[MIR] gdm3

Since this was in main previously, I don't see any reason to really block it, but it still ought to have some review by the Security team given the obvious security history for gdm and being a login manager.

I'm just getting started and thought I'd give some early feedback. There appears to be a lot more noise in the build logs than usual:

- 88 cases of "deprecation warning"
- chown and chmod errors in the build logs (below)
- lintian error and warning:
  E: gdm3 source: missing-build-dependency-for-dh_-command dh_autoreconf => dh-autoreconf
  W: gdm3 source: newer-standards-version 3.9.8 (current is 3.9.7)
- chmod/chown in debian/: WARNING:
  debian/gdm3.postinst:chown -R gdm:gdm /var/lib/gdm3
- /bin/sh as shell in debian/: WARNING:
  debian/gdm3.prerm:#!/bin/bash
- dh: unable to load addon gnome: Can't locate Debian/Debhelper/Sequence/gnome.pm in @INC (you may need to install the Debian::Debhelper::Sequence::gnome module) (@INC contains: /etc/perl /usr/local/lib/x86_64-linux-gnu/perl/5.22.1 /usr/local/share/perl/5.22.1 /usr/lib/x86_64-linux-gnu/perl5/5.22 /usr/share/perl5 /usr/lib/x86_64-linux-gnu/perl/5.22 /usr/share/perl/5.22 /usr/local/lib/site_perl /usr/lib/x86_64-linux-gnu/perl-base .) at (eval 13) line 2.

And the chown/chmod errors from the build logs:

if test '!' -d /<<PKGBUILDDIR>>/debian/tmp/var/run/gdm3; then \
        /bin/bash /<<PKGBUILDDIR>>/install-sh -d /<<PKGBUILDDIR>>/debian/tmp/var/run/gdm3; \
        chmod 0711 /<<PKGBUILDDIR>>/debian/tmp/var/run/gdm3; \
        chown root:gdm /<<PKGBUILDDIR>>/debian/tmp/var/run/gdm3 || : ; \
fi
chown: invalid group: â<80><98>root:gdmâ<80><99>
if test -n "gdm.service" -a '!' -d /<<PKGBUILDDIR>>/debian/tmp/lib/systemd/system; then \
        /bin/bash /<<PKGBUILDDIR>>/install-sh -d /<<PKGBUILDDIR>>/debian/tmp/lib/systemd/system; \
        chmod 0755 /<<PKGBUILDDIR>>/debian/tmp/lib/systemd/system; \
        chown root:root /<<PKGBUILDDIR>>/debian/tmp/lib/systemd/system || : ; \
        /usr/bin/install -c -m 644 ./gdm.service /<<PKGBUILDDIR>>/debian/tmp/lib/systemd/system/gdm.service; \
fi
if test '!' -d /<<PKGBUILDDIR>>/debian/tmp/var/run/gdm3/greeter; then \
        /bin/bash /<<PKGBUILDDIR>>/install-sh -d /<<PKGBUILDDIR>>/debian/tmp/var/run/gdm3/greeter; \
        chmod 0755 /<<PKGBUILDDIR>>/debian/tmp/var/run/gdm3/greeter; \
        chown gdm:gdm /<<PKGBUILDDIR>>/debian/tmp/var/run/gdm3/greeter || : ; \
fi
chown: invalid user: â<80><98>gdm:gdmâ<80><99>
if test '!' -d /<<PKGBUILDDIR>>/debian/tmp/var/lib/gdm3; then \
        /bin/bash /<<PKGBUILDDIR>>/install-sh -d /<<PKGBUILDDIR>>/debian/tmp/var/lib/gdm3; \
        chmod 1770 /<<PKGBUILDDIR>>/debian/tmp/var/lib/gdm3; \
        chown root:gdm /<<PKGBUILDDIR>>/debian/tmp/var/lib/gdm3 || : ; \
fi
chown: invalid group: â<80><98>root:gdmâ<80><99>
if test '!' -d /<<PKGBUILDDIR>>/debian/tmp/var/lib/gdm3/.local/share/applications; then \
        /bin/bash /<<PKGBUILDDIR>>/install-sh -d /<<PKGBUILDDIR>>/debian/tmp/var/lib/gdm3/.local/share/applications; \
        chmod 0755 /<<PKGBUILDDIR>>/debian/tmp/var/lib/gdm3/.local/share/applications; \
        chown gdm:gdm /<<PKGBUILDDIR>>/debian/tmp/var/lib/gdm3/.local/share/applications || : ; \
fi
chown: invalid user: â<80><98>gdm:gdmâ<80><99>
if test '!' -d /<<PKGBUILDDIR>>/debian/tmp/var/cache/gdm; then \
        /bin/bash /<<PKGBUILDDIR>>/install-sh -d /<<PKGBUILDDIR>