debcrafters-packages team mailing list archive
Message #09710
[Bug 2127491] Re: AppArmor policy prevents tnftp reading from $HOME/.netrc
** Summary changed:
- AppArmor policy prevents reading from $HOME/.netrc
+ AppArmor policy prevents tnftp reading from $HOME/.netrc
--
You received this bug notification because you are a member of
Debcrafters packages, which is subscribed to tnftp in Ubuntu.
https://bugs.launchpad.net/bugs/2127491
Title:
AppArmor policy prevents tnftp reading from $HOME/.netrc
Status in AppArmor Profiles:
New
Status in apparmor package in Ubuntu:
New
Status in tnftp package in Ubuntu:
New
Status in apparmor source package in Plucky:
New
Status in tnftp source package in Plucky:
New
Status in apparmor source package in Questing:
New
Status in tnftp source package in Questing:
New
Status in apparmor source package in Resolute:
New
Status in tnftp source package in Resolute:
New
Bug description:
[ Impact ]
tnftp is unable to access the ~/.netrc configuration file, which it
uses in order to load login information and automatically log in to FTP
servers as stored in the config. Without this config, automatic login
functionality is broken.
[ Test Plan ]
On a (Plucky|Questing|Resolute) machine,
- Install tnftp, if it isn't installed already
- Create a ~/.netrc file and populate it with the line "default login anonymous password user@site".
- Attempt to download a file using FTP, e.g. `tnftp ftp://mirror.us.leaseweb.net/ubuntu-releases/robots.txt`
- Without the patch: tnftp is unable to read ~/.netrc and generates a permission denial error
- With the patch: tnftp is able to read and use ~/.netrc
[ Where problems could occur ]
The additions to the tnftp profile are loosening confinement. However,
if a user manually modified the installed profiles, then the package
upgrade would cause conflicts, and rejection of the incoming changes
(either by hand during an interactive upgrade or automatically during
a batch unattended upgrade) would result in end users not getting the
packaged fix.
[ Other Info ]
-------Original report:
Version of Ubuntu: 25.04
Version of tnftp: 20230507-2build3
What is expected to happen:
FTP credentials are put in the file $HOME/.netrc with permissions 600, and are read by tnftp to log in to the remote server.
What happens:
On starting tnftp it attempts to open the file $HOME/.netrc which fails with the following error message:
    ftp: Can't read `.netrc': Permission denied
Origin of the bug:
I tracked it down to the default AppArmor policy in /etc/apparmor.d/abstractions/private-files and specifically the block:
    # don't allow reading/updating of run control files
    deny @{HOME}/.*rc mrk,
Proposed bug fix:
Add the following line to the tnftp AppArmor policy:
    priority=100 allow owner @{HOME}/.netrc r,
The priority=100 is necessary because `deny` executes after `allow`.
To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor-profiles/+bug/2127491/+subscriptions
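Added example, not part of the bug report or of AppArmor itself: a simplified Python model of how the two rules quoted in the report resolve for ~/.netrc and for other run control files. Assumptions: /home/alice is a constructed stand-in for @{HOME}, the owner qualifier is not modelled, and the highest-priority matching rule is taken to decide, with deny winning at equal priority.

```python
import re

HOME = "/home/alice"  # constructed value standing in for @{HOME}


def glob_to_regex(glob):
    """Translate the AppArmor glob subset used here: ** crosses '/', * and ? do not."""
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*"); i += 2
        elif glob[i] == "*":
            out.append("[^/]*"); i += 1
        elif glob[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(glob[i])); i += 1
    return re.compile("".join(out))


def rule(kind, glob, perms, priority=0):
    """Build one file rule; priority 0 models a rule written without priority=."""
    return {"kind": kind, "re": glob_to_regex(glob.replace("@{HOME}", HOME)),
            "perms": set(perms), "priority": priority}


def allowed(rules, path, perm):
    """Assumed model: top-priority matching rules decide, deny wins a tie, no match is denied."""
    hits = [r for r in rules if perm in r["perms"] and r["re"].fullmatch(path)]
    if not hits:
        return False
    top = max(r["priority"] for r in hits)
    return all(r["kind"] == "allow" for r in hits if r["priority"] == top)


PRIVATE_FILES = rule("deny", "@{HOME}/.*rc", "mrk")       # from abstractions/private-files
PLAIN_ALLOW = rule("allow", "@{HOME}/.netrc", "r")        # hypothetical allow without priority
PROPOSED_FIX = rule("allow", "@{HOME}/.netrc", "r", 100)  # line proposed in the report

if __name__ == "__main__":
    netrc = HOME + "/.netrc"
    for name, rules in [("deny only", [PRIVATE_FILES]),
                        ("plain allow", [PRIVATE_FILES, PLAIN_ALLOW]),
                        ("priority=100 allow", [PRIVATE_FILES, PROPOSED_FIX])]:
        print(f"{name:20} read .netrc -> {allowed(rules, netrc, 'r')}")
```

In this model the proposed line opens only read access to .netrc: other files matching .*rc, and the m and k permissions on .netrc itself, stay denied.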