
> won't work for home directories anywhere but /home/<user>
>
> So if you use the /home/<group>/<user>/ location for home dirs,
> subdomain will deny r access to ~/.ssh/authorized_keys
> and automatic logins won't work.
>
> IMHO the profile should be amended from:
> /home/*/.ssh/authorized_keys{,2} r,
> to:
> /home/**/.ssh/authorized_keys{,2} r,
>
The use of ** is perhaps a little overly broad here. The solution that
we have been aiming to deploy is the use of the, yet to be properly
documented, variables. There are 2 variables that could be used here,
defined in /etc/apparmor.d/tunables/home:
@{HOMEDIRS} is a list of directories where users' home dirs are, and
@{HOME} is a list of user directories (currently defined using HOMEDIRS),
so the rule would look like
@{HOMEDIRS}/*/.ssh/authorized_keys{,2} r,
or
@{HOME}/.ssh/authorized_keys{,2} r,
> The extra * seems (I tested it but haven't read the doco)
> to allow any number of intervening directories.
>
Yes. * is globbing limited to a single directory, so
/foo* - is anything in the directory starting with foo
/* - is anything in the directory
** is globbing that can cross multiple directory levels:
/home/**/.ssh - would match
/home/foo/.ssh
/home/foo/bar/.ssh
/home/foo/bar/yet/more/levels/.ssh
but it will not match /home/.ssh; to do that you would need /home/**.ssh
> Is this the correct forum to submit this suggestion?
>
Yes it is, thanks for the feedback.
jjohansen
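As an added example (not part of this thread or of AppArmor's own code), a small Python model of the variable expansion and of the * / ** / {,} globbing rules described in the reply above. The TUNABLES values stand in for /etc/apparmor.d/tunables/home and, like the helper names, are assumptions made for the example.

```python
import itertools
import re

# Constructed stand-in for /etc/apparmor.d/tunables/home; the values are
# an assumption for this example, not the contents of the shipped file.
TUNABLES = {
    "HOMEDIRS": ["/home"],
    "HOME": ["/home/*", "/root"],
}

def expand_variables(rule, tunables=TUNABLES):
    """Expand every @{VAR} in a path rule into all combinations of its values."""
    names = re.findall(r"@\{(\w+)\}", rule)
    if not names:
        return [rule]
    expanded = []
    for combo in itertools.product(*(tunables[n] for n in names)):
        path = rule
        for name, value in zip(names, combo):
            path = path.replace("@{%s}" % name, value, 1)
        expanded.append(path)
    return expanded

def glob_to_regex(pattern):
    """Translate AppArmor path globbing into an anchored regex: * is any run of
    characters within one directory component, ** may cross directory levels,
    and {a,b} is alternation (an empty branch such as {,2} is permitted)."""
    out, depth = [], 0
    for tok in re.findall(r"\*\*|[*{},]|[^*{},]+", pattern):
        if tok == "**":
            out.append(".*")
        elif tok == "*":
            out.append("[^/]*")
        elif tok == "{":
            out.append("(?:")
            depth += 1
        elif tok == "}" and depth:
            out.append(")")
            depth -= 1
        elif tok == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(tok))
    return re.compile("^" + "".join(out) + "$")

def rule_matches(rule, path, tunables=TUNABLES):
    """True if any variable expansion of the rule's path globs onto path."""
    return any(glob_to_regex(p).match(path) for p in expand_variables(rule, tunables))
```

With these rules, rule_matches("/home/**/.ssh", "/home/.ssh") is False while rule_matches("/home/**.ssh", "/home/.ssh") is True, matching the distinction drawn in the reply.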