chromium-browser fails to start (guest account, OpenVZ): "Failed to move to new PID namespace: Operation not permitted"

Bug #577919 reported by lipstick on 2010-05-09
212
This bug affects 45 people
Affects Status Importance Assigned to Milestone
Chromium Browser
Unknown
Unknown
Light Display Manager
Medium
Unassigned
gdm-guest-session (Ubuntu)
Low
Unassigned
Precise
Undecided
Unassigned
lightdm (Ubuntu)
Medium
Jamie Strandboge
Precise
Undecided
Jamie Strandboge
lightdm-remote-session-freerdp (Ubuntu)
Undecided
Jamie Strandboge
Precise
Undecided
Unassigned
lightdm-remote-session-uccsconfigure (Ubuntu)
Undecided
Jamie Strandboge
Precise
Undecided
Unassigned

Bug Description

Binary package hint: chromium-browser

[Impact]
Chromium-browser does not launch from guest session.

Fix by Jamie Strandboge:
"It would be nice if AppArmor could merge profiles, but we can't yet, so we need to do like you initially did: have two mostly identical profiles. Because the lightdm remote sessions are shipping policy copies, the maintenance cost is getting high. I will be abstracting out the guest rules into abstracations/lightdm and then have a small snippet using a child profile in abstractions/lightdm_chromium-browser. The guest and remote lightdm profiles can just include these and all the policy is in the abstractions. Using a lightdm.d directory is a good idea, but upstream AppArmor is currently discussing how to best handle .d directories like this, and I'd rather not add another one until that discussions is finished."

[Test Case]
1. install chromium-browser
2. login to the guest account
3. login to vt1 or login via ssh as a regular user and verify that the lightdm profile
   is loaded and guest session applications are confined:
$ sudo aa-status
apparmor module is loaded.
...
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
...
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1378)
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1414)
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1417)
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (1418)
...

Note: number of profiles and pids will vary.

4. try to start chromium-browser either via the Dash or a terminal

Prior to upgrading, chromium-browser will fail to start with:
Failed to move to new PID namespace: Operation not permitted

After upgrading, the guest session should be functional and chromium-browser should start. In addition, aa-status should report a child profile for chromium-browser and chromium-browser should be under that confinement with other guest session applications under the lightdm-guest-session-wrapper confinement:
$ sudo aa-status
apparmor module is loaded.
...
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser
...
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (2667)
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (2672)
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper (2682)
...
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3090)
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3092)
   /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium_browser (3093)
...

[Regression Potential]
As mentioned in the Impact, the apparmor profile for lightdm has necessarily been broken out into multiple parts. As such, there is potential that the guest session profile won't
work correctly, however, this is easily seen in the test cases and these changes have been in place since 12.10.

[Other Info]
Attached is a debdiff for 12.04. It:
 - adds debian/patches/05_lp577919-fix-chromium-launch.patch which is the same as
   debian/patches/09_lp577919-fix-chromium-launch.patch from quantal, except it a)
   does not include the fix for bug #1059510, which is uneeded on precise and b)
   includes the fix for bug #1189948 to install the abstractions with the correct
   permissions
 - additionally, debian/lightdm.postinst is updated to reload the apparmor profile
   on upgrade to this version of lightdm. The code in question uses the same logic
   as dh_apparmor, and I'm not sure why lightdm doesn't use dh_apparmor. Rather than
   making several packaging changes to use dh_apparmor, I chose this option to reduce
   change.

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: chromium-browser 5.0.342.9~r43360-0ubuntu2
ProcVersionSignature: Ubuntu 2.6.32-22.33-generic 2.6.32.11+drm33.2
Uname: Linux 2.6.32-22-generic i686
Architecture: i386
Date: Sun May 9 19:49:44 2010
InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta i386 (20100318)
ProcEnviron:
 LANG=tr_TR.utf8
 SHELL=/bin/bash
SourcePackage: chromium-browser

lipstick (sinanaykut-gmail) wrote :

What is the error?

Ian McMichael (ian-sigma-uk) wrote :

I have also noticed this issue in guest sessions on the Lucid 32-bit Desktop installation. When attempting to run Chromium from a terminal the following output is given:

guest@custard:~$ chromium-browser
Failed to move to new PID namespace: Operation not permitted

The only workaround I have found so far is to re-install Firefox for guest session browsing. If you need any more information, please just ask.

Adam Langley (agl-chromium) wrote :

I assume that guest accounts can't run SUID binaries? Can you, for example, run ping?

