=== chris14_ is now known as chris14
ahasenackhi security, do you have an opinion on allowing rsyslog write access to /dev/console? See https://bugs.launchpad.net/ubuntu/+source/rsyslog/+bug/200923017:39
-ubottu:#ubuntu-security- Launchpad bug 2009230 in rsyslog (Ubuntu Lunar) "AppArmor denials for rsyslog" [Undecided, New]17:39
ahasenackand on the topic of consoles, what about including the consoles abstraction? It also allows ttys and pts17:39
ahasenackthere is even an example in the shipped rsyslog config file from ubuntu showing how to log certain messages to a tty, so you would just have to ctrl-shift-8 and see certain logs in tty8, for example. This is currently blocked by the rsyslog apparmor profile17:40
ahasenackin the case of that very particular bug, the google-compute-engine could ship an apparmor snippet in /etc/apparmor.d/rsyslog.d to allow /dev/console, and it would work. But if it's something others might do too, and there are no security downsides, maybe we should have that rule (and tty?) in the default rsyslog package17:42
jjohansenahasenack: so generally speaking consoles are a mess and it is definitely safer to block. With that said, if you are going to allow them, I would do it via the console abstraction, we have plans on improving the console mediation and if you use the abstraction you will pick up those improvements automatically.19:11
jjohansenAlso general philosophy here is, if there feature is needed allow it, because otherwise people will disable the profile/apparmor and that is far worse than a looser mediation19:11
ahasenackthe only worry I had with the console abstraction was the /dev/pts access, there is a comment above it saying this also allows "access" to xterms and the like19:12
ahasenackunsure what you would get with that: read every keystroke?19:12
ahasenackthat being said, rsyslog doesn't run as root, so more would be needed for it to be able to access ttys and ptss19:13
ahasenackand the console abstraction currently only allows (of the ttys) /dev/tty, not /dev/tty[0-9]19:14
ahasenackis that on purpose, or an oversight?19:14
jjohansenon purpose19:14
ahasenackwhat does /dev/tty mean again? Please refresh my memory :)19:15
ahasenackthe "current" console?19:15
jjohansenits essentially a hardlink for the active processes console, so it is more restricted than say /dev/tty[0-9]19:17
georgiagin the specific case of bug 2009230, the ideal scenario would be to change the rsyslog config file of google-compute-engine to log into a file instead of using /dev/console, but I don't know if that's feasible for them19:17
-ubottu:#ubuntu-security- Bug 2009230 in rsyslog (Ubuntu Lunar) "AppArmor denials for rsyslog" [Undecided, New] https://launchpad.net/bugs/200923019:17
ahasenackgeorgiag: I think the console in a cloud image might be more "important"19:18
ahasenackas you wouldn't ahve access to such a file if the image doesn't get to a point where you can ssh in19:18
ahasenackbut the cloud api usually has a way to get the console19:18
jjohansentty is associated with the process group, tty0 to the virtual terminal19:18
georgiagah, that's right19:19
jjohansenyeah, adding console access is the way to go19:19
ahasenackyou still think the abstraction is best?19:19
ahasenackyour improvements won't land in lunar in time for the release, right?19:19
jjohansentrue, so maybe just stick to /dev/console19:20
jjohansenthe use console abstraction is kind of an upstream thing, where we are trying to get policy to be ready for new features19:21
ahasenackgeorgiag: was that all that was needed? I see /dev/console is root:tty and only writable by root or tty19:21
ahasenackI've seen other bugs fly past about syslog not being part of the tty group. Maybe the google package is also changing that?19:21
ahasenackor perhaps /dev/console there has different permissions19:22
georgiagI'll have to double check, sorry19:27
jjohansenhrmmm, I don't know either, will be interested to find out19:27
ahasenackanyway, apparmor is definitely in the way19:27
ahasenackbut they might find out that after apparmor allows the access, then filesystem permissions are in the way :)19:28
ahasenackgeorgiag: would you like to propose an MP for rsyslog? I can sponsor19:28
ahasenack(thinking about you getting upload karma). If not, I can do it19:28
georgiagahasenack: yeah, I'll ping you when I have it ready. thanks19:36
ahasenackgeorgiag: remember this Monday is beta freeze19:37
ahasenack(I'll be around during the weekend, though)19:38
georgiagokay. thanks for the reminder!19:38
UnivrslSuprBoxI noticed that USN-5966-1 was released to xenial/trusty-security/updates, but its revert was only released into ESM. I'm not sure if the team is planning to send the revert to the public archives or kick the package version out of xenial, but this could cause a bad time for the unsupported releases20:50
sarnoldUnivrslSuprBox: ack, thanks20:51

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!