lightdm login fails with NFS home and strict (mode 0700) permissions

Bug #877766 reported by Allen Belletti on 2011-10-18
This bug affects 22 people
Affects                  Importance   Assigned to
Light Display Manager    Medium       Unassigned
lightdm (Ubuntu)         Medium       Unassigned
Oneiric                  Medium       Robert Ancell

Bug Description

Lightdm appears not to be able to log in a user if all of the following are true:

1. They've got an NFS-mounted home directory
2. NFS is configured in the usual manner; i.e., root privileges do not allow access to arbitrary remote files
3. The user's home directory permissions are such that "other" cannot access the directory (i.e., mode 0700)

In this situation, the password is accepted and the screen clears. Rather than bringing up the desktop as expected, a couple of seconds pass and we're returned to the lightdm screen. This yielded a message in one of the /var/log/lightdm logs which I've just discovered was overwritten by subsequent successful logins. I'll recreate this and update the bug tonight.

Workaround was to chmod the user's homedir to 0711 which allowed lightdm to work properly.

Release is Ubuntu 11.10 with all updates as of 17 Oct 2011 at roughly 10pm EDT. Lightdm package is 1.0.1-0ubuntu6.


John Bramley (john-bramley) wrote :

I have the same problem: logging in as a user with an NFS home directory fails.

Permissions on users' home directories: rwx------ (default as created by useradd)
NFS (v3) filesystem is not exported with root permission for client machine (i.e. no 'no_root_squash' option)

User enters username and password on login screen and then screen goes black and login window reappears.

Giving root access on the user's home directory allows logins to work:

    chmod o+x <user home directory>

or, if ACLs are enabled for the filesystem:

    setfacl -m user:65534:x <user home directory>

without changes /var/log/lightdm/lightdm.log shows:
[+16.20s] WARNING: Failed to change to home directory /npdisks/home/jb: Permission denied

relevant lines in lightdm.log:
[+15.91s] DEBUG: Authenticate result for user jb: Success
[+15.91s] DEBUG: User jb authorized
[+15.91s] DEBUG: Wrote 24 bytes to greeter
[+15.95s] DEBUG: Read 8 bytes from greeter
[+15.95s] DEBUG: Read 10 bytes from greeter
[+15.95s] DEBUG: Greeter requests session ubuntu
[+15.95s] DEBUG: Stopping greeter
[+15.95s] DEBUG: Dropping privileges to uid 106
[+15.95s] DEBUG: Removing session authority from /var/lib/lightdm/.Xauthority
[+15.99s] DEBUG: Restoring privileges
[+15.99s] DEBUG: Sending signal 15 to process 7053
[+16.00s] DEBUG: Process 7053 exited with return value 0
[+16.00s] DEBUG: pam_close_session(0xc5a840) -> 0 (Success)
[+16.00s] DEBUG: pam_setcred(0xc5a840, PAM_DELETE_CRED) -> 0 (Success)
[+16.00s] DEBUG: pam_end(0xc5a840) -> 0
[+16.00s] DEBUG: Ending ConsoleKit session 137061b491bb03a23bfe54c90000029c-1319111371.735096-2139365219
[+16.09s] DEBUG: Greeter quit
[+16.09s] DEBUG: Starting user session
[+16.11s] DEBUG: Dropping privileges to uid 6057
[+16.11s] DEBUG: Writing /npdisks/home/jb/.dmrc
[+16.11s] DEBUG: Restoring privileges
[+16.15s] DEBUG: Starting session ubuntu as user logging to /npdisks/home/jb/.xsession-errors
[+16.15s] DEBUG: Launching session
[+16.15s] DEBUG: pam_set_item(0xc6a9f0, 3, ":0") -> 0 (Success)
[+16.16s] DEBUG: pam_open_session(0xc6a9f0, 0) -> 0 (Success)
[+16.19s] DEBUG: Opened ConsoleKit session 137061b491bb03a23bfe54c90000029c-1319111387.433106-1241632904
[+16.19s] DEBUG: Dropping privileges to uid 6057
[+16.19s] DEBUG: Adding session authority to /npdisks/home/jb/.Xauthority
[+16.20s] DEBUG: Restoring privileges
[+16.20s] DEBUG: Launching process 7148: /usr/sbin/lightdm-session 'gnome-session --session=ubuntu'
[+16.20s] WARNING: Failed to change to home directory /npdisks/home/jb: Permission denied
[+16.20s] DEBUG: Registering session with bus path /org/freedesktop/DisplayManager/Session0
[+16.20s] DEBUG: Process 7148 exited with return value 1
[+16.21s] DEBUG: pam_close_session(0xc6a9f0) -> 0 (Success)
[+16.21s] DEBUG: pam_setcred(0xc6a9f0, PAM_DELETE_CRED) -> 0 (Success)
[+16.21s] DEBUG: pam_end(0xc6a9f0) -> 0
[+16.21s] DEBUG: Ending ConsoleKit session 137061b491bb03a23bfe54c90000029c-1319111387.433106-1241632904
[+16.24s] DEBUG: User session quit

having a brief look at the source for lightdm, src/session.c :

    /* Change working directory */
    if (chdir (user_get_home_directory (user)) != 0)
    {
        g_warning ("Failed to change to home directory %s: %s"...


Allen Belletti (allen-i) wrote :

A quick followup, and thanks to John since I hadn't gotten this data together yet. Yes, this is exactly the error situation that I saw in my logs as well.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lightdm (Ubuntu):
status: New → Confirmed

Sebastien Bacher (seb128) wrote :

Thank you for your work. Robert said he will look at it for the next SRU round.

Changed in lightdm (Ubuntu Oneiric):
assignee: nobody → Robert Ancell (robert-ancell)
importance: Undecided → Medium
status: New → Triaged
Changed in lightdm (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Medium
Changed in lightdm:
status: New → Confirmed
summary: - lightdm login fails with NFS home
+ lightdm login fails with NFS home and strict (mode 0700) permissions

Axel Beckert (xtaran) wrote :

Hi,

Sebastien Bacher (seb128) wrote on 2011-10-25:
> Robert said he will look at it for the next SRU round

Any ETA when this will happen?

Ingar Smedstad (ingsme) wrote :

This may be the same problem I reported in Bug #914674

I notice this behaviour as well:

[+16.19s] DEBUG: Dropping privileges to uid 6057
[+16.19s] DEBUG: Adding session authority to /npdisks/home/jb/.Xauthority
[+16.20s] DEBUG: Restoring privileges
[+16.20s] DEBUG: Launching process 7148: /usr/sbin/lightdm-session 'gnome-session --session=ubuntu'
[+16.20s] WARNING: Failed to change to home directory /npdisks/home/jb: Permission denied

It looks like it restores privileges to root before trying to change to home directory and this naturally fails since root has no privileges there.

It looks like session.c tries to change working directory _before_ it tries to change user:

session.c:
Line 409:
    /* Change working directory */
    if (chdir (user_get_home_directory (user)) != 0)
    {
        g_warning ("Failed to change to home directory %s: %s", user_get_home_directory (user), strerror (errno));
        _exit (EXIT_FAILURE);
    }

    /* Change to this user */
    if (getuid () == 0)
    {
        if (initgroups (user_get_name (user), user_get_gid (user)) < 0)
        {
            g_warning ("Failed to initialize supplementary groups for %s: %s", user_get_name (user), strerror (errno));
            _exit (EXIT_FAILURE);
        }

        if (setgid (user_get_gid (user)) != 0)
        {
            g_warning ("Failed to set group ID to %d: %s", user_get_gid (user), strerror (errno));
            _exit (EXIT_FAILURE);
        }

        if (setuid (user_get_uid (user)) != 0)
        {
            g_warning ("Failed to set user ID to %d: %s", user_get_uid (user), strerror (errno));
            _exit (EXIT_FAILURE);
        }
    }

Reinhard Tartler (siretart) wrote :

Robert, I've prepared a new upload for precise with a patch that moves the chdir syscall after the setuid call. On my test machine, this allows users to log in with strict home permissions. See the attached bzr branch.

Changed in lightdm:
status: Confirmed → Triaged
importance: Undecided → Medium

Robert Ancell (robert-ancell) wrote :

Apologies, this one fell through the cracks. I've committed this change to upstream lightdm, and it will be in versions 1.0.8 and 1.1.4.
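
The ordering discussed in this thread (drop to the user's credentials first, then chdir into the home directory), as an added example in C. It is not lightdm's code: `become_user_then_chdir` and `session_can_enter_home` are hypothetical names, and the check that root cannot be regained is an addition beyond what the thread describes.

```c
#define _DEFAULT_SOURCE 1   /* for initgroups() */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper; runs in the forked session child. 0 = ok, -1 = failed. */
static int become_user_then_chdir(const struct passwd *pw)
{
    if (getuid() == 0) {
        /* Groups and gid first: both calls still need root. */
        if (initgroups(pw->pw_name, pw->pw_gid) < 0) return -1;
        if (setgid(pw->pw_gid) != 0) return -1;
        if (setuid(pw->pw_uid) != 0) return -1;
        /* Added check: the drop must be permanent. */
        if (pw->pw_uid != 0 && setuid(0) == 0) return -1;
    }
    /* Only now enter the home: the NFS server sees the user's uid, not squashed root. */
    if (chdir(pw->pw_dir) != 0) {
        fprintf(stderr, "chdir %s: %s\n", pw->pw_dir, strerror(errno));
        return -1;
    }
    return 0;
}

/* Hypothetical wrapper: fork so the caller keeps its own credentials and cwd. */
int session_can_enter_home(const struct passwd *pw)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0)
        _exit(become_user_then_chdir(pw) == 0 ? EXIT_SUCCESS : EXIT_FAILURE);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    const struct passwd *pw = getpwuid(getuid());   /* current user as sample input */
    if (pw == NULL) return EXIT_FAILURE;
    printf("%s: %s\n", pw->pw_dir, session_can_enter_home(pw) == 0 ? "ok" : "denied");
    return EXIT_SUCCESS;
}
```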

Changed in lightdm (Ubuntu):
status: Triaged → Fix Committed
Changed in lightdm:
status: Triaged → Fix Committed
Changed in lightdm:
status: Fix Committed → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.1.4-0ubuntu1

---------------
lightdm (1.1.4-0ubuntu1) precise; urgency=low

  * New upstream release.
    - Change session directory once user permissions are set so it works
      on NFS filesystems that don't allow root to access files. (LP: #877766)
    - Restructure session code so the PAM authentication is run in its
      own process. (LP: #881466)
    - Set PAM_XDISPLAY and PAM_XAUTHDATA pam items (LP: #862559)
    - Don't send session stdout to .xsession-errors
    - Fix Qt bindings crash when removing a user
 -- Robert Ancell <email address hidden> Thu, 01 Mar 2012 20:54:07 +1100

Changed in lightdm (Ubuntu):
status: Fix Committed → Fix Released

Martin Pitt (pitti) wrote :

Reinhard, thank you for your -proposed upload! However, I have to reject it because today we got a security update (https://launchpad.net/ubuntu/+source/lightdm/1.0.6-0ubuntu1.4) and that version number is now taken. Can you please re-merge on top of that security update and reupload? Thanks!

Reinhard Tartler (siretart) wrote :

I've reuploaded the package as 1.0.6-0ubuntu1.5

Dan Bishop (danbishop) wrote :

Can confirm this is now fixed in Precise :D Thank you!

Tried this morning with version 1.1.6-0ubuntu1 on precise and this does indeed seem to be fixed.

Also fixed is the related problem with kerberized home directories I described over on bug #914674.

Thanks and keep up the great work!!

Applied the patches on top of lightdm-1.0.6-0ubuntu1.4 in Oneiric. Works great, also with kerberized logins and homes

Thank you!

Hello Allen, or anyone else affected,

Accepted lightdm into oneiric-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in lightdm (Ubuntu Oneiric):
status: Triaged → Fix Committed
tags: added: verification-needed

Hello,

Enabled proposed and installed lightdm for Oneiric from it. It works for strict mode homes (mode 0700) over kerberized NFS.

Cristiano

Allen Belletti (allen-i) wrote :

Hi All, I've changed jobs and no longer have access to the particular configuration which triggered this bug. However, based on the comments of others, I feel fully confident that it's been fixed. Thanks very much; it's great to see things constantly get better!

tags: added: verification-done
removed: verification-needed

Marc Deslauriers (mdeslaur) wrote :

Since the verification is done, I have bundled this in the lightdm security update I have released today. Marking as fix released.

Changed in lightdm (Ubuntu Oneiric):
status: Fix Committed → Fix Released