SUID binaries are important for our default sandbox and I don't wish to encourage anyone to run without the sandbox enabled. We have another sandboxing technique in development, but it runs in conjunction with the SUID sandbox at the moment, not as an alternative. Over the long term we hope to retire the SUID one, but that won't happen soon.

In short, I believe that Firefox is probably the answer here for now. If this becomes a significant issue for many people then we could consider bodging it.

Ian McMichael (ian-sigma-uk) wrote :

It might be worth some further consideration if Chromium becomes the default browser in Maverick (10.10). However, you guessed correctly as here is the output of a ping:

guest@custard:~$ ping www.google.com
ping: icmp open socket: Permission denied

Marc Deslauriers (mdeslaur) wrote :

Reassigning to the gdm-guest-session package as the apparmor profile in that package is probably what is blocking this.

affects: chromium-browser (Ubuntu) → gdm-guest-session (Ubuntu)
tags: added: apparmor
Changed in gdm-guest-session (Ubuntu):
status: New → Confirmed
importance: Undecided → Low
Chris Williams (psion) wrote :

This also seems to occur when running Chromium under an OpenVZ container -- not because suid is disallowed, but presumably because of some related priviledge used for the sandboxing..

John Baptist (jepst79) wrote :

The apparmor-caused issue of Guest account not being able to run suid programs is actually farther-reaching. Beyond chromium, ping, virtualbox, and other programs that require suid binaries. gksudo doesn't work, which means that most of the items on the System|Administration menu fail with no error message. For example, the guest user selects System|Administration|Synaptic, and nothing happens. Perhaps apparmor could display a friendly GUI error message, or perhaps gksudo could be called through a wrapper that presents a friendly GUI error message?

Daniel Hahler (blueyed) wrote :

It is happening (suddenly) in OpenVZ for me, too, after having updated the OpenVZ kernel (linux-image-openvz-amd64 2.6.32+28 from Debian testing) and chromium-browser itself (chromium-browser 6.0.472.36~r55963-0ubuntu1~ucd1~hardy).

The workaround appears to be using "--no-sandbox".
Unfortunately this adds a warning/note during startup and is therefore not a good solution for my use case (browsershots.org instances).

Daniel Hahler (blueyed) wrote :

@Chris:
1. Are you using the OpenVZ kernel from Ubuntu Hardy?
2. What chromium-browser package are you using?

Changed in openvz-kernel:
status: New → Confirmed
summary: - chromium-browser can't open when the guest account is activated
+ chromium-browser fails to start (guest account, OpenVZ): "Failed to move
+ to new PID namespace: Operation not permitted"

This comment suggests a workaround:
  http://code.google.com/p/chromium/issues/detail?id=31077#c11

Since failure to move to a new PID namespace means you're no longer protected by the sandbox, we're reluctant to make it convenient to start in such a configuration.

Chris Williams (psion) wrote :

@Daniel, I am currently using a custom kernel 2.6.32.14 compiled from openvz-belyayev. The host is 64-bit Lucid, the guest 32-bit Lucid. I just retested using the latest from the Lucid repository, chromium-browser_5.0.375.125~r53311-0ubuntu0.10.04.1_i386, with the same results.

Daniel Hahler (blueyed) wrote :

Thanks, Evan, I have used the following now to make it work:
    dpkg-divert --add --rename --divert /usr/lib/chromium-browser/chromium-browser-sandbox.real /usr/lib/chromium-browser/chromium-browser-sandbox

@Chris: I'm just wondering if it's Chromium 6 or the kernel upgrade which triggered this for me.. I guess it's chromium though.

We have an upstream bug about this here:
  http://code.google.com/p/chromium/issues/detail?id=62248

Note that removing the sandbox makes Chromium on a guest account *less secure* than Chromium in a normal account.
A sandboxed Chromium does all of the page processing (HTML interpretation, running JavaScript) in a process that doesn't have access to the network or disk; by contrast, an apparmor-wrapper Chromium without a sandbox runs all of that at the same privilege as a normal app.

Mikko Rantalainen (mira) wrote :

Would it be possible for chrome/chromium package to include an apparmour config that says that chrome suid binary is ok even when run from inside the guest account? (I don't know the limits of apparmour configuration.)

Jamie Strandboge (jdstrand) wrote :

Yes it is possible. You specify a child profile in gdm-guest-session for chromium and transition to it when executing the binary.

