我有一个在虚拟环境中运行的Python应用程序,我正在尝试为它构建一个apparmor配置文件。它有一个如下所示的包装器:
#!/bin/bash
## This script is for running the 'fact' command on staging/prod, it sudos to
## the 'fact' user before executing /opt/fact-virtual-environment/bin/fact
## It is installed as '/usr/bin/fact'
WHOAMI=$(whoami)
PYTHONPATH=/usr/share/fact
PYTHON_BIN=/opt/fact-virtual-environment/bin/python
DJANGO_SETTINGS_MODULE=fact.settings.staging
if [ "${WHOAMI}" != "fact" ];
then
sudo -u fact $0 $*;
else
PYTHONPATH=${PYTHONPATH} DJANGO_SETTINGS_MODULE=${DJANGO_SETTINGS_MODULE} ${PYTHON_BIN} -m fact.managecommand $*;
fi
所以我们总是确保在开始之前我们sudo到正确的用户。然而,即使sudo和whoami我在ux运行(如下所示,是的,我知道ux是坏/不安全),whoami仍然无法获得正确的用户ID。
# Last Modified: Tue Jan 20 09:25:09 2015
#include <tunables/global>
/usr/bin/fact {
#include <abstractions/apache2-common>
#include <abstractions/base>
#include <abstractions/bash>
capability setgid,
capability sys_resource,
deny /etc/group r,
deny /etc/passwd r,
deny /usr/local/lib/python2.7/dist-packages/ r,
deny /usr/local/lib/python2.7/site-packages/ r,
/usr/bin/sudo ux,
/usr/bin/whoami ux,
/bin/bash rix,
/bin/dash rix,
/bin/uname rix,
/dev/tty rw,
/etc/default/locale r,
/etc/group r,
/etc/passwd r,
/etc/environment r,
/etc/login.defs r,
/etc/lsb-release r,
/etc/fact/fact.ini r,
/etc/python2.7/sitecustomize.py r,
#/etc/security/pam_env.conf r,
/lib{,32,64}/** mr,
/opt/fact-virtual-environment/** mr,
/opt/fact-virtual-environment/bin/python rix,
#/proc/*/fd/ r,
#/proc/*/mounts r,
#/proc/filesystems r,
#/proc/loadavg r,
#/proc/meminfo r,
#/proc/sys/kernel/ngroups_max r,
#/run/utmp rk,
/sbin/ldconfig rix,
/sbin/ldconfig.real rix,
/usr/bin/fact rix,
/usr/lib{,32,64}/** mr,
/usr/share/fact/ r,
/usr/share/fact/fact/** r,
/usr/share/pyshared/** r,
}
和错误:
fact
whoami: cannot find name for user ID 1010
whoami: cannot find name for user ID 111
fact is not in the sudoers file. This incident will be reported.
因为它不能确定我正在运行的用户,所以无论如何它都会发生事实然后抱怨,因为事实不能成为sudo。 whoami正确运行需要什么样的apparmor设置?
答案 0 :(得分:0)
我用$ USER切换了whoami命令。这似乎是唯一可行的解决方案。