[Apparmor-general] Overly tight subdomain profile broke my SSH key
Michael James
Michael.James at csiro.au
Mon Mar 26 01:24:33 MDT 2007
On Monday 26 March 2007 1:21 pm, John Johansen wrote:
> There are 2 variables that could be used here
> defined in /etc/apparmor.d/tunables/home
> @{HOMEDIRS} is a list of directories where users' home dirs are and
> @{HOME} is a list of user directories (currently defined using HOMEDIRS)
>
> so the rule would look like
> @{HOMEDIRS}/*/.ssh/authorized_keys{,2} r,
We need to minimise unexpected interdependencies!
For good reasons I have always had an extra level in the home dir path.
Now subdomain can't pick a home directory and keys stop working.
The variable @{HOMEDIRS} still needs to be loaded,
leaving the sysadmin liable to some unexpected failures.
What @{HOMEDIRS} is trying to say is "a home directory for a valid user".
Until apparmor can cope with that, how about allowing both
/home/*/.ssh/authorized_keys{,2} r,
/home/*/*/.ssh/authorized_keys{,2} r,
michaelj
--
Michael James michael.james at csiro.au
System Administrator voice: 02 6246 5040
CSIRO Bioinformatics Facility fax: 02 6246 5166
No matter how much you pay for software,
you always get less than you hoped.
Unless you pay nothing, then you get more.
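
The effect of the two rules proposed above can be checked with a small matcher. This is an added example, not part of the original message and not AppArmor's own code: it models only a subset of AppArmor path globbing (`*` does not cross `/`, `**` does, plus `?` and `{a,b}`), and the user and directory names in the sample paths are constructed.

```python
import re

def aa_glob_to_regex(rule_path):
    """Translate a subset of AppArmor path globs into a Python regex.
    Simplified model (assumption): only *, **, ? and {a,b} are handled."""
    out, i, n, depth = [], 0, len(rule_path), 0
    while i < n:
        c = rule_path[i]
        if rule_path.startswith("**", i):
            out.append(".*")            # ** may cross directory separators
            i += 2
            continue
        if c == "*":
            # A lone * never matches "/". When it is a whole path
            # component it must match at least one character.
            whole = (i > 0 and rule_path[i - 1] == "/"
                     and (i + 1 == n or rule_path[i + 1] == "/"))
            out.append("[^/]+" if whole else "[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")             # {,2} becomes (?:|2)
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out))

def allowed(path, rules):
    """True if any rule path matches the whole file path."""
    return any(aa_glob_to_regex(r).fullmatch(path) for r in rules)

ONE_LEVEL = ["/home/*/.ssh/authorized_keys{,2}"]
BOTH = ONE_LEVEL + ["/home/*/*/.ssh/authorized_keys{,2}"]

# Constructed sample paths
FLAT = "/home/alice/.ssh/authorized_keys"
NESTED = "/home/bioinf/alice/.ssh/authorized_keys2"  # extra level in the path
SUBDIR = "/home/alice/work/.ssh/authorized_keys"     # not a home directory

if __name__ == "__main__":
    for p in (FLAT, NESTED, SUBDIR):
        print(p, allowed(p, ONE_LEVEL), allowed(p, BOTH))
```

The last sample shows the cost of the second rule: on a flat layout it also grants read access to a `.ssh/authorized_keys` one directory below a user's home.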