Arnaud Vallat (rnoway) wrote :

Hello,

is there any follow up on this bug? I'm facing the same problem within a gdm guest session while launching google chrome.

Is it possible to have a pass-through profile for google-chrome within the gdm-guest-session. I mean a sub profile having with no rule only for google-chrome?

Regards

Daniel Hahler (blueyed) wrote :

Works for me using
1. Google Chrome 8 (8.0.552.237) and
2. OpenVZ kernel from Debian Squeeze (linux-image-2.6.32-5+blueyed.1-openvz-amd64 2.6.32-31blueyed.1 - I have just applied a custom config).

The hardware node and the containers are running Debian Squeeze (basically).

Arnaud Vallat (rnoway) wrote :

Thanks for the reply Daniel.

I would like to know if it's possible to have a sub profile for a specific executable which has no policy?

CPKS (c-1) wrote :

Confirm that chromium-browser won't run in a guest session under 11.10. Same old problem: "Failed to move to new PID namespace: Operation not permitted" - whereupon it hangs.

Dave Vree (hdave) wrote :

Confirm this is still a problem in 12.04.

Colan Schwartz (colan) on 2012-04-24
tags: added: amd64 oneiric precise
Speranskiy (sprnza) wrote :

Ubuntu 12.04 i386 it still here.

jeremiejig (jeremiejig) wrote :

First of all I apologize for my possible bad english.

Well I have the same problem and found some more information :

Description: Ubuntu 12:04:1 LTS
Release: 12.04
x86_64

When I look at my syslog file I found this line :

Aug 27 16:47:53 kernel: type=1400 audit(1346078873.846:2503): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper" name="/proc/3574/oom_score_adj" pid=3574 comm="chromium-browse" requested_mask="wc" denied_mask="wc" fsuid=119 ouid=119
Aug 27 16:47:53 kernel: type=1400 audit(1346078873.846:2504): apparmor="DENIED" operation="capable" parent=3574 profile="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper" pid=3578 comm="chromium-browse" capability=21 capname="sys_admin"

Also when launching chromiun in a shell I get this error :
Failed to move to new PID namespace: Operation not permitted

When I try to fix this error by creating a child profile in apparmor I'm now with this error :
Failed to determine real pocess id of new "init" process

the new syslog :

Aug 27 23:03:29 kernel: [206330.553415] type=1400 audit(1346101409.730:6150): apparmor="DENIED" operation="open" parent=9565 profile="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium" name="/proc/9854/oom_score_adj" pid=9854 comm="chromium-browse" requested_mask="wc" denied_mask="wc" fsuid=119 ouid=119
Aug 27 23:03:29 kernel: [206330.556458] type=1400 audit(1346101409.734:6151): apparmor="DENIED" operation="open" parent=1 profile="/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper//chromium" name="/proc/9859/status" pid=9859 comm="chromium-browse" requested_mask="r" denied_mask="r" fsuid=119 ouid=0

I'm still working around but due to the lack of information on apparmor profile it's a little hard.
In attachment the profile I last use as an attempt to fix the bug.

jeremiejig (jeremiejig) on 2012-08-27
Changed in gdm-guest-session (Ubuntu):
assignee: nobody → jeremiejig (pauljiang)
jeremiejig (jeremiejig) wrote :

Bug fix with the profile in attachment.

You can fix the bug by replacing the file /etc/apparmor.d/lightdm-guest-session by the one in attachment.

But I don't know how to fix it in the package of lightdm (seem to be a file provide by lightdm package)

Also before using my file as a way of fixing the bug I think we have to write the config file in a more appropriate way.

Changed in gdm-guest-session (Ubuntu):
assignee: jeremiejig (pauljiang) → nobody

The attachment "apparmor profile for guest-session fixed for chromium launch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-reviewers team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

jeremiejig (jeremiejig) wrote :

Because to fix the bug it seems like to be a modification of the file /etc/apparmor.d/lightdm-guest-session provide by this package.

affects: lightdm → lightdm (Ubuntu)
Changed in lightdm (Ubuntu):
status: New → Confirmed
jeremiejig (jeremiejig) on 2012-08-28
Changed in lightdm (Ubuntu):
status: New → Confirmed
jeremiejig (jeremiejig) on 2012-08-28
Changed in lightdm (Ubuntu):
assignee: nobody → jeremiejig (pauljiang)
status: Confirmed → In Progress
affects: lightdm (Ubuntu) → lightdm
jeremiejig (jeremiejig) wrote :

Well I work with some profile provide by the apparmor-profiles packages and succeed to fix the bug with separate file.

the archive as the following content :

drwxrwxr-x 0 2012-08-28 23:52 lightdm_chromium_fix/
-rw-rw-r-- 35978 2012-08-28 23:52 lightdm_chromium_fix/apparmor-profiles_2.7.102-0ubuntu3.1_all.deb
drwxrwxr-x 0 2012-08-28 23:40 lightdm_chromium_fix/etc/
drwxrwxr-x 0 2012-08-28 23:46 lightdm_chromium_fix/etc/apparmor.d/
drwxr-xr-x 0 2012-08-28 23:49 lightdm_chromium_fix/etc/apparmor.d/lightdm-guest-session.d/
-rw-r--r-- 3258 2012-08-28 23:42 lightdm_chromium_fix/etc/apparmor.d/lightdm-guest-session.d/java
-rw-r--r-- 6499 2012-08-28 23:49 lightdm_chromium_fix/etc/apparmor.d/lightdm-guest-session.d/usr.bin.chromium-browser
-rw-r--r-- 1863 2012-08-28 23:46 lightdm_chromium_fix/etc/apparmor.d/lightdm-guest-session
-rw-rw-r-- 98446 2012-08-28 23:52 lightdm_chromium_fix/lightdm_1.2.1-0ubuntu1.1_amd64.deb

the two .deb has some file I worked with.

the folder lightdm_chromium_fix has all file required to fix the bug.

But the file java is just here because of his presence in apparmor-profiles and doesn't do annything. It's just that I wanted to get it worked because of his presence.

With the hope to be clear.

PS: I don't know what status to put now.

Changed in lightdm:
assignee: jeremiejig (pauljiang) → nobody
Ruben Grimm (pmk1c) wrote :

I hope that the patch gets into 12.10 since Chromium is the default in Lubuntu and arguable the browser is the most important application to use as a guest user. I had to install Firefox just for guests.

Changed in lightdm (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in lightdm (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: Confirmed → In Progress
Changed in lightdm-remote-session-uccsconfigure (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Triaged
Changed in lightdm-remote-session-freerdp (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → Triaged
Jamie Strandboge (jdstrand) wrote :

jeremiejig, thanks for your work on this. I think I am going to solve it in a different way however. It would be nice if AppArmor could merge profiles, but we can't yet, so we need to do like you initially did: have two mostly identical profiles. Because the lightdm remote sessions are shipping policy copies, the maintenance cost is getting high. I will be abstracting out the guest rules into abstracations/lightdm and then have a small snippet using a child profile in abstractions/lightdm_chromium-browser. The guest and remote lightdm profiles can just include these and all the policy is in the abstractions. Using a lightdm.d directory is a good idea, but upstream AppArmor is currently discussing how to best handle .d directories like this, and I'd rather not add another one until that discussions is finished.

Changed in lightdm-remote-session-freerdp (Ubuntu):
status: Triaged → In Progress
Changed in lightdm-remote-session-uccsconfigure (Ubuntu):
status: Triaged → In Progress
Changed in lightdm (Ubuntu):
status: In Progress → Fix Committed
Changed in lightdm-remote-session-freerdp (Ubuntu):
status: In Progress → Fix Committed
Changed in lightdm-remote-session-uccsconfigure (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.3.3-0ubuntu5

---------------
lightdm (1.3.3-0ubuntu5) quantal; urgency=low

  * debian/patches/08_lp1059510.patch: allow owner 'rw' access to
    /{,var/}run/user/guest-*/dconf/user. Also allow owner writes to sockets in
    /{,var/}run/user/guest-*/keyring-*/. (LP: #1059510)
  * debian/patches/09_lp577919-fix-chromium-launch.patch: allow launch of
    chromium-browser from guest session. (LP: #577919)
 -- Jamie Strandboge <email address hidden> Mon, 01 Oct 2012 10:15:51 -0500

Changed in lightdm (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm-remote-session-freerdp - 1.0-0ubuntu2

---------------
lightdm-remote-session-freerdp (1.0-0ubuntu2) quantal; urgency=low

  * use lightdm's AppArmor abstractions which pulls in fixes for LP: #577919
    and LP: #1059510
    - debian/control: use version Recommends on lightdm >= 1.3.3-0ubuntu5
      since it is the first to supply AppArmor abstractions
    - debian/patches/01_use-lightdm-apparmor-abstraction.patch: use lightdm's
      abstractions
 -- Jamie Strandboge <email address hidden> Mon, 01 Oct 2012 13:00:31 -0500

