[R] R library highcharter function highchart() execute with exception the apparmor read denied for /etc/passwd and /etc/group

Ivan Krylov kry|ov@r00t @end|ng |rom gm@||@com
Tue Aug 8 21:15:06 CEST 2023


On Tue, 8 Aug 2023 10:39:15 +0000
"Gu, Jay via R-help" <r-help using r-project.org> wrote:

> Then I execute the function highchart() and it always throws the
> exception that the child process has died. And I checked
> /var/log/kern.log and found the error below:
> 
> Aug 7 08:37:50 ip-172-31-27-249 kernel: [2251703.494866] audit:
> type=1400 audit(1691397470.399:739): apparmor="DENIED"
> operation="open" profile="managedr-profile" name="/etc/passwd"
> pid=159930 comm="R" requested_mask="r" denied_mask="r" fsuid=1000
> ouid=0

It's not that terrible to let a program access /etc/passwd. It does
contain the list of the users, which is a privacy risk, true, but at
least the passwords are safely hashed and hidden away in /etc/shadow.

Searching the CRAN mirror on GitHub for "/etc/passwd" gives quite a few
hits, and so does "getpwuid". There are likely other POSIX functions
that read /etc/passwd too. Any of highcharter's 68 dependencies could
be trying to read /etc/passwd directly or indirectly. (Could be fs,
could be some other package.)

If you run R -d gdb and let it crash, what does the backtrace say?

I think it's likely that the /etc/passwd access won't be easy to get
rid of, so if you don't want to give R access to it, you might want to
run it inside a container or a virtual machine.

-- 
Best regards,
Ivan
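
To see every path the profile denies, not only /etc/passwd, before choosing between changing the profile and moving R into a container, the denials in kern.log can be tallied. This is an added example, not part of the original message: the function names are illustrative, and only the first sample line comes from the thread (the rest are constructed).

```python
import re
from collections import Counter

# Line 1 is the denial quoted in the thread, joined onto one line. Lines 2-4
# are constructed. Line 3 has a hex-encoded name: the kernel audit code logs
# strings containing spaces or control characters as unquoted hex.
SAMPLE_LOG = """\
Aug 7 08:37:50 ip-172-31-27-249 kernel: [2251703.494866] audit: type=1400 audit(1691397470.399:739): apparmor="DENIED" operation="open" profile="managedr-profile" name="/etc/passwd" pid=159930 comm="R" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 7 08:37:50 ip-172-31-27-249 kernel: [2251703.495101] audit: type=1400 audit(1691397470.400:740): apparmor="DENIED" operation="open" profile="managedr-profile" name="/etc/group" pid=159930 comm="R" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 7 08:37:51 ip-172-31-27-249 kernel: [2251704.000000] audit: type=1400 audit(1691397471.000:741): apparmor="DENIED" operation="open" profile="managedr-profile" name=2F746D702F5220746D70 pid=159930 comm="R" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 7 08:37:52 ip-172-31-27-249 kernel: [2251705.000000] audit: type=1400 audit(1691397472.000:742): apparmor="ALLOWED" operation="open" profile="managedr-profile" name="/tmp/x" pid=159930 comm="R" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
"""

# key="quoted value" or key=bare_token
PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')
# Fields the kernel may hex-encode; numeric fields such as fsuid are left alone.
HEX_FIELDS = {"name", "comm", "profile"}


def parse_denial(line):
    """Return the key/value fields of one AppArmor DENIED record, else None."""
    if "type=1400" not in line or 'apparmor="DENIED"' not in line:
        return None
    fields = {}
    for key, raw, quoted in PAIR.findall(line):
        value = quoted if raw.startswith('"') else raw
        if key in HEX_FIELDS and not raw.startswith('"'):
            try:
                value = bytes.fromhex(raw).decode("utf-8", "replace")
            except ValueError:
                pass  # bare token that is not hex: keep it as logged
        fields[key] = value
    return fields


def summarize(log_text):
    """Count denials per (profile, comm, path, denied_mask)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_denial(line)
        if rec:
            key = tuple(rec.get(k) for k in ("profile", "comm", "name", "denied_mask"))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (profile, comm, name, mask), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  profile={profile} comm={comm} mask={mask} path={name}")
```
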


