debcrafters-packages team mailing list archive
-
debcrafters-packages team
-
Mailing list archive
-
Message #08940
[Bug 2127491] [NEW] AppArmor policy prevents reading from $HOME/.netrc
Public bug reported:
Version of Ubuntu: 25.04
Version of tnftp: 20230507-2build3
What is expected to happen:
FTP credentials are put in the file $HOME/.netrc with permissions 600, and are read by tnftp to log in to the remote server.
What happens:
On starting tnftp it attempts to open the file $HOME/.netrc which fails with the following error message:
ftp: Can't read `.netrc': Permission denied
Origin of the bug:
I tracked it down to the default AppArmor policy in /etc/apparmor.d/abstractions/private-files and specifically the block:
# don't allow reading/updating of run control files
deny @{HOME}/.*rc mrk,
Proposed bug fix:
Add the following line to the tnftp AppArmor policy:
priority=100 allow owner @{HOME}/.netrc r,
The priority=100 is necessary because `deny` executes after `allow`.
** Affects: tnftp (Ubuntu)
Importance: Undecided
Status: New
** Tags: apparmor netrc permissions tnftp
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to tnftp in Ubuntu.
https://bugs.launchpad.net/bugs/2127491
Title:
AppArmor policy prevents reading from $HOME/.netrc
Status in tnftp package in Ubuntu:
New
Bug description:
Version of Ubuntu: 25.04
Version of tnftp: 20230507-2build3
What is expected to happen:
FTP credentials are put in the file $HOME/.netrc with permissions 600, and are read by tnftp to log in to the remote server.
What happens:
On starting tnftp it attempts to open the file $HOME/.netrc which fails with the following error message:
ftp: Can't read `.netrc': Permission denied
Origin of the bug:
I tracked it down to the default AppArmor policy in /etc/apparmor.d/abstractions/private-files and specifically the block:
# don't allow reading/updating of run control files
deny @{HOME}/.*rc mrk,
Proposed bug fix:
Add the following line to the tnftp AppArmor policy:
priority=100 allow owner @{HOME}/.netrc r,
The priority=100 is necessary because `deny` executes after `allow`.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/tnftp/+bug/2127491/+subscriptions
Follow ups
-
[Bug 2127491] Re: AppArmor policy prevents tnftp reading from $HOME/.netrc
From: Ryan Lee, 2025-10-24
-
[Bug 2127491] Re: AppArmor policy prevents tnftp reading from $HOME/.netrc
From: Ryan Lee, 2025-10-24
-
[Bug 2127491] Re: AppArmor policy prevents reading from $HOME/.netrc
From: Launchpad Bug Tracker, 2025-10-24
-
[Bug 2127491] Re: AppArmor policy prevents reading from $HOME/.netrc
From: Christian Boltz, 2025-10-17
-
[Bug 2127491] Re: AppArmor policy prevents reading from $HOME/.netrc
From: Nicolas Douma, 2025-10-16
-
[Bug 2127491] Re: AppArmor policy prevents reading from $HOME/.netrc
From: Ryan Lee, 2025-10-15
-
[Bug 2127491] Re: AppArmor policy prevents reading from $HOME/.netrc
From: Sebastien Bacher, 2025-10-15
-
[Bug 2127491] Re: AppArmor policy prevents reading from $HOME/.netrc
From: Andreas Hasenack, 2025-10-14
-
[Bug 2127491] Re: AppArmor policy prevents reading from $HOME/.netrc
From: Ryan Lee, 2025-10-14
-
[Bug 2127491] Re: AppArmor policy prevents reading from $HOME/.netrc
From: Graham Inggs, 2025-10-14
-
[Bug 2127491] Re: AppArmor policy prevents reading from $HOME/.netrc
From: Nicolas Douma, 2025-10-12
