files written as root to user-controlled folders

Bug #834079 reported by Yves-Alexis Perez on 2011-08-25
274
This bug affects 3 people
Affects Status Importance Assigned to Milestone
Light Display Manager
High
Martin Pitt
lightdm (Debian)
Fix Released
Unknown
lightdm (Ubuntu)
High
Martin Pitt
Oneiric
High
Martin Pitt

Bug Description

Hey,

as you were on CC: I guess you're already aware, but reporting so it can be tracked upstream.

Short version: http://seclists.org/oss-sec/2011/q3/393

Long version: .dmrc and Xauthority files are written by lightdm running as root while they're in user controlled folders. An user can, via a symlink, overwrite root-owned files. It doesn't look like it can achieve easily privilege-escalation (since the content is quite fixed) but it's still bad.

Basically the correct fix seems to have workers process which would setuid() to the user before writing content to those files.

CVE-2011-3349

Related branches

CVE References

visibility: private → public
Changed in lightdm (Debian):
status: Unknown → Confirmed
Changed in lightdm:
status: New → Triaged
importance: Undecided → High
Changed in lightdm (Ubuntu Oneiric):
importance: Undecided → High
Changed in lightdm (Ubuntu Oneiric):
assignee: nobody → Robert Ancell (robert-ancell)
Jamie Strandboge (jdstrand) wrote :

Added a 11.10 milestone since I don't know when this is planning on getting fixed, but we definitely don't want to release with this (as I'm sure we all agree :).

Changed in lightdm (Ubuntu Oneiric):
status: New → Triaged
milestone: none → ubuntu-11.10
Yves-Alexis Perez (corsac) wrote :

Robert, any news?

Robert Ancell (robert-ancell) wrote :

Absolutely agree, needs to be fixed for 1.0 (and 11.10 for Ubuntu).

Martin Pitt (pitti) on 2011-09-13
Changed in lightdm (Ubuntu Oneiric):
assignee: Robert Ancell (robert-ancell) → Martin Pitt (pitti)
status: Triaged → In Progress
Martin Pitt (pitti) on 2011-09-13
description: updated
Martin Pitt (pitti) wrote :

I can replicate the bug with creating a root owned /rootfile and ln -s /rootfile ~/.Xauthority. lightdm changes /rootfile then.

Writing ~/.dmrc uses g_file_set_contents() which is safe against symlink attacks. However, it's still more robust to drop privileges instead of chown()ing.

Martin Pitt (pitti) wrote :

Merge proposal sent.

Changed in lightdm (Ubuntu Oneiric):
status: In Progress → Fix Committed
Changed in lightdm:
status: Triaged → Fix Committed
assignee: nobody → Martin Pitt (pitti)
status: Fix Committed → In Progress
Martin Pitt (pitti) wrote :

Forgot to mention in changelog:

lightdm (0.9.5-0ubuntu2) oneiric; urgency=low

  * debian/lightdm.config: When installing from scratch as part of a release
    upgrade, default to lightdm, otherwise ask. (LP: #806559)
  * Add 04_dont_write_files_as_root.patch: Do not write ~/.dmrc and
    ~/.Xauthority as root. [CVE-2011-3349]
  * Add 00upstream_unlock_fix.patch: Only unlock displays if switched to from
    greeter. Cherrypicked from upstream r1137. (LP: #844274)

 -- Martin Pitt <email address hidden> Thu, 15 Sep 2011 08:52:24 +0200

Also fixed upstream now in 0.9.6.

Changed in lightdm (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Changed in lightdm:
status: In Progress → Fix Released
Changed in lightdm (Debian):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.