sshd profile does not work out-of-the-box

Bug #228229 reported by Joseph Mark Jarvis
Affects            Status        Importance  Assigned to  Milestone
AppArmor           Fix Released  Medium      Unassigned
apparmor (Ubuntu)  Fix Released  Low         Unassigned

Bug Description

Binary package hint: apparmor-profiles

The apparmor profile for sshd provided by the apparmor-profiles package does not work out-of-the-box. Looking over syslog, it appears there are seven types of audit entries (one of each follows). Until this is fixed, the usr.sbin.sshd file in apparmor-profiles should have "flags=(complain)" added to it.

May 8 08:23:26 darwin kernel: [136857.839011] audit(1210249406.803:56): type=1502 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/etc/default/locale" pid=21377 profile="/usr/sbin/sshd" namespace="default"

May 8 08:23:29 darwin kernel: [136860.663589] audit(1210249409.633:71): type=1502 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/etc/default/locale" pid=21377 profile="/usr/sbin/sshd" namespace="default"

May 8 08:23:26 darwin kernel: [136857.842204] audit(1210249406.803:58): type=1502 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/proc/filesystems" pid=21375 profile="/usr/sbin/sshd" namespace="default"

May 8 08:23:26 darwin kernel: [136857.839817] audit(1210249406.803:57): type=1502 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/proc/filesystems" pid=21377 profile="/usr/sbin/sshd" namespace="default"

May 8 09:33:21 darwin kernel: [141051.379421] audit(1210253601.703:83): type=1502 operation="file_lock" requested_mask="k::" denied_mask="k::" name="/var/log/wtmp" pid=21412 profile="/usr/sbin/sshd" namespace="default"

May 8 08:23:26 darwin kernel: [136857.837856] audit(1210249406.803:55): type=1502 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/var/run/motd" pid=21377 profile="/usr/sbin/sshd" namespace="default"

May 8 09:59:43 darwin kernel: [142632.555690] audit(1210255183.393:84): type=1502 operation="file_lock" requested_mask="k::" denied_mask="k::" name="/var/run/utmp" pid=21412 profile="/usr/sbin/sshd" namespace="default"

Tags: patch

Jürgen Kreileder (jk) wrote :

AFAIK Ubuntu's sshd doesn't have the change_hat patch. That makes confining somewhat useless.

Timo Aaltonen (tjaalton) wrote :

moving to openssh, since the patch is needed there?

(I'm currently evaluating apparmor, so would like to confine sshd)

Timo Aaltonen (tjaalton) wrote :

And back to apparmor.. The profile does need some changes, but no modifications to openssh AIUI. Here's what I had to add:

  /etc/default/locale r,
  /var/cache/nscd/group r,
  /var/cache/nscd/passwd r,
  /etc/selinux/config r,
  /etc/selinux/default/seusers r,
  /etc/krb5.conf r,
  /etc/krb5.keytab k,
  /proc/filesystems r,
  /var/tmp/host_* rw,
  /var/run/motd r,
  /bin/dash Ux,
  /bin/zsh4 Ux,
  /tmp/krb5cc_* wk,
  capability dac_override,

some of those should probably be in abstractions/*

Changed in openssh:
importance: Undecided → Low
status: New → Confirmed
Timo Aaltonen (tjaalton) wrote :

sorry, openssh tries to open krb5.conf with 'w::' mask for some reason, so in order to avoid these messages

type=APPARMOR_DENIED msg=audit(1233663334.360:7469): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/etc/krb5.conf" pid=17575 profile="/usr/sbin/sshd"

it should have rw. 'r' is already set in abstractions/kerberosclient.

Seth Arnold (seth-arnold) wrote :

I disagree with Timo's assessment; the attempt to write to /etc/krb5.conf is from an access(2) check to _see_ if the file is writable. If the file _is_ writable, then the sshd server knows Kerberos is mis-configured and will _fail_. Of course, most of the time, the standard Unix DAC checks will forbid the write access, and sshd continues normally.

Perhaps abstractions/kerberosclient should be amended to have a deny rule for /etc/krb5.conf w, to silence this needless noise.

Sadly, the kernel LSM design doesn't allow LSM modules to know the difference between open("file", O_RDWR) and access("file", R_OK|W_OK); both result in the same call to an LSM module. (Which makes a certain amount of sense, but does mean polluting profiles with explicit 'deny' rules on access() checks done for safety's sake.)
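The denial lines quoted in this report, turned into candidate profile rules the way Timo did by hand, with the write-denial caveat Seth raises flagged for review. This is an added example, not code from the report or from AppArmor's own aa-logprof; the sample log reuses lines from the report plus one constructed non-denial line, and the helper names are my own.

```python
import re
from collections import defaultdict

# Denial lines taken from this bug report, in both the older kernel
# "audit(...): type=1502 ..." form and the "type=APPARMOR_DENIED ..." form,
# plus one constructed sshd line that is not a denial and must be ignored.
SAMPLE_LOG = """\
May 8 08:23:26 darwin kernel: [136857.839011] audit(1210249406.803:56): type=1502 operation="inode_permission" requested_mask="r::" denied_mask="r::" name="/etc/default/locale" pid=21377 profile="/usr/sbin/sshd" namespace="default"
May 8 08:23:29 darwin kernel: [136860.663589] audit(1210249409.633:71): type=1502 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/etc/default/locale" pid=21377 profile="/usr/sbin/sshd" namespace="default"
May 8 09:33:21 darwin kernel: [141051.379421] audit(1210253601.703:83): type=1502 operation="file_lock" requested_mask="k::" denied_mask="k::" name="/var/log/wtmp" pid=21412 profile="/usr/sbin/sshd" namespace="default"
type=APPARMOR_DENIED msg=audit(1233663334.360:7469): operation="inode_permission" requested_mask="w::" denied_mask="w::" fsuid=0 name="/etc/krb5.conf" pid=17575 profile="/usr/sbin/sshd"
May 8 08:23:27 darwin sshd[21377]: Accepted publickey for someuser from 192.0.2.10 port 51234 ssh2 (constructed)
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
PERM_ORDER = "rwakmlix"  # order used when rendering the permission string


def parse_denial(line):
    """Return the key="value" fields of an AppArmor denial line, or None for other lines."""
    if 'denied_mask="' not in line or 'profile="' not in line:
        return None
    return dict(FIELD_RE.findall(line))


def suggest_rules(log_text):
    """Aggregate denied masks per profile and path: {profile: {path: perms}}.

    The old 2.x format splits the mask into colon-separated groups ("r::", "::r");
    the letters of all groups are merged, since a single file rule
    ("/etc/default/locale r,") satisfied both entries in the report.
    """
    rules = defaultdict(dict)
    for line in log_text.splitlines():
        fields = parse_denial(line)
        if fields is None:
            continue
        perms = set(rules[fields["profile"]].get(fields["name"], ""))
        perms.update(ch for ch in fields["denied_mask"] if ch != ":")
        rules[fields["profile"]][fields["name"]] = "".join(sorted(perms, key=PERM_ORDER.find))
    return rules


def render_profile_lines(path_perms):
    """Render candidate rules in profile syntax. A denied 'w' is flagged because, as the
    discussion notes, it may be an access(2) probe where a deny rule is the better fix."""
    lines = []
    for path in sorted(path_perms):
        perms = path_perms[path]
        note = "  # review: possible access(2) probe" if "w" in perms else ""
        lines.append(f"  {path} {perms},{note}")
    return lines


if __name__ == "__main__":
    for profile, path_perms in suggest_rules(SAMPLE_LOG).items():
        print(f"{profile} {{")
        print("\n".join(render_profile_lines(path_perms)))
        print("}")
```

The rendered output is a starting point for a profile, not a finished one: each candidate still needs the judgement applied in this thread (abstractions, deny rules for probes) before it goes into enforce mode.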

Simon Déziel (sdeziel) wrote :

I'm not using Kerberos here but I found the profiles from apparmor-profiles to still lack a few bits in Precise. I've attached the patch to get a working profile. The only thing that didn't work in my testing is SFTP when using "Subsystem sftp internal-sftp".

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Add missing capabilities/rules for usr.sbin.sshd" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Steve Beattie (sbeattie) wrote :

Simon,

Thanks for the patch to the sshd profile. After reviewing it and updating it to take into account a couple of upstream changes to the profile, I've applied it to lp:apparmor, and it will be included in the next major AppArmor release. It should also make it into Ubuntu 13.04.

Thanks!

Changed in apparmor (Ubuntu):
status: Confirmed → Fix Committed
status: Fix Committed → Triaged
Changed in apparmor:
status: New → Fix Committed
importance: Undecided → Medium
Steve Beattie (sbeattie)
Changed in apparmor:
milestone: none → 2.9.0
Steve Beattie (sbeattie) wrote :

This has been fixed in Ubuntu in the pending 14.04 LTS release.

Changed in apparmor (Ubuntu):
status: Triaged → Fix Released
Steve Beattie (sbeattie) wrote :

Apparmor 2.9.0 has been released; closing.

Changed in apparmor:
status: Fix Committed → Fix Released