Changed in lightdm-remote-session-freerdp (Ubuntu):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm-remote-session-uccsconfigure - 1.1-0ubuntu2

---------------
lightdm-remote-session-uccsconfigure (1.1-0ubuntu2) quantal; urgency=low

  * use lightdm's AppArmor abstractions which pulls in fixes for LP: #577919
    and LP: #1059510
    - debian/control: use version Recommends on lightdm >= 1.3.3-0ubuntu5
      since it is the first to supply AppArmor abstractions
    - debian/patches/01_use-lightdm-apparmor-abstraction.patch: use lightdm's
      abstractions
 -- Jamie Strandboge <email address hidden> Mon, 01 Oct 2012 13:52:20 -0500

Changed in lightdm-remote-session-uccsconfigure (Ubuntu):
status: Fix Committed → Fix Released

As of today (October 6) the bug still exists here on my ubuntu 12.04.1 amd64 fully updated

jeremiejig (jeremiejig) wrote :

well that's normal because the bug was fixed and release for quantal version only.

zzecool (zzecool) wrote :

No its not normal because the bug exist in Quantal as well.... I just found this bug report because i faced the problem in Quantal some minutes ago

jeremiejig (jeremiejig) wrote :

Okay, so I install a fresh new install of Quantal on a VM for test.

I install chromium-browser, launch a guest-session, try to launch chromium-browser in the guest-session and it's working.

I don't that there are not some bug remaining, but as for me the program start and is usable.

Hendrik Knackstedt (hennekn) wrote :

Will this fix be released for Precise?

In theory if a system has support it should be released..
El 24/11/2012 14:10, "Hendrik Knackstedt" <email address hidden>
escribió:

> Will this fix be released for Precise?
>
> --
> You received this bug notification because you are subscribed to a
> duplicate bug report (924959).
> https://bugs.launchpad.net/bugs/577919
>
> Title:
> chromium-browser fails to start (guest account, OpenVZ): "Failed to
> move to new PID namespace: Operation not permitted"
>
> Status in Chromium Browser:
> Unknown
> Status in Light Display Manager:
> In Progress
> Status in OpenVZ kernel (patchset):
> Confirmed
> Status in “gdm-guest-session” package in Ubuntu:
> Confirmed
> Status in “lightdm” package in Ubuntu:
> Fix Released
> Status in “lightdm-remote-session-freerdp” package in Ubuntu:
> Fix Released
> Status in “lightdm-remote-session-uccsconfigure” package in Ubuntu:
> Fix Released
>
> Bug description:
> Binary package hint: chromium-browser
>
> When i opened my guest account to let my friend to use the computer,
> he couldn't run chromium-browser.
>
> But it works ok when my user account is activated
>
> ProblemType: Bug
> DistroRelease: Ubuntu 10.04
> Package: chromium-browser 5.0.342.9~r43360-0ubuntu2
> ProcVersionSignature: Ubuntu 2.6.32-22.33-generic 2.6.32.11+drm33.2
> Uname: Linux 2.6.32-22-generic i686
> Architecture: i386
> Date: Sun May 9 19:49:44 2010
> InstallationMedia: Ubuntu 10.04 "Lucid Lynx" - Beta i386 (20100318)
> ProcEnviron:
> LANG=tr_TR.utf8
> SHELL=/bin/bash
> SourcePackage: chromium-browser
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/chromium-browser/+bug/577919/+subscriptions
>

Changed in lightdm:
status: In Progress → Triaged
importance: Undecided → Medium
Changed in lightdm:
status: Triaged → Fix Committed

same problem here, i'm using google chrome stable and when i try to open as guest it does nothing, and when i try to open from console it says "Failed to move to new PID namespace: Operation not permitted" please fix it soon as possible, people are using my account to browse web, and no i won't use firefucks

Robert Ancell (robert-ancell) wrote :

Fixed in lightdm 1.5.1

Changed in lightdm:
status: Fix Committed → Fix Released
description: updated
Hendrik Knackstedt (hennekn) wrote :

Jamie, could you please upload your fix to precise-proposed?

tags: added: verification-needed

Chormium works on 12.10 (previous version don't), and I'm happy :)
Thank you very much!

