cannot create directory outside of $HOME

Thank you for using Ubuntu and taking the time to report a bug. This path is:
Decoded: /windows/Documents and Settings/Dave/My Documents/test/

AppArmor has denied access to this directory because it is not a standard location for files, therefore you must adjust your profile to allow access to the /windows folder. This can be done by adding the following to /etc/apparmor.d/usr.bin.evince:
  /windows/** rw,

Followed by:
$ sudo apparmor_parser -r -T -W /etc/apparmor.d/usr.bin.evince

Keep in mind that if there is a flaw in evince or (much more likely) one of the image/PDF libraries, opening a malicious file could allow an attacker to write to this directory. See http://en.opensuse.org/AppArmor_Geeks#Anatomy_of_a_Profile for more information on AppArmor profiling.

I should clarify the position. /windows is a non-FHS directory that will not be supported by the shipped file (but can of course be adjusted by the user). FHS directories like /mnt and /media should be supported. I mistakenly thought this was already supported, but these are not. I adjust the profile accordingly.

Jamie

All well and good, but

(1) this is going to affect everybody who has a Windows partition
mounted on anything but /home. That does not seem very user-friendly.

(2) AFAICS, in apparmor, every different application will have its own
settings. The old way: I could manage permissions in /etc/fstab. (If I
had to change them at all.) The new way: I have to manage permissions
using apparmor, application by application. So I have to learn an
obscure configuration file syntax. And if I get something wrong then I
open my system to vulnerabilities. This is far from "Linux for human
beings". It is also unlikely to ensure security. At the moment only I
can write to /windows: will your suggested workaround allow any user
of evince to do it? I don't know. But I'm tempted to apply the
workaround anyway, and ignore your thoughtful warning. Result: worse
security, because user behaviour has not been taken account of.

Cheers
David

just read this after my previous comment. it's good that by default
/media and /mnt will have these permissions. But... where did my
/windows directory come from? didn't ubuntu put it there? at least,
other people seem to have a /windows partition and I don't remember
making that naming decision myself.

David,

"At the moment only I can write to /windows: will your suggested workaround allow any user of evince to do it?" -- Normal discretionary access controls are still in effect. By adding the rule I mentioned to your profile, users will have read and write access to /windows if normal unix permissions allow it.

As for why /windows is there at all, I don't know. I do see in https://help.ubuntu.com/community/Fstab that the recommended place to mount your windows partition is /media/windows. If an Ubuntu application is creating and using directories outside of the Filesystem Hierarchy Standard (FHS), then that is a separate bug in that application. The evince AppArmor profile should support mountable media via FHS, and I will fix that.

Accepted evince into lucid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

After a clean install of Lucid, my windows directory is definitely mounted as /windows, and I made no choice about that... I will file a bug in the appropriate place.

David, are you able to test the update in lucid-proposed to check whether it fixes the crash you reported? The proposed update fixes five Ubuntu bugs, and this is the only one left unvalidated. Thanks in advance.

Hi Colin

I still get the same problem, but this is because my Windows drive is
mounted in a non-standard location, no?

David

This bug was fixed in the package evince - 2.30.1-0ubuntu3

---------------
evince (2.30.1-0ubuntu3) lucid-proposed; urgency=low

  [ Jamie Strandboge ]
  * debian/apparmor-profile.abstraction: allow writes to removable media
    (LP: #490230)

  [ Didier Roche ]
  * debian/patches/03_fix_opening_hash_filename.patch:
    Fix opening files with '#' in its name (LP: #578996)

evince (2.30.1-0ubuntu2) UNRELEASED; urgency=low

  * add debian/patches/02_fix_dot_dir_creation.patch:
    fix dot dir creation when launching evince directly (LP: #571725)

evince (2.30.1-0ubuntu1) UNRELEASED; urgency=low

  * New upstream release:
    Bug fixes:
    - Make inverted colors mode work in presentation mode too
      (#614693, Carlos Garcia Campos)
    - Respect GNOME22_USER_DIR env variable (#613637, Ray Strode)
    - Fix loading of local documents when uri contains a page
      destination (#616515, Carlos Garcia Campos)
    - Take default settings from last document opened. Fixes
      regression caused by migration to gio metadata (#606090, Carlos
      Garcia Campos) (LP: #544639, #503372)
    - Update icons to match gnome-icon-theme appearance (#614747,
      Hylke Bons, Carlos Garcia Campos)
    - Make sure there's a new valid page range before updating caches
      (fdo#27599, Carlos Garcia Campos)
    - Update FSF address everywhere (#514607, Arun Persaud)
    - Fix loading of compressed password-protected documents (#613959,
      Carlos Garcia Campos)
    - Close previewer window with control + w (#612972, Carlos Garcia
      Campos)
    - Fix keybindings in previewer window (#612972, Carlos Garcia
      Campos)
    Translation updates
 -- Didier Roche <email address hidden> Thu, 13 May 2010 16:31:06 +0200

I'm marking as 'verification-done' since the fix landed in lucid.