Guest Account has read access to /home

Bug #844219 reported by Matthew Eaton
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
lightdm (Ubuntu)
Incomplete
Low
Unassigned

Bug Description

I am uncertain as to which package to file this bug against. Please be gentle. This is my first bug report. :)

1) matt@matt-ubuntu-beta:~$ lsb_release -rd
Description: Ubuntu oneiric (development branch)
Release: 11.10

2) Lightdm?

3) Expected behavior: In 11.04 the Guest Account does not have sufficient privileges to access /home. I expected this same behavior with the Guest Account in 11.10.

4) What happened instead: In 11.10 the Guest Account has read access to /home and the home directories within.

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: lightdm 0.9.5-0ubuntu1
ProcVersionSignature: Ubuntu 3.0.0-10.16-generic 3.0.4
Uname: Linux 3.0.0-10-generic i686
Architecture: i386
Date: Wed Sep 7 12:29:50 2011
ExecutablePath: /usr/sbin/lightdm
InstallationMedia: Ubuntu 11.10 "Oneiric Ocelot" - Beta i386 (20110901)
ProcEnviron: PATH=(custom, no user)
SourcePackage: lightdm
UpgradeStatus: No upgrade log present (probably fresh install)

Revision history for this message
Matthew Eaton (meaton) wrote :
Changed in ubuntu:
status: New → Confirmed
affects: ubuntu → lightdm (Ubuntu)
Revision history for this message
Sebastien Bacher (seb128) wrote :

Thank you for your bug report, is the read access to the home directory an issue?

the access to other user directories content got fixes with that change:

lightdm (1.0.0-0ubuntu4) oneiric; urgency=low

  * Add 01_guest_session_lockdown.patch: Lock down guest session with an
    AppArmor profile. This uses the very same approach as gdm-guest-session,
    and copies the profile from it. (LP: #849027)

Changed in lightdm (Ubuntu):
importance: Undecided → Low
status: Confirmed → Incomplete
Revision history for this message
Matthew Eaton (meaton) wrote :

I think it's a privacy issue but not necessarily a security issue. As it is now anyone would have the ability to sit down at your computer, log into a guest session from the log in screen, and then browse all of the users' personal files.

Revision history for this message
Sebastien Bacher (seb128) wrote :

Did you read my comment? With the current version the user could only list the content of the home directory, i.e get a list of users which have a directory there, not enter any of those directories

Revision history for this message
Matthew Eaton (meaton) wrote :

Sorry, I did misunderstand your comment. That said, I just installed the latest updates and I am still able to access the files in my user's home directory using the Guest account.

Revision history for this message
Sebastien Bacher (seb128) wrote :

did you restart your machine after the upgrade? you should not be able to do that and the restriction works for me

Revision history for this message
Sebastien Bacher (seb128) wrote :

ok, in fact you are right, there was a merge issue on the stable serie, that's a duplicate of bug #849027

Revision history for this message
Sebastien Bacher (seb128) wrote :

oh, and thanks for pointing it!

Revision history for this message
Matthew Eaton (meaton) wrote :

I ran the latest updates this morning and confirmed the fix. Thanks for your help!

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.