Hello,

On 2019-01-07 6:56 p.m., Ondra Kudlík wrote:
> Package: msmtp
> Version: 1.8.1-1
> Severity: important
> 
> Hello,
> 
> after yesterday's update I'm unable to use msmtp because of new apparmor
> profile.
> 
> Error:
> 
> msmtp: cannot create temporary file: Permission denied
> 
> It looks like apparmor profile is expecting msmtp to create temporary files
> with name starting with "msmtp" which is not true (at least I can't see it
> in msmtp source code).
> 
> Changing line to:
> 
>   owner /tmp/*   rw,
> 
> fixes problem for me.

In my tests with 1.6.6-1, it always created files like /tmp/msmtpMjeJLc
which is why I hardcoded that msmtp prefix. I'm afraid that I had
forgotten about #883354 so the actual profile evolved in parallel. I was
kind of caught by surprise by its inclusion, my bad and sorry Emmanuel.

> Second issue is that I have log files in ~/.msmtp*.log which is maybe
> specific to my setup but it is widely used at least from various wikis and
> docs I saw.
> 
> I suggest to add line to fix this issue as well.
> 
>   owner @{HOME}/.msmtp*.log   rwk,

Sounds good to me.

> Btw. I think this is major change and should be announced through news
> mechanism, especially because many users have their own paths. I could save
> at least an hour when trying to find source of problem.

I agree, I should have thought of that. How about adding the text from
README.Debian as a NEWS entry?

I will do some testing with 1.8.1-1 but in the meantime, please find
attached a more up to date profile that received more testing and also
incorporates your feedback (thanks!).

Regards,
Simon

# Author: Simon Deziel <si...@sdeziel.info>

#include <tunables/global>

/usr/bin/msmtp flags=(attach_disconnected) {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/p11-kit>
  #include <abstractions/ssl_certs>
  #include <abstractions/ssl_keys>

  /usr/bin/msmtp          mr,
  /etc/aliases            r,
  /etc/msmtprc            r,
  /etc/netrc              r,
  owner @{HOME}/.msmtp*   r,
  owner @{HOME}/.netrc    r,
  owner @{HOME}/.tls-crls r,

  owner @{HOME}/.msmtp*.log wk,
  /var/log/msmtp            wk,

  @{PROC}/@{pid}/loginuid r,
  /tmp/                   rw,
  owner /tmp/*            rw,

  # to type password interactively
  owner /dev/pts/[0-9]*   rw,

  # secret helpers
  /usr/bin/secret-tool    PUx,
  /usr/bin/gpg{,2}        PUx,

  #include <local/usr.bin.msmtp>
}
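
A denial like the "cannot create temporary file: Permission denied" reported above is logged by the kernel as an apparmor="DENIED" audit event that names the path and the denied permission. The following Python script is an added example, not part of this thread or of the msmtp package: it extracts those events for one profile and turns them into candidate rule lines to review. The log lines are constructed samples, and mapping create/delete denials to `w` is a simplification.

```python
import re

# Constructed sample kernel audit lines (not taken from the bug report).
SAMPLE_LOG = """\
audit: type=1400 audit(1546905360.101:311): apparmor="DENIED" operation="mknod" profile="/usr/bin/msmtp" name="/tmp/tmpfExample" pid=4242 comm="msmtp" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
audit: type=1400 audit(1546905361.202:312): apparmor="DENIED" operation="open" profile="/usr/bin/msmtp" name="/home/user/.msmtp.example.log" pid=4243 comm="msmtp" requested_mask="ac" denied_mask="ac" fsuid=1000 ouid=1000
audit: type=1400 audit(1546905362.303:313): apparmor="ALLOWED" operation="open" profile="/usr/bin/other" name="/etc/hosts" pid=4244 comm="other" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key="quoted value" or key=bare_value
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def rule_perms(mask):
    """Translate log mask letters into profile rule permissions.

    In the log, c = create and d = delete; in a profile rule both are
    covered by w, and w and a are mutually exclusive (simplified mapping).
    """
    perms = set(mask)
    if perms & set("wcd"):
        perms = (perms - set("wcda")) | {"w"}
    return "".join(p for p in "rwaklmx" if p in perms)


def denied_paths(log_text, profile):
    """Collect denied masks per path for DENIED events of one profile."""
    out = {}
    for line in log_text.splitlines():
        f = {k: (q or u) for k, q, u in FIELD.findall(line)}
        if f.get("apparmor") != "DENIED" or f.get("profile") != profile:
            continue
        entry = out.setdefault(f["name"], {"mask": set(), "owner": True})
        entry["mask"] |= set(f.get("denied_mask", ""))
        # "owner" only fits if the process uid always owned the object
        entry["owner"] &= f.get("fsuid") == f.get("ouid")
    return out


def candidate_rules(denials):
    """Render one candidate rule per denied path, for manual review."""
    return [f"{'owner ' if e['owner'] else ''}{path} {rule_perms(e['mask'])},"
            for path, e in sorted(denials.items())]


if __name__ == "__main__":
    for rule in candidate_rules(denied_paths(SAMPLE_LOG, "/usr/bin/msmtp")):
        print(rule)
```

The output lists exact paths; generalise them by hand to the narrowest glob that covers the program's real naming pattern before adding them to the profile or to local/usr.bin.msmtp.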
