On 12/21/2011 04:17 PM, Christian Boltz wrote:
Hello,the attached patch splits off various permissions from the httpd2- prefork profile to abstractions/apache2-common. Additionally, it adds read permissions for /**/.htaccess and /dev/urandom to apache2-common. The patch is based on a profile abstraction from darix. I made some things more strict (compared to darix' profile), and OTOH added some things that are needed on my servers. For reference: Darix sent me a file abstractons/apache-vhost-base (note the different name, I merged into apache2-common). Original abstractions/apache-vhost-base from darix: network, @{PROC}/**/attr/current rw, # htaccess files - for what ever it is worth /**.htaccess r, # error pages /usr/share/apache2/** r, BTW: Darix' profile has @{PROC}/**/attr/current rw, however my experience is I only need @{PROC}/*/attr/current w (no r). I never needed @{PROC}/*/task/*/attr/current. - Does apache really need write access to both variants? (I doubt.) - What's the difference between both variants? Note: My version of abstractions/apache2-common does not allow to read /.htaccess (I changed /**.htaccess -> /**/.htaccess) which slightly reduces permissions for ^HANDLING_UNTRUSTED_INPUT. However I doubt someone has a .htaccess in / ;-) The other changes I did do not remove permissions from the profile in bzr because those permissions didn't exist there - they exist only in the profile and abstractions from darix. I'm also nominating this patch for the 2.7 branch (maybe except disallowing /.htaccess for ^HANDLING_UNTRUSTED_INPUT if you are afraid it breaks some setups)
So as for nominations for the 2.7 branch, I am fine putting this in 2.7.1, I have already rolled 2.7 final and that is the tarballs in launchpad. I just haven't sent out the announcement email for 2.7 final yet. john -- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
