lightdm no longer runs guest session through wrapper

Bug #1243339 reported by Christian Prim on 2013-10-22
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Light Display Manager
High
Robert Ancell
1.8
High
Robert Ancell
1.9
High
Robert Ancell
lightdm (Ubuntu)
High
Marc Deslauriers
Saucy
High
Marc Deslauriers
Trusty
High
Marc Deslauriers

Bug Description

The LightDM guest session is no longer run with AppArmor.

To reproduce:
1. Boot to Unity Greeter
2. Select "Guest"
3. Open terminal
4. Type 'ls /home'
Expected result:
Unable to see home directories
Observed result:
Able to see home directories

Regression potential:
There is a risk of the guest account being less capable if the AppArmor changes are not correct. The remote login feature also uses AppArmor and should be checked that it works with these changes.

Related branches

lp:~robert-ancell/lightdm/guest-wrapper
Robert Ancell: Approve on 2013-10-30
PS Jenkins bot: Approve (continuous-integration) on 2013-10-30

CVE References

Christian Prim (christian-prim) wrote :
information type: Private Security → Public Security
Marc Deslauriers (mdeslaur) wrote :

I confirm this, it seems the AppArmor profile isn't being applied by lightdm.

Changed in lightdm (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Marc Deslauriers (mdeslaur) wrote :

Looks like create_guest_session() in seat.c is using the session-wrapper config instead of using lightdm-guest-session-wrapper.

Marc Deslauriers (mdeslaur) wrote :

Nothing seems to be honouring the disable-guest-wrapper config item anymore either.

Marc Deslauriers (mdeslaur) wrote :

Enabling the guest account wrapper will likely block guest access to dbus, since the guest AppArmor profile doesn't seem to have been adjusted. We'll probably need to also add the following to data/apparmor/abstractions/lightdm:

  # Allow all DBus communications
  dbus,

Changed in lightdm:
status: New → Confirmed
assignee: nobody → Robert Ancell (robert-ancell)
Changed in lightdm (Ubuntu Saucy):
status: New → Confirmed
importance: Undecided → High
Changed in lightdm (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in lightdm (Ubuntu Saucy):
assignee: nobody → Marc Deslauriers (mdeslaur)
summary: - In guest-session guest has read-access to /home
+ lightdm no longer runs guest session through wrapper

On 2013-10-22 18:46:37, Marc Deslauriers wrote:
> We'll probably need to also add the following to
> data/apparmor/abstractions/lightdm:
>
> # Allow all DBus communications
> dbus,

After giving this some more thought, it is best to include the dbus
abstractions:

  # Allow all DBus communications
  #include <abstractions/dbus>
  #include <abstractions/dbus-session>
  #include <abstractions/dbus-accessibility>

This is needed because <abstractions/dbus> grants access to UNIX domain
socket for the system bus.

Seth Arnold (seth-arnold) wrote :

I was wondering if we even wanted to grant access to the system bus from the confined guest account -- why not just session and accessibility?

Thanks

Marc Deslauriers (mdeslaur) wrote :

I don't believe you can actually run a desktop without accessing the system bus.

Jamie Strandboge (jdstrand) wrote :

I think the approach here is correct for now, especially for this security update-- get the guest account confined with apparmor without dbus mediation (and remember the system bus will have policykit in effect too). This is what we did for other applications in Ubuntu in 13.10; we can examine more strict confinement going forward.

Marc Deslauriers (mdeslaur) wrote :

This is CVE-2013-4459

Marc Deslauriers (mdeslaur) wrote :

bug 1243801 is likely a side effect for the lack of dbus permissions in the AppArmor profile.

Robert Ancell (robert-ancell) wrote :

This is due to a change in lightdm 1.7.5 - the guest wrapper is now configurable and the Ubuntu package was not setting it.

The solution is to add a file into /etc/lightdm/lightdm.conf.d to set this, i.e.:

$ bzr diff
=== added file 'debian/50-guest-wrapper.conf'
--- debian/50-guest-wrapper.conf 1970-01-01 00:00:00 +0000
+++ debian/50-guest-wrapper.conf 2013-10-27 04:36:08 +0000
@@ -0,0 +1,2 @@
+[SeatDefaults]
+guest-wrapper=/usr/lib/lightdm/lightdm/lightdm-greeter-session

=== modified file 'debian/changelog'
--- debian/changelog 2013-10-16 02:54:44 +0000
+++ debian/changelog 2013-10-27 04:36:25 +0000
@@ -1,3 +1,10 @@
+lightdm (1.8.2-0ubuntu1) UNRELEASED; urgency=low
+
+ * debian/50-guest-wrapper.conf:
+ - Configure guest session wrapper to use
+
+ -- Robert Ancell <email address hidden> Sun, 27 Oct 2013 17:34:20 +1300
+
 lightdm (1.8.2-0ubuntu1) saucy; urgency=low

