
Below is a simple Tcl/Tk GUI program that opens a window and displays the word "Hello" in the window. The filename of the script is "hello.tk".

#!/bin/sh
# The next line is executed by /bin/sh, but not by Tcl 
exec wish "$0" ${1+"$@"}

pack [ttk::label .l -text "Hello"]

I confined the program by using the following Linux AppArmor configuration before running the program.

abi <abi/3.0>,

include <tunables/global>

profile hello.tk @{HOME}/hello.tk {
  include <abstractions/base>
  include <abstractions/fonts>

  # The shebang shell and the wish interpreter run under this same profile (ix).
  /{usr/,}bin/{da,}sh ix,
  /{usr/,}bin/wish[0-9]*.[0-9]* ix,

  # The script itself, the Tcl/Tk library files, and the X authority cookie.
  @{HOME}/hello.tk r,
  /usr/share/tcltk/** r,
  owner /run/user/@{uid}/gdm/Xauthority r,
}

However, upon running the program, the following log entries appear in sudo journalctl --since='today' --grep 'hello.tk' -f:

Jan 08 12:34:56 myhost audit[9500]: AVC apparmor="DENIED" operation="open" profile="hello.tk" name="/etc/nsswitch.conf" pid=9500 comm="wish" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 08 12:34:56 myhost audit[9500]: AVC apparmor="DENIED" operation="open" profile="hello.tk" name="/etc/passwd" pid=9500 comm="wish" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 08 12:34:56 myhost audit[9500]: AVC apparmor="DENIED" operation="open" profile="hello.tk" name="/etc/nsswitch.conf" pid=9500 comm="wish" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 08 12:34:56 myhost audit[9500]: AVC apparmor="DENIED" operation="open" profile="hello.tk" name="/etc/passwd" pid=9500 comm="wish" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

According to the log entries above, the Tk program in question tries to read the files /etc/passwd and /etc/nsswitch.conf at the beginning of its execution. If I change ttk::label to label instead, the program does not try to read those files. This shows that ttk (themed Tk widgets) is responsible for trying to read those files.

Why would such a simple Tcl/Tk program need to have read access to /etc/passwd and /etc/nsswitch.conf?

OS: Debian 12; Tcl/Tk version: 8.6.13.

2 Answers


  1. For those files, I’d guess that you’re looking at a call to getpwent() somewhere, which is part of the POSIX API and likely implemented by the GNU C Library on Linux. (The file /etc/nsswitch.conf contains meta-information to say where to look for such things, and /etc/passwd is the traditional fallback location for the info.) The info in there is (mostly) benign, especially on modern systems that store passwords elsewhere.

    It’s overwhelmingly likely that what was being looked up was the user’s (i.e., your) home directory, independent of what environment variables you have set. I can’t tell which library is doing this; the Tcl implementation certainly has the capability (so it can understand how to open ~/myfile.txt though I think it defaults to respecting $env(HOME)), Tk would likely delegate to Tcl (probably isn’t as you haven’t specified such files in your script), but other dependencies might do their own thing. Both the X11 client library and the font configuration library are quite likely suspects. Maybe that’s why things show up twice?

    Accessing those files isn’t suspicious. Add read access to them to the profile.

  2. On my machine Tcl always opens /etc/nsswitch.conf and /etc/passwd. There is no need to create any widget, themed or not, or indeed to execute any Tcl command, for this to happen.

    Tcl calls getpwuid_r in the process of its initialisation. The culprit is TclpSetVariables. It just needs your username to set $tcl_platform(user).

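Both answers end at the same practical step: read the AVC denials and add the corresponding read rules to the profile. The script below is an added example, not code from the question or either answer, that turns journal lines like those shown in the question into candidate AppArmor rules. The sample log is constructed (the four lines from the question plus two invented lines, one to exercise the `owner` heuristic and one unrelated systemd line to show it is skipped); the `owner` heuristic itself is an assumption that mirrors the kind of rule aa-logprof tends to propose, not something the page states.

```python
import re
from collections import defaultdict

# Constructed sample input: the journal lines from the question plus two
# invented lines (an owner-matching file and a non-AVC message).
SAMPLE_LOG = """\
Jan 08 12:34:56 myhost audit[9500]: AVC apparmor="DENIED" operation="open" profile="hello.tk" name="/etc/nsswitch.conf" pid=9500 comm="wish" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 08 12:34:56 myhost audit[9500]: AVC apparmor="DENIED" operation="open" profile="hello.tk" name="/etc/passwd" pid=9500 comm="wish" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 08 12:34:56 myhost audit[9500]: AVC apparmor="DENIED" operation="open" profile="hello.tk" name="/etc/nsswitch.conf" pid=9500 comm="wish" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 08 12:34:56 myhost audit[9500]: AVC apparmor="DENIED" operation="open" profile="hello.tk" name="/etc/passwd" pid=9500 comm="wish" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Jan 08 12:34:57 myhost audit[9500]: AVC apparmor="DENIED" operation="open" profile="hello.tk" name="/home/alice/.Xauthority" pid=9500 comm="wish" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Jan 08 12:34:57 myhost systemd[1]: Started some unrelated unit.
"""

# key=value pairs; values are either double-quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# canonical order for permission letters when one path collects several masks
PERM_ORDER = "rwmklx"


def parse_avc(line):
    """Return the fields of an AppArmor DENIED AVC line as a dict, or None."""
    if " AVC " not in line:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if fields.get("apparmor") != "DENIED" or "name" not in fields:
        return None
    return fields


def denied_rules(lines):
    """Collapse repeated DENIED file events into one rule per (profile, path).

    Returns {profile_name: [rule, ...]} with rules sorted by path.
    """
    perms = defaultdict(set)  # (profile, path, owner_only) -> permission letters
    for line in lines:
        f = parse_avc(line)
        if f is None or "denied_mask" not in f:
            continue
        # Assumption / heuristic: if the file is owned by the acting uid,
        # restrict the rule with 'owner' so it does not cover other users' files.
        owner_only = f.get("fsuid") is not None and f.get("fsuid") == f.get("ouid")
        perms[(f["profile"], f["name"], owner_only)].update(f["denied_mask"])

    rules = defaultdict(list)
    for (profile, path, owner_only), mask in sorted(perms.items()):
        letters = "".join(p for p in PERM_ORDER if p in mask)
        prefix = "owner " if owner_only else ""
        rules[profile].append(f"{prefix}{path} {letters},")
    return dict(rules)


if __name__ == "__main__":
    # Typical use: journalctl -k --grep AVC | python3 this_script.py
    import sys
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    for profile, rule_list in denied_rules(source).items():
        print(f"# rules to add to profile {profile}")
        for rule in rule_list:
            print(f"  {rule}")
```

For the question's four denials the output is the two lines `/etc/nsswitch.conf r,` and `/etc/passwd r,`, which is exactly what answer 1 suggests adding inside the `profile hello.tk` block. The broader alternative is `include <abstractions/nameservice>`, which grants read access to those two files but also to /etc/group and other NSS configuration and allows the network access NSS lookups may need; for a profile as tight as this one, the two explicit rules are the smaller grant.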