From b2196018db4847fd4b66850e8bbebd2a0b00a12d Mon Sep 17 00:00:00 2001
From: Tyler Hicks <tyhicks@canonical.com>
Date: Thu, 30 Mar 2017 23:55:58 +0000
Subject: [PATCH] Detect existing malicious guest user home dirs

It was discovered that a local attacker could watch for lightdm's
guest-account script to create a /tmp/guest-XXXXXX file and then quickly
create the lowercase representation of the guest user's home directory
before lightdm could. This allowed the attacker to have control of the
guest user's home directory and, subsequently, gain control of an
arbitrary directory in the filesystem which could lead to privilege
escalation.

This patch fixes the issue by detecting failures in creating a directory
for the guest user's home directory. If the file (directory, symlink,
etc.) already exists at the path, mkdir will fail and the script will
exit. This means that it is still possible for a local user to carry out
a denial of service on the guest user login feature.
---
 debian/guest-account.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/debian/guest-account.sh b/debian/guest-account.sh
index 48bbde6..f618390 100644
--- a/debian/guest-account.sh
+++ b/debian/guest-account.sh
@@ -35,7 +35,13 @@ add_account ()
   temp_home=$(mktemp -td guest-XXXXXX)
   GUEST_HOME=$(echo ${temp_home} | tr '[:upper:]' '[:lower:]')
   GUEST_USER=${GUEST_HOME#/tmp/}
-  [ ${GUEST_HOME} != ${temp_home} ] && mv ${temp_home} ${GUEST_HOME}
+  if [ "${GUEST_HOME}" != "${temp_home}" ]; then
+    mkdir "${GUEST_HOME}" || {
+      echo "Failed to create ${GUEST_USER}'s home directory (${GUEST_HOME})"
+      exit 1
+    }
+    rmdir "${temp_home}"
+  fi
 
   # if ${GUEST_USER} already exists, it must be a locked system account with no existing
   # home directory
-- 
2.7.4