Gu, Jay
2023-Aug-08 10:39 UTC
[R] R library highcharter function highchart() execute with exception the apparmor read denied for /etc/passwd and /etc/group
Dears,

I use the R library highcharter with Ubuntu 18.04 and R 3.6.3. Recently, I upgraded to Ubuntu 20.04 and R 4.3.1. The version of library highcharter is 0.9.4 in both. When I execute the function highchart(), it always throws the exception that the child process has died. I checked /var/log/kern.log and found the error below:

Aug 7 08:37:50 ip-172-31-27-249 kernel: [2251703.494866] audit: type=1400 audit(1691397470.399:739): apparmor="DENIED" operation="open" profile="managedr-profile" name="/etc/passwd" pid=159930 comm="R" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 7 08:37:50 ip-172-31-27-249 kernel: [2251703.494871] audit: type=1400 audit(1691397470.399:740): apparmor="DENIED" operation="open" profile="managedr-profile" name="/etc/group" pid=159930 comm="R" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

If I add the two lines below to my AppArmor profile, it resolves this issue. But I don't like to expose these two files to the end user, as it has potential risk.

/etc/passwd r,
/etc/group r,

I'd like to know if there is any solution to fix it without giving read access to these two files, /etc/passwd and /etc/group, in the AppArmor profile, as I did with Ubuntu 18.04 and R 3.6.3. Thanks!

Best Regards!
Jay Gu
Bert Gunter
2023-Aug-08 14:57 UTC
[R] R library highcharter function highchart() execute with exception the apparmor read denied for /etc/passwd and /etc/group
If you don't get a satisfactory answer here in due course, you can try contacting the package maintainer, who you can find via ?maintainer.

Cheers,
Bert

On Tue, Aug 8, 2023 at 7:50 AM Gu, Jay via R-help <r-help at r-project.org> wrote:
> Dears,
>
> I use the R library highcharter with Ubuntu 18.04 and R 3.6.3. Recently, I upgraded to Ubuntu 20.04 and R 4.3.1. The version of library highcharter is 0.9.4 in both. When I execute the function highchart(), it always throws the exception that the child process has died. I checked /var/log/kern.log and found the error below:
>
> Aug 7 08:37:50 ip-172-31-27-249 kernel: [2251703.494866] audit: type=1400 audit(1691397470.399:739): apparmor="DENIED" operation="open" profile="managedr-profile" name="/etc/passwd" pid=159930 comm="R" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
> Aug 7 08:37:50 ip-172-31-27-249 kernel: [2251703.494871] audit: type=1400 audit(1691397470.399:740): apparmor="DENIED" operation="open" profile="managedr-profile" name="/etc/group" pid=159930 comm="R" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
>
> If I add the two lines below to my AppArmor profile, it resolves this issue. But I don't like to expose these two files to the end user, as it has potential risk.
>
> /etc/passwd r,
> /etc/group r,
>
> I'd like to know if there is any solution to fix it without giving read access to these two files, /etc/passwd and /etc/group, in the AppArmor profile, as I did with Ubuntu 18.04 and R 3.6.3. Thanks!
>
> Best Regards!
> Jay Gu
Ivan Krylov
2023-Aug-08 19:15 UTC
[R] R library highcharter function highchart() execute with exception the apparmor read denied for /etc/passwd and /etc/group
On Tue, 8 Aug 2023 10:39:15 +0000 "Gu, Jay via R-help" <r-help at r-project.org> wrote:
> When I execute the function highchart(), it always throws the exception that the child process has died. I checked /var/log/kern.log and found the error below:
>
> Aug 7 08:37:50 ip-172-31-27-249 kernel: [2251703.494866] audit: type=1400 audit(1691397470.399:739): apparmor="DENIED" operation="open" profile="managedr-profile" name="/etc/passwd" pid=159930 comm="R" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

It's not that terrible to let a program access /etc/passwd. It does contain the list of the users, which is a privacy risk, true, but at least the passwords are safely hashed and hidden away in /etc/shadow.

Searching the CRAN mirror on GitHub for "/etc/passwd" gives quite a few hits, and so does "getpwuid". There are likely other POSIX functions that read /etc/passwd too. Any of highcharter's 68 dependencies could be trying to read /etc/passwd directly or indirectly. (Could be fs, could be some other package.) If you run R -d gdb and let it crash, what does the backtrace say?

I think it's likely that the /etc/passwd access won't be easy to get rid of, so if you don't want to give R access to it, you might want to run it inside a container or a virtual machine.

--
Best regards,
Ivan
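
An added example, not part of any message in this thread: a small parser that groups AppArmor DENIED records from kern.log by profile and path, so the exact access a profile is missing can be reviewed before any rule is granted. The function names are hypothetical, the sample input is the two records quoted in the thread, and the hex decoding of unquoted fields is an assumption about how the kernel audit subsystem encodes values containing spaces or control characters.

```python
import re

# The two kern.log records quoted in the thread.
SAMPLE = """\
Aug 7 08:37:50 ip-172-31-27-249 kernel: [2251703.494866] audit: type=1400 audit(1691397470.399:739): apparmor="DENIED" operation="open" profile="managedr-profile" name="/etc/passwd" pid=159930 comm="R" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 7 08:37:50 ip-172-31-27-249 kernel: [2251703.494871] audit: type=1400 audit(1691397470.399:740): apparmor="DENIED" operation="open" profile="managedr-profile" name="/etc/group" pid=159930 comm="R" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Assumption: the audit subsystem writes these fields as unquoted hex when the
# value contains spaces, quotes or control characters.
HEX_FIELDS = {"name", "comm", "profile"}
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

def parse_line(line):
    """Return the key=value fields of one AppArmor DENIED record, else None."""
    if 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw, quoted in FIELD.findall(line):
        if raw.startswith('"'):
            fields[key] = quoted
        elif key in HEX_FIELDS and HEX.fullmatch(raw):
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace")
        else:
            fields[key] = raw
    return fields

def summarize(text):
    """Map (profile, path) -> {"masks": set, "comms": set, "count": int}."""
    summary = {}
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or "name" not in rec:
            continue  # not a denial, or not a path-based one
        entry = summary.setdefault((rec.get("profile", "?"), rec["name"]),
                                   {"masks": set(), "comms": set(), "count": 0})
        entry["masks"].update(rec.get("denied_mask", ""))
        entry["comms"].add(rec.get("comm", "?"))
        entry["count"] += 1
    return summary

def candidate_rules(summary, profile):
    """File rules that would cover the denials logged for one profile."""
    return [f"{path} {''.join(sorted(e['masks']))},"
            for (prof, path), e in sorted(summary.items()) if prof == profile]

if __name__ == "__main__":
    print(candidate_rules(summarize(SAMPLE), "managedr-profile"))
```

The candidate rules are a review aid: each one is the access the confined process asked for, to be weighed against the container or virtual machine alternative raised above.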