"Remote Login" account not confined by guest AppArmor profile
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
lightdm (Ubuntu) |
Invalid
|
High
|
Ted Gould | ||
lightdm-remote-session-freerdp (Ubuntu) |
Fix Released
|
High
|
Ted Gould | ||
lightdm-remote-session-uccsconfigure (Ubuntu) |
Fix Released
|
High
|
Ted Gould |
Bug Description
The "Guest" session in lightdm is launched confined by a very restrictive AppArmor profile for security reasons.
The new "Remote Login" session that has been added to Quantal is supposed to be using the same type of guest account restrictions, but isn't restricted by the guest AppArmor profile. This has a security impact on the default desktop.
ProblemType: Bug
DistroRelease: Ubuntu 12.10
Package: lightdm 1.3.3-0ubuntu4
ProcVersionSign
Uname: Linux 3.5.0-14-generic x86_64
NonfreeKernelMo
ApportVersion: 2.5.1-0ubuntu7
Architecture: amd64
Date: Wed Sep 12 10:09:10 2012
InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Alpha amd64 (20120724.2)
ProcEnviron:
LANGUAGE=en_CA:en
TERM=xterm
PATH=(custom, no user)
LANG=en_CA.UTF-8
SHELL=/bin/bash
SourcePackage: lightdm
UpgradeStatus: No upgrade log present (probably fresh install)
Related branches
- Albert Astals Cid (community): Approve
- jenkins (community): Approve (continuous-integration)
-
Diff: 192 lines (+138/-4)5 files modifiedMakefile.am (+28/-1)
configure.ac (+5/-1)
lightdm-remote-session-uccsconfigure.in (+71/-0)
uccsconfigure-session-wrapper.c (+32/-0)
uccsconfigure.desktop.in (+2/-2)
- jenkins (community): Approve (continuous-integration)
- FreeRDP Remote Team: Pending requested
-
Diff: 184 lines (+126/-6)4 files modifiedMakefile.am (+21/-4)
freerdp-session-wrapper.c (+32/-0)
freerdp.desktop.in (+2/-2)
lightdm-remote-session-freerdp.in (+71/-0)
- Michael Terry: Pending requested
-
Diff: 4009 lines (+3397/-75)19 files modifiedAUTHORS (+2/-1)
ChangeLog (+100/-0)
Makefile.am (+44/-3)
Makefile.in (+310/-44)
aclocal.m4 (+389/-0)
compile (+343/-0)
configure (+1328/-16)
configure.ac (+5/-1)
debian/changelog (+28/-0)
debian/control (+4/-1)
debian/rules (+5/-1)
debian/source/format (+0/-1)
depcomp (+708/-0)
firefox-uccsconfigure.desktop.in (+2/-1)
firefox-uccsconfigure.sh (+4/-0)
lightdm-remote-session-uccsconfigure.in (+71/-0)
uccsconfigure-session-wrapper.c (+32/-0)
uccsconfigure-session.in (+20/-4)
uccsconfigure.desktop.in (+2/-2)
- Michael Terry: Pending requested
-
Diff: 733 lines (+355/-47)14 files modifiedAUTHORS (+1/-0)
ChangeLog (+64/-0)
Makefile.am (+26/-4)
Makefile.in (+116/-24)
configure (+10/-10)
configure.ac (+1/-1)
debian/changelog (+11/-0)
debian/control (+4/-1)
debian/rules (+5/-1)
freerdp-session-wrapper.c (+32/-0)
freerdp-session.in (+1/-1)
freerdp.desktop.in (+2/-2)
lightdm-remote-session-freerdp.in (+71/-0)
socket-sucker.c (+11/-3)
Changed in lightdm (Ubuntu): | |
assignee: | nobody → Ted Gould (ted) |
importance: | Undecided → High |
Changed in lightdm (Ubuntu): | |
status: | New → Confirmed |
Changed in lightdm-remote-session-freerdp (Ubuntu): | |
status: | New → Confirmed |
importance: | Undecided → High |
assignee: | nobody → Ted Gould (ted) |
Changed in lightdm-remote-session-uccsconfigure (Ubuntu): | |
status: | New → Confirmed |
importance: | Undecided → High |
assignee: | nobody → Ted Gould (ted) |
Changed in lightdm (Ubuntu): | |
status: | Confirmed → Invalid |
Changed in lightdm-remote-session-freerdp (Ubuntu): | |
status: | Confirmed → Fix Committed |
Changed in lightdm-remote-session-uccsconfigure (Ubuntu): | |
status: | Confirmed → Fix Committed |
How to reproduce:
- Guest account:
- open session
- open terminal
- "cd /home;ls" should give "Permission denied" and dmesg should show AppArmor denial
- Remote Login:
- Click on Remote Login help icon in greeter
- Click on "Set up" button
- open terminal
- "cd /home;ls" should fail, but currently does not.