lightdm xauthority path is wrong

Bug #1339727 reported by Jonathan Reed on 2014-07-09
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
apparmor (Ubuntu) | | Medium | Steve Beattie |
Trusty | | Medium | Unassigned |
Utopic | | Medium | Steve Beattie |

Bug Description

[impact]

This issue prevents X applications from working properly when lightdm is
used as a display manager.

[steps to reproduce]

1) run evince in a desktop session started from lightdm. If this bug has not been addressed, apparmor denials will be seen on the /run/lightdm/$USER/xauthority file in /var/log/syslog.

[regression potential]

The change in the patch for this bug is a slight loosening of
the apparmor policy for X applications. The risk of an introduced
regression is small.

[original description]

The default apparmor 'X' abstraction permits access to /{,var/}run/lightdm/authority/[0-9]*, ostensibly for the xauthority file. Except on Trusty, that's not where the xauthority file is. It is instead in /run/lightdm/$USER, and named "xauthority". I have had to update my apparmor configuration, lest apparmor convince Evince of being a filthy script kiddie, out to corrupt my xauth file.

Please consider adding the following to the 'X' abstraction:

owner /{,var/}run/lightdm/*/xauthority r,

Relevant info:

apparmor:
  Installed: 2.8.95~2430-0ubuntu5
  Candidate: 2.8.95~2430-0ubuntu5
  Version table:
 *** 2.8.95~2430-0ubuntu5 0
        500 http://mirrors.mit.edu/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status
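
An added example, not part of the original report or the apparmor package: it checks AppArmor denial lines against the existing abstraction rule and the proposed `owner` rule, using a small glob-to-regex translation that covers only the syntax in those two rules. The log lines, user names and uids are constructed, and the `owner` check is modelled as fsuid equal to ouid.

```python
import re

# Rules as quoted in the report: the one the X abstraction ships, and the proposed one.
OLD_RULE = "/{,var/}run/lightdm/authority/[0-9]*"
NEW_RULE = "/{,var/}run/lightdm/*/xauthority"   # proposed with the 'owner' qualifier

def aa_glob_to_regex(glob):
    """Translate the AppArmor glob subset used above into an anchored regex."""
    out, i = [], 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):            # '**' may cross '/'
            out.append(".*"); i += 2; continue
        if c == "*":                            # '*' stays inside one path component
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "[":                          # character class passes through
            j = glob.index("]", i); out.append(glob[i:j + 1]); i = j
        elif c == "{":                          # flat alternation, e.g. {,var/}
            j = glob.index("}", i)
            alts = "|".join(re.escape(a) for a in glob[i + 1:j].split(","))
            out.append("(?:" + alts + ")"); i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")

DENIAL = re.compile(r'apparmor="DENIED".*? name="(?P<name>[^"]+)".*?'
                    r'fsuid=(?P<fsuid>\d+) ouid=(?P<ouid>\d+)')

def classify(line):
    """Return (path, old_rule_allows, new_rule_allows) for a denial line, else None."""
    m = DENIAL.search(line)
    if not m:
        return None
    path = m["name"]
    old = bool(aa_glob_to_regex(OLD_RULE).match(path))
    # 'owner' limits the rule to files owned by the uid the process runs as.
    new = bool(aa_glob_to_regex(NEW_RULE).match(path)) and m["fsuid"] == m["ouid"]
    return path, old, new

# Constructed syslog lines for illustration; not copied from the bug report.
_FMT = ('Jul  9 10:00:00 host kernel: [  100.000000] type=1400 audit(1404900000.000:10): '
        'apparmor="DENIED" operation="open" profile="/usr/bin/evince" name="{}" '
        'pid=2345 comm="evince" requested_mask="r" denied_mask="r" fsuid={} ouid={}')
SAMPLE = [_FMT.format("/run/lightdm/alice/xauthority", 1000, 1000),
          _FMT.format("/run/lightdm/bob/xauthority", 1000, 1001),
          _FMT.format("/run/lightdm/alice/tmp/xauthority", 1000, 1000)]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
```

The second and third sample lines stay denied under the proposed rule: one file belongs to a different uid, and in the other `*` does not span the extra directory level.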

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in apparmor (Ubuntu):
status: New → Confirmed
Sergio Gelato (sergio-gelato) wrote :

I had to apply this change already in precise. (The issue affected me because I set [LightDM]user-authority-in-system-dir=true in lightdm.conf.)

Changed in apparmor (Ubuntu):
assignee: nobody → Steve Beattie (sbeattie)
Steve Beattie (sbeattie) on 2014-10-02
Changed in apparmor (Ubuntu):
importance: Undecided → High
status: Confirmed → In Progress
Changed in apparmor (Ubuntu Trusty):
status: New → Triaged
Changed in apparmor (Ubuntu Utopic):
importance: High → Medium
Changed in apparmor (Ubuntu Trusty):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.98-0ubuntu2

---------------
apparmor (2.8.98-0ubuntu2) utopic; urgency=medium

  * Updated to apparmor 2.9.beta4 (aka apparmor 2.8.98)
    - fix logparsing memory leak (LP: #1340927)
    - incorporate fixes to regression testsuite to compensate for
      af_unix mediation, as well as extend test coverage
      (LP: #1375403, LP: #1375516)
    - fix libapparmor's log parsing code to accept additional rejection
      types (LP: #1375413)
    - fix X abstraction for changed lightdm xauthority file locations
      (LP: #1339727)
    - parser: disable downgrade and not enforced rule messages
      by default
    - fix error when using regex profile names in IPC rules
      (LP: #1373085)
    - updates and fixes to the python utilities
    - translation updates

  [ Steve Beattie ]
  * Removed upstreamed patches:
    drop-peer_addr-with-local-addr-in-base.patch,
    update_socketpair_tests_for_af_unix.patch,
    fix_socketpair_tests.patch, sanitized-helpers-updates.patch,
    01-tests-unix_socket_lists.patch,
    02-tests-accept_unix_rules_in_mkprofile.patch,
    03-tests-unix_sockets_v7_pathnames.patch,
    04-tests-migrate_from_poll_to_sockio_timeout.patch,
    05-tests-add_abstract_socket_tests.patch,
    06-tests-use_socketpair_and_none.patch,
    07-parser-fix_local_perms.patch,
    08-phpsysinfo-policy-updates.patch,
    09-apache2-policy-instructions.patch,
    10-lp1371771.patch, 11-lp1371765.patch,
    lp1169881.patch
  * refreshed etc-writable.patch and libapparmor-layout-deb.patch
  * debian/control: add breaks on python3-apparmor against older
    apparmor-utils that used to be where python bits lived
    (LP: #1373259)
  * debian/apport/source_apparmor.py:
   - fixes the apparmor apport hook so it does not raise an exception if
     a non-unicode character is found in /var/log/kern.log or in
     /var/log/syslog. This should work under python3 or python2.7
     (LP: #1304447)
   - adjusts the add_info() function to take the expected additional ui
     argument, though it has no need for it.
   - converts the log parsing code to use with statements so as not to
     leak open file descriptors
   - updates the set of packages to query to see if installed and if so,
     report the version of.
   - adjust import to make pyflakes job easier
   - minor pep8 cleanups

  [ Jamie Strandboge ]
  * add-chromium-browser.patch: don't allow writing to the oom score and
    adjust files since this allows chromium to change the values for any
    process matching our UID
  * debian/apparmor.upstart: check if click-apparmor md5sums changed so we
    regenerate the policy if it changes too (LP: #1371574)
  * debian/apparmor.init: make corresponding upstart change to initscript
  * debian/lib/apparmor/functions: fall back to using -n1 if the parser failed
    to load a profile set. This should be removed when the parser properly
    handles profile sets with corrupted profiles (LP: 1377338)
  * debian/control: fix typo (LP: #1187447)
 -- Steve Beattie <email address hidden> Thu, 09 Oct 2014 22:39:32 -0700

Changed in apparmor (Ubuntu Utopic):
status: In Progress → Fix Released
Steve Beattie (sbeattie) wrote :

Attached is a patch for trusty to address this issue as part of an SRU.

description: updated
Steve Beattie (sbeattie) wrote :

I managed to reproduce this rejection after setting user-authority-in-system-dir=true in lightdm.conf with apparmor 2.8.95~2430-0ubuntu5.1 from trusty-updates. I verified that with apparmor 2.8.95~2430-0ubuntu5.2 in trusty-proposed, the rejection on the Xauthority file no longer appears. Marking verification-done.

tags: added: verification-done
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.95~2430-0ubuntu5.2

---------------
apparmor (2.8.95~2430-0ubuntu5.2) trusty-proposed; urgency=medium

  * debian/patches/php5-Zend_semaphore-lp1401084.patch: allow php5
    abstraction access to Zend opcache files (LP: #1401084)
  * debian/patches/dnsmasq-lxc_networking-lp1403468.patch: update
    profile for lxc support (LP: #1403468)
  * debian/patches/profiles-texlive_font_generation-lp1010909.patch:
    allow generation of texlive fonts by sanitized-helpers
    (LP: #1010909)
  * debian/apport/source_apparmor.py: fix the apparmor apport hook
    so it does not raise an exception if a non-unicode character is
    found in /var/log/kern.log or in /var/log/syslog. This should
    work under python3 or python2.7 (LP: #1304447)
  * debian/patches/profiles-dovecot-updates-lp1296667.patch: update
    dovecot profiles to address several missing permissions.
    (LP: #1296667)
  * debian/patches/profiles-adjust_X_for_lightdm-lp1339727.patch:
    adjust X abstraction for LightDM xauthority location (LP: #1339727)
  * debian/patches/libapparmor-fix_memory_leaks-lp1340927.patch; fix
    memory leaks in log parsing component of libapparmor (LP: #1340927)
  * debian/patches/libapparmor-another_audit_format-lp1399027.patch:
    add support for another log format style (LP: #1399027)
  * debian/patches/tests-workaround_for_unix_socket_change-lp1425398.patch:
    work around apparmor kernel behavioral change in regression tests
    (LP: #1425398)
  * debian/control: add breaks on python3-apparmor against older
    apparmor-utils that used to be where python bits lived
    (LP: #1373259)
  * debian/patches/utils-update_to_2.9.2.patch: update the python
    utilities to the upstream 2.9.2 (LP: #1449769, incorporating a
    large number of fixes and improvements, including:
    - fix aa-genprof traceback with apparmor 2.8.95 (LP: #1294797)
    - fix aa-genprof crashing when selecting scan on Ubuntu 14.04 server
      (LP: #1319829)
    - make aa-logprof read profile instead of program binary
      (LP: #1317176, LP: #1324154)
    - aa-complain: don't traceback when marking multiple profiles
      (LP: #1378095)
    - make python tools able to parse mounts with UTF-8 non-ascii
      characters (LP: #1310598)

 -- Steve Beattie <email address hidden> Thu, 30 Apr 2015 12:18:08 -0700

Changed in apparmor (Ubuntu Trusty):
status: Triaged → Fix Released

The verification of the Stable Release Update for apparmor has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
