我有一个在虚拟环境中运行的Python应用程序,我正在尝试为它构建一个apparmor配置文件。它有一个包装器,如下所示:
#!/bin/bash
## This script is for running the 'fact' command on staging/prod, it sudos to
## the 'fact' user before executing /opt/fact-virtual-environment/bin/fact
## It is installed as '/usr/bin/fact'
WHOAMI=$(whoami)
PYTHONPATH=/usr/share/fact
PYTHON_BIN=/opt/fact-virtual-environment/bin/python
DJANGO_SETTINGS_MODULE=fact.settings.staging
if [ "${WHOAMI}" != "fact" ];
then
sudo -u fact $0 $*;
else
PYTHONPATH=${PYTHONPATH} DJANGO_SETTINGS_MODULE=${DJANGO_SETTINGS_MODULE} ${PYTHON_BIN} -m fact.managecommand $*;
fi
因此,我们始终确保在开始之前对正确的用户进行sudo。但是,即使 sudo 和 whoami 我在 ux 上运行(如下所示,是的,我知道 ux 是坏的/不安全的),whoami 仍然无法获得正确的用户 ID。
# Last Modified: Tue Jan 20 09:25:09 2015
#include <tunables/global>
/usr/bin/fact {
#include <abstractions/apache2-common>
#include <abstractions/base>
#include <abstractions/bash>
capability setgid,
capability sys_resource,
deny /etc/group r,
deny /etc/passwd r,
deny /usr/local/lib/python2.7/dist-packages/ r,
deny /usr/local/lib/python2.7/site-packages/ r,
/usr/bin/sudo ux,
/usr/bin/whoami ux,
/bin/bash rix,
/bin/dash rix,
/bin/uname rix,
/dev/tty rw,
/etc/default/locale r,
/etc/group r,
/etc/passwd r,
/etc/environment r,
/etc/login.defs r,
/etc/lsb-release r,
/etc/fact/fact.ini r,
/etc/python2.7/sitecustomize.py r,
#/etc/security/pam_env.conf r,
/lib{,32,64}/** mr,
/opt/fact-virtual-environment/** mr,
/opt/fact-virtual-environment/bin/python rix,
#/proc/*/fd/ r,
#/proc/*/mounts r,
#/proc/filesystems r,
#/proc/loadavg r,
#/proc/meminfo r,
#/proc/sys/kernel/ngroups_max r,
#/run/utmp rk,
/sbin/ldconfig rix,
/sbin/ldconfig.real rix,
/usr/bin/fact rix,
/usr/lib{,32,64}/** mr,
/usr/share/fact/ r,
/usr/share/fact/fact/** r,
/usr/share/pyshared/** r,
}
和错误:
fact
whoami: cannot find name for user ID 1010
whoami: cannot find name for user ID 111
fact is not in the sudoers file. This incident will be reported.
因为它无法确定我正在运行的用户,所以无论如何它都会对事实进行 sudo,然后抱怨,因为事实无法 sudo。需要什么装甲设置才能正确运行?
我用$USER切换了whoami命令。这似乎是唯一可行的解决方案。