** Merge proposal linked: https://code.launchpad.net/~rlee287/ubuntu/+source/apparmor/+git/apparmor/+merge/495005
-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/2127491

Title:
  AppArmor policy prevents reading from $HOME/.netrc

Status in AppArmor Profiles:
  New
Status in apparmor package in Ubuntu:
  New
Status in tnftp package in Ubuntu:
  New
Status in apparmor source package in Plucky:
  New
Status in tnftp source package in Plucky:
  New
Status in apparmor source package in Questing:
  New
Status in tnftp source package in Questing:
  New
Status in apparmor source package in Resolute:
  New
Status in tnftp source package in Resolute:
  New

Bug description:
  [ Impact ]

  tnftp is unable to access the ~/.netrc configuration file, which it uses in order to load login information and automatically log in to FTP servers as stored in the config. Without this config, automatic login functionality is broken.

  [ Test Plan ]

  On a (Plucky|Questing|Resolute) machine,
  - Install tnftp, if it isn't installed already
  - Create a ~/.netrc file and populate it with the line "default login anonymous password user@site".
  - Attempt to download a file using FTP, e.g. `tnftp ftp://mirror.us.leaseweb.net/ubuntu-releases/robots.txt`
  - Without the patch: tnftp is unable to read ~/.netrc and generates a permission denial error
  - With the patch: tnftp is able to read and use ~/.netrc

  [ Where problems could occur ]

  The additions to the tnftp profile are loosening confinement. However, if a user manually modified the installed profiles, then the package upgrade would cause conflicts, and rejection of the incoming changes (either by hand during an interactive upgrade or automatically during a batch unattended upgrade) would result in end users not getting the packaged fix.
  [ Other Info ]

  -------Original report:

  Version of Ubuntu: 25.04
  Version of tnftp: 20230507-2build3

  What is expected to happen:
  FTP credentials are put in the file $HOME/.netrc with permissions 600, and are read by tnftp to log in to the remote server.

  What happens:
  On starting tnftp it attempts to open the file $HOME/.netrc which fails with the following error message:

    ftp: Can't read `.netrc': Permission denied

  Origin of the bug:
  I tracked it down to the default AppArmor policy in /etc/apparmor.d/abstractions/private-files and specifically the block:

    # don't allow reading/updating of run control files
    deny @{HOME}/.*rc mrk,

  Proposed bug fix:
  Add the following line to the tnftp AppArmor policy:

    priority=100 allow owner @{HOME}/.netrc r,

  The priority=100 is necessary because `deny` executes after `allow`.

To manage notifications about this bug go to:
https://bugs.launchpad.net/apparmor-profiles/+bug/2127491/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
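
Added example (not part of the bug report or of AppArmor itself): a small Python model of how the two rules quoted in the report interact, showing that the private-files glob covers .netrc and that the prioritized allow opens only read access to that one file. Assumptions: the highest-priority matching rule decides and deny wins at equal priority (as documented for the priority= prefix in apparmor.d(5)); @{HOME} is expanded to a constructed path; the `owner` qualifier and all other globbing syntax are ignored.

```python
import re

HOME = "/home/alice"  # constructed stand-in for @{HOME}

def glob_to_regex(glob):
    """Subset of AppArmor globbing: @{HOME}, '**' (any chars), '*' (no '/')."""
    glob = glob.replace("@{HOME}", HOME)
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out) + r"\Z")

def decide(rules, path, perm):
    """rules are (priority, 'allow'|'deny', glob, perms) tuples."""
    hits = [(prio, kind) for prio, kind, glob, perms in rules
            if perm in perms and glob_to_regex(glob).match(path)]
    if not hits:
        return "deny"  # no rule grants the access: default deny
    top = max(prio for prio, _ in hits)
    kinds = {kind for prio, kind in hits if prio == top}
    # Assumed model: at the winning priority, deny overrides allow.
    return "deny" if "deny" in kinds else "allow"

# Rule from abstractions/private-files, as quoted in the report.
PRIVATE_FILES = (0, "deny", "@{HOME}/.*rc", "mrk")
# The same allow without and with the proposed priority=100 prefix.
PLAIN_ALLOW = (0, "allow", "@{HOME}/.netrc", "r")
PRIO_ALLOW = (100, "allow", "@{HOME}/.netrc", "r")

def netrc_read(rules):
    return decide(rules, HOME + "/.netrc", "r")

if __name__ == "__main__":
    fixed = [PRIVATE_FILES, PRIO_ALLOW]
    print(".netrc r, plain allow:   ", netrc_read([PRIVATE_FILES, PLAIN_ALLOW]))
    print(".netrc r, priority=100:  ", netrc_read(fixed))
    print(".bashrc r, priority=100: ", decide(fixed, HOME + "/.bashrc", "r"))
    print(".netrc k, priority=100:  ", decide(fixed, HOME + "/.netrc", "k"))
```

In this model the other run control files, and the `m` and `k` permissions on .netrc itself, remain denied after the change, which is the extent of the loosening to confirm when reviewing the merge proposal.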

