[pkg-apparmor] Bug#1111245: wrong profile for winbind
Michael Tokarev
mjt at tls.msk.ru
Sat Aug 16 07:11:19 BST 2025
Package: apparmor
Version: 4.1.0-1
Severity: normal
abstractions/winbind has rather strange and very outdated profile.
I'm assuming this is pam-winbind and nss-winbind, not winbind daemon -
because for the daemon, much more is needed.
I don't know where all these files listed in there are there. Neither
pam nor winbind modules access these files. The only file they do
access is /run/samba/winbind/pipe - very long time ago it's been in
/tmp/.winbind/pipe, but it has been moved elsewhere (to /var/run,
later to /run) many years ago. And this is the path which is blocked
by current profile.
Without any prior knowledge of apparmor, I'd say this whole file should
have just one line:
@{run}/samba/winbind/pipe rw,
Note also that PAM-winbind is different from NSS-winbind - the pam stuff
is for authentication, which is usually done by a privileged process.
So I *guess* it meant to be nss-winbind in comment, not pam-winbind.
I wonder how it went unnoticed for so many years.
This came to my attention as #1110985 - this one apparently also needs
an ability to create unix sockets (socket(AF_UNIX)) which is blocked
now, but I don't know how to enable this one. Any help with this bug
is appreciated.
Thanks,
/mjt
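
Added example, not part of the original message and not AppArmor's own tooling: a small checker for whether a set of file rules covers the socket path discussed above. It handles only plain allow rules with the glob subset `**`, `*`, `?` and `{a,b}`; the sample rule text and the `@{run}` expansion are assumptions constructed for illustration.

```python
import re

# Assumption: simplified tunable; @{run} covers both locations.
VARIABLES = {"run": ["/run", "/var/run"]}

# Constructed samples, not the shipped abstractions/winbind.
STALE = "# old socket location\n/tmp/.winbind/pipe rw,\n/etc/samba/*.conf r,\n"
PROPOSED = "@{run}/samba/winbind/pipe rw,\n"

# Plain allow rule: optional "owner", a path pattern, permission letters, comma.
RULE = re.compile(r"^\s*(?:owner\s+)?([/@]\S*)\s+([a-z]+),\s*(?:#.*)?$")

def expand_variables(pattern):
    """Substitute every @{var} with each of its values."""
    m = re.search(r"@\{(\w+)\}", pattern)
    if not m:
        return [pattern]
    expanded = []
    for value in VARIABLES[m.group(1)]:
        expanded += expand_variables(pattern[:m.start()] + value + pattern[m.end():])
    return expanded

def glob_to_regex(glob):
    """Translate the AppArmor glob subset **, *, ?, {a,b} to a regex."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):   # ** crosses directory separators
            out.append(".*")
            i += 1
        elif c == "*":                 # * stays within one path component
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            out.append("(?:")
            depth += 1
        elif c == "}" and depth:
            out.append(")")
            depth -= 1
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

def allows(profile_text, path, needed="rw"):
    """True if some allow rule matches path and grants every needed permission."""
    for line in profile_text.splitlines():
        m = RULE.match(line)
        if m and set(needed) <= set(m.group(2)):
            if any(glob_to_regex(g).match(path) for g in expand_variables(m.group(1))):
                return True
    return False
```

Deny rules, includes and rule qualifiers other than `owner` are ignored, so a `True` result only means a matching allow rule exists in the text checked.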