
debcrafters-packages team mailing list archive

[Bug 2127491] Re: AppArmor policy prevents reading from $HOME/.netrc

 

Upstream apparmor fix at
https://gitlab.com/apparmor/apparmor/-/merge_requests/1819. I intend to
SRU this fix in as a bundle along with other AppArmor fixes.

** Description changed:

+ [ Impact ]
+ 
+ tnftp is unable to access the ~/.netrc configuration file, which it uses
+ in order to load login information and automatically login to FTP
+ servers as stored in the config. Without this config, automatic login
+ functionality is broken.
+ 
+ [ Test Plan ]
+ 
+ On a (Plucky|Questing|Resolute) machine,
+ - Install tnftp, if it isn't installed already
+ - Create a ~/.netrc file and populate it with the line "default login anonymous password user@site".
+ - Attempt to download a file using FTP, e.g. `tnftp ftp://mirror.us.leaseweb.net/ubuntu-releases/robots.txt`
+ - Without the patch: tnftp is unable to read ~/.netrc and generates a permission denial error
+ - With the patch: tnftp is able to read and use ~/.netrc
+ 
+ [ Where problems could occur ]
+ 
+ The additions to the tnftp profile are loosening confinement. However,
+ if a user manually modified the installed profiles, then the package
+ upgrade would cause conflicts, and rejection of the incoming changes
+ (either by hand during an interactive upgrade or automatically during an
+ batch unattended upgrade) would result in end users not getting the
+ packaged fix.
+ 
+ [ Other Info ]
+ 
+ -------Original report:
+ 
  Version of Ubuntu: 25.04
  Version of tnftp: 20230507-2build3
  
  What is expected to happen:
  FTP credentials are put in the file $HOME/.netrc with permissions 600, and are read by tnftp to log in to the remote server.
  
  What happens:
  On starting tnftp it attempts to open the file $HOME/.netrc which fails with the following error message:
  ftp: Can't read `.netrc': Permission denied
  
  Origin of the bug:
  I tracked it down to the default AppArmor policy in /etc/apparmor.d/abstractions/private-files and specifically the block:
-   # don't allow reading/updating of run control files
-   deny @{HOME}/.*rc mrk,
+   # don't allow reading/updating of run control files
+   deny @{HOME}/.*rc mrk,
  
  Proposed bug fix:
  Add the following line to the tnftp AppArmor policy:
-   priority=100 allow owner @{HOME}/.netrc r,
+   priority=100 allow owner @{HOME}/.netrc r,
  
  The priority=100 is necessary because `deny` executes after `allow`.
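Review bot: the added [ Test Plan ] only verifies that ~/.netrc becomes readable, while the added [ Where problems could occur ] states that the profile additions loosen confinement. Consider adding a step that confirms tnftp is still denied read access to another file covered by `deny @{HOME}/.*rc mrk,`, so SRU verification shows that only .netrc was opened up. In [ Where problems could occur ], the sentence starting "However," does not contrast with the one before it; listing the loosened confinement and the modified-conffile upgrade conflict as two separate risks would read more clearly.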

-- 
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to tnftp in Ubuntu.
https://bugs.launchpad.net/bugs/2127491

Title:
  AppArmor policy prevents reading from $HOME/.netrc

Status in AppArmor Profiles:
  New
Status in apparmor package in Ubuntu:
  New
Status in tnftp package in Ubuntu:
  New
Status in apparmor source package in Plucky:
  New
Status in tnftp source package in Plucky:
  New
Status in apparmor source package in Questing:
  New
Status in tnftp source package in Questing:
  New
Status in apparmor source package in Resolute:
  New
Status in tnftp source package in Resolute:
  New

Bug description:
  [ Impact ]

  tnftp is unable to access the ~/.netrc configuration file, which it
  uses in order to load login information and automatically log in to FTP
  servers as stored in the config. Without this config, automatic login
  functionality is broken.

  [ Test Plan ]

  On a (Plucky|Questing|Resolute) machine,
  - Install tnftp, if it isn't installed already
  - Create a ~/.netrc file and populate it with the line "default login anonymous password user@site".
  - Attempt to download a file using FTP, e.g. `tnftp ftp://mirror.us.leaseweb.net/ubuntu-releases/robots.txt`
  - Without the patch: tnftp is unable to read ~/.netrc and generates a permission denial error
  - With the patch: tnftp is able to read and use ~/.netrc

  [ Where problems could occur ]

  The additions to the tnftp profile are loosening confinement. However,
  if a user manually modified the installed profiles, then the package
  upgrade would cause conflicts, and rejection of the incoming changes
  (either by hand during an interactive upgrade or automatically during
  a batch unattended upgrade) would result in end users not getting the
  packaged fix.

  [ Other Info ]

  -------Original report:

  Version of Ubuntu: 25.04
  Version of tnftp: 20230507-2build3

  What is expected to happen:
  FTP credentials are put in the file $HOME/.netrc with permissions 600, and are read by tnftp to log in to the remote server.

  What happens:
  On starting tnftp it attempts to open the file $HOME/.netrc which fails with the following error message:
  ftp: Can't read `.netrc': Permission denied

  Origin of the bug:
  I tracked it down to the default AppArmor policy in /etc/apparmor.d/abstractions/private-files and specifically the block:
    # don't allow reading/updating of run control files
    deny @{HOME}/.*rc mrk,

  Proposed bug fix:
  Add the following line to the tnftp AppArmor policy:
    priority=100 allow owner @{HOME}/.netrc r,

  The priority=100 is necessary because `deny` executes after `allow`.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor-profiles/+bug/2127491/+subscriptions
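
An added example, not part of the bug report and not AppArmor's own code: a simplified Python model of how the two rules quoted above interact, showing that the unprioritised allow loses to the `private-files` deny while the `priority=100` allow wins for `.netrc` only. It assumes a higher-priority rule overrides lower ones and that deny beats allow at equal priority; `HOME_RE`, the `/home/alice` paths and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

HOME_RE = r"/home/[^/]+"  # assumption: simplified stand-in for @{HOME}

@dataclass(frozen=True)
class Rule:
    action: str         # "allow" or "deny"
    glob: str           # AppArmor-style path pattern
    perms: str          # permission letters, e.g. "mrk"
    priority: int = 0   # rules without a priority= prefix default to 0
    owner: bool = False

def glob_to_regex(glob):
    """Translate the small glob subset used here: @{HOME}, ** and *."""
    parts = []
    for tok in re.split(r"(@\{HOME\}|\*\*|\*)", glob):
        if tok == "@{HOME}":
            parts.append(HOME_RE)
        elif tok == "**":
            parts.append(".*")
        elif tok == "*":
            parts.append("[^/]*")   # '*' does not cross a '/'
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts) + r"\Z")

def decide(rules, path, perm, is_owner=True):
    """Return "allow" or "deny" for one permission on one path."""
    hits = [r for r in rules
            if perm in r.perms
            and (is_owner or not r.owner)
            and glob_to_regex(r.glob).match(path)]
    if not hits:
        return "deny"   # no rule grants it: implicit deny
    top = max(r.priority for r in hits)
    winners = [r for r in hits if r.priority == top]
    # Among rules at the winning priority, deny beats allow.
    return "deny" if any(r.action == "deny" for r in winners) else "allow"

# The two rules quoted in the report, plus the allow without a priority.
PRIVATE_FILES_DENY = Rule("deny", "@{HOME}/.*rc", "mrk")
PLAIN_ALLOW = Rule("allow", "@{HOME}/.netrc", "r", owner=True)
FIXED_ALLOW = Rule("allow", "@{HOME}/.netrc", "r", priority=100, owner=True)

def netrc_readable(allow_rule, path="/home/alice/.netrc"):
    return decide([PRIVATE_FILES_DENY, allow_rule], path, "r") == "allow"
```

The same model shows what the fix leaves confined: other `.*rc` files, write access to `.netrc`, and a `.netrc` not owned by the calling user all still resolve to deny.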