Nevyn (nevynh) wrote :

Long term support?!? Be nice for this fix to be applied to Precise.... Will probably end up using jeremiejig's fix for the time being (1,600 machines. Don't want to have to remove apparmor).

hamish (hamish-b) wrote :

> Be nice for this fix to be applied to Precise....

ping

Tal Liron (emblem-parade) wrote :

Can this fix *please* be backported to Precise?

We follow the Ubuntu recommendations in using LTS releases for our large computer, but we are hurting right now because we are unable to offer Google Chrome to our guest users.

This is a major bug! It breaks one of the most commonly used programs in Ubuntu.

Jay Morgan (morganjayp) wrote :

Trying to use Ubuntu as a Kiosk platform. 13.04 doesn't work because the video is borked on our netbooks without nomodeset, which destroys the performance. I'd use 12.04 LTS, but Firefox doesn't work as guest on any version of ubuntu because it doesn't support proxy env vars. And on the LTS version... THIS? Is there a single version of Ubuntu that doesn't have a major show-stopping bug? Particularly with the ability to browse the internet? How can this be such a "low" priority when internet browsing is pretty much the whole point of the guest account? In this day, what function of the computer is more important than the internet browser? I don't want to admit that Windows ThinPC is a better kiosk platform than Ubuntu. But right now it is the only thing we can get working, and it is easy-peasy, where-as I've wasted close to two weeks trying to build a viable Ubuntu option, seemingly a simple task, due to all of these bugs...

Changed in lightdm (Ubuntu Precise):
assignee: nobody → Jamie Strandboge (jdstrand)
status: New → In Progress
Changed in lightdm-remote-session-freerdp (Ubuntu Precise):
status: New → Invalid
Changed in lightdm-remote-session-uccsconfigure (Ubuntu Precise):
status: New → Invalid
Jamie Strandboge (jdstrand) wrote :
description: updated
Changed in gdm-guest-session (Ubuntu Precise):
status: New → Won't Fix
description: updated
Jamie Strandboge (jdstrand) wrote :

Uploaded 1.2.3-0ubuntu2.2 to precise-proposed. It will be available in precise-proposed once ubuntu-sru reviews and approves it.

Hello lipstick, or anyone else affected,

Accepted lightdm into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lightdm/1.2.3-0ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lightdm (Ubuntu Precise):
status: In Progress → Fix Committed
Hendrik Knackstedt (hennekn) wrote :

The patch in -proposed fixes the problem for me on Lubuntu 12.04. Can launch and use Chromium in guest session without problems now.

Hendrik Knackstedt (hennekn) wrote :

The version I tested is from -proposed, so it should be 1.2.3-0ubuntu2.2 according to apt.

tags: added: verification-done
removed: verification-needed

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.2.3-0ubuntu2.2

---------------
lightdm (1.2.3-0ubuntu2.2) precise-proposed; urgency=low

  * debian/patches/05_lp577919-fix-chromium-launch.patch: allow launch of
    chromium-browser from guest session. (LP: #577919)
  * debian/lightdm.postinst: reload apparmor profile on upgrade
 -- Jamie Strandboge <email address hidden> Tue, 11 Jun 2013 11:11:42 -0500

Changed in lightdm (Ubuntu Precise):
status: Fix Committed → Fix Released
hamish (hamish-b) wrote :

Hi,

I just noticed in the new changelog.gz that this was fixed in the earlier upgrade, yay!

thanks very much,
Hamish

... now about all those zombies ...? :)

Dan Kegel (dank) wrote :

Uh-oh. I'm seeing this again with lightdm 1.6.0-0ubuntu3 on ubuntu 13.04 guest sessions
with Google Chrome 28.0.1500.95. Perhaps the bug is back in a slightly new form?

Jamie Strandboge (jdstrand) wrote :

@Dan

Can you report a new bug using 'ubuntu-bug apparmor' after using the guest session and testing chromium?

auspex (auspex) wrote :

AND on 13.10. Four years, and nobody gives a damn about making it REALLY work.

So, what you're saying is "we introduced a "guest" login, but we don't really want it to be able to do anything (who on earth suggested "Firefox" was a reasonable workaround?).

So, I have a workaround. Forget about every using the "Guest" account. Create an a real user account, and remove the password. It's surely less secure, but it can actually do real work.

Marc Deslauriers (mdeslaur) wrote :

@auspex: could you please file a new bug about the problem you're seeing, so we can actually debug it? Chromium works fine for me in the guest account in 13.10, and this bug was fixed almost a year ago. If you're having issues with Chromium in the 13.10 guest account, it's an unrelated issue.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.