   * New upstream release:

=== modified file 'debian/lightdm.install'
--- debian/lightdm.install 2013-07-16 23:36:16 +0000
+++ debian/lightdm.install 2013-10-27 04:36:08 +0000
@@ -14,3 +14,4 @@
 debian/source_lightdm.py usr/share/apport/package-hooks
 debian/50-xserver-command.conf etc/lightdm/lightdm.conf.d
 debian/50-greeter-wrapper.conf etc/lightdm/lightdm.conf.d
+debian/50-guest-wrapper.conf etc/lightdm/lightdm.conf.d

Robert Ancell (robert-ancell) wrote :

Note that disable-guest-wrapper is no longer supported or required - this was needed when the guest wrapper was hard-coded into LightDM. Now it is configurable the tests can run without this option.

Robert Ancell (robert-ancell) wrote :

Argh, no the intention is to have this configurable. On closer inspection this wasn't implemented. Branch in progress...

Changed in lightdm:
importance: Undecided → High
status: Confirmed → In Progress
Robert Ancell (robert-ancell) wrote :

I have the guest wrapper working in lp:~robert-ancell/lightdm/guest-wrapper but Unity fails to start. Perhaps the AppArmor rule need updating too...

Tyler Hicks (tyhicks) wrote :

The AppArmor abstraction needs some updates due to AppArmor mediation changes that happened in Saucy. I need to do a little more testing with the policy changes and then I'll push an updated branch.

Tyler Hicks (tyhicks) wrote :

I pushed my branch with the AppArmor changes to lp:~tyhicks/lightdm/guest-wrapper-with-apparmor-changes and proposed a merge into Robert's branch.

Tyler Hicks (tyhicks) wrote :

I manually tested the guest session by viewing pages in firefox and chromium-browser, opening libreoffice, printing to a PDF, and viewing the PDF with evince.

I'm not sure how to test the remote sessions. Is that something you could do, Robert?

Robert Ancell (robert-ancell) wrote :

David Barth - can you confirm remote logins work in 13.10 with lp:lightdm?

Le 29/10/2013 10:04, Robert Ancell a écrit :
> That should be lp:~robert-ancell/lightdm/guest-wrapper, not lp:lightdm
Ok, will try that one

PS Jenkins bot (ps-jenkins) wrote :

Fix committed into lp:lightdm at revision 1832, scheduled for release in lightdm, milestone Unknown

Changed in lightdm:
status: In Progress → Fix Committed
Changed in lightdm (Ubuntu Saucy):
status: Confirmed → Triaged
Changed in lightdm (Ubuntu Trusty):
status: Confirmed → Triaged
Changed in lightdm (Ubuntu Trusty):
status: Triaged → In Progress
Changed in lightdm (Ubuntu Saucy):
status: Triaged → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.9.2-0ubuntu1

---------------
lightdm (1.9.2-0ubuntu1) trusty; urgency=low

  * New upstream release:
    - Implement missing guest-wrapper functionality and enable it for Ubuntu.
    - Update AppArmor scripts to work in Ubuntu 13.10.
      (LP: #1243339)
 -- Robert Ancell <email address hidden> Wed, 30 Oct 2013 15:35:23 -0700

Changed in lightdm (Ubuntu Trusty):
status: In Progress → Fix Released
Changed in lightdm:
status: Fix Committed → Fix Released
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.8.4-0ubuntu1

---------------
lightdm (1.8.4-0ubuntu1) saucy-security; urgency=low

  [ Marc Deslauriers ]
  * SECURITY UPDATE: improper guest account confinement (LP: #1243339)
    - CVE-2013-4459

  [ Robert Ancell ]
  * New upstream release:
    - Implement missing guest-wrapper functionality and enable it for Ubuntu.
    - Update AppArmor scripts to work in Ubuntu 13.10. (LP: #1243339)
  * debian/50-guest-wrapper.conf:
    - Configure guest session wrapper to use

lightdm (1.8.3-0ubuntu1) saucy; urgency=low

  * New upstream release:
    - Correctly set $XDG_SESSION_CLASS for greeters. This was regressed in 1.7.5
      for ConsoleKit and was never passed to logind. logind/ConsoleKit treat
      greeter sessions without this set as user sessions. This causes greeters
      to show the lightdm user able to be logged in with.
      (LP: #1242939)
    - Set $USER when running the session-setup-script. This is a regression from
      1.7.5. (LP: #1245957)
    - Fix notification of sessions being logged out. This is a regression from
      1.7.5 and caused greeters to show sessions logged in after they had been
      logged out. (LP: #1245295)
 -- Marc Deslauriers <email address hidden> Mon, 04 Nov 2013 13:35:26 -0500

Changed in lightdm (Ubuntu Saucy):
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers