#988068 redshift: apparmor profile refers to wrong conf file

Package:
redshift
Source:
redshift
Description:
Adjusts the color temperature of your screen
Submitter:
Çağlar Girit
Date:
2024-12-02 10:21:01 UTC
Severity:
important
#988068#5
Date:
2021-05-04 18:19:55 UTC
From:
To:
Dear Maintainer,

   * What led up to the situation?
The configuration file may be in .config/redshift/ instead of
.config/ and the apparmor profile usr.bin.redshift only allows reading
.config/redshift.conf
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
     Add the following line to /etc/apparmor:
     owner @{HOME}/.config/redshift/redshift.conf r,
   * What was the outcome of this action?
   it works

#988068#10
Date:
2021-06-27 09:37:46 UTC
From:
To:
It seems to me, like something along this fix, would be enough:
https://salsa.debian.org/debian/redshift/-/merge_requests/4/diffs

+owner @{HOME}/.config/redshift/redshift.conf r,

Just discovered this while migrating to bullseye, this does essentially break redshift on bullseye, if you use a config-file at the default location.

#988068#15
Date:
2022-04-25 13:12:17 UTC
From:
To:
Instead of wasting time configuring and running a location service, I
just had a number of slightly different configuration files for redshift
(with different manual locations specified) and would just let
`.config/redshift.conf` be a symlink to the one corresponding to my
current location. (And do some extra work in new locations)

That didn't work with the discussed restriction (but I could easily put
all the different configs in `.config/redshift/`.

For now my workaround was simply to replace the symlink with a copy.

#988068#20
Date:
2022-04-26 07:58:11 UTC
From:
To:
I just read (and understood) Mikkel's suggestion. That won't help in my
case, I basically need read permissions to *all* files in
`.config/redshift`.

Unfortunately I don't know apparmor well enough to suggest an addition
to the policy that will accomplish that.

#988068#25
Date:
2023-03-04 18:02:59 UTC
From:
To:
On Tue, 26 Apr 2022 09:58:11 +0200 Henrik Christian Grove  <debian@3001.dk> wrote:
 > I just read (and understood) Mikkel's suggestion. That won't help in my
 > case, I basically need read permissions to *all* files in
 > `.config/redshift`.
 >
 > Unfortunately I don't know apparmor well enough to suggest an addition
 > to the policy that will accomplish that.
 >
 >

This could help until it gets fixed upstream:

Edit the file /etc/apparmor.d/usr.bin.redshift and change the line

     owner @{HOME}/.config/redshift.conf r,

To

     owner @{HOME}/.config/redshift/* r,


Then restart apparmor: sudo systemctl restart apparmor

#988068#30
Date:
2023-04-08 06:57:36 UTC
From:
To:
I'm having a similar problem, because my redshift config file is in version
control, and ~/.config/redshift.conf is a symlink to the version controlled
file. I changed it to a hardlink, which allows redshift to read the config
file, but this is not a robust solution.

I don't know anything about apparmor, but is there some hope that the
config could be changed to follow symlinks? Or perhaps that "defeats the
purpose" of apparmor?

#988068#35
Date:
2024-12-02 10:17:11 UTC
From:
To:
On Sat, 4 Mar 2023 15:02:59 -0300 Gonzalo Arreche <gonzaloarreche@gmail.com> wrote:


I added the entry instead of changing the original (which could work for some
users) and can confirm that it fixed the issue for me with missing read
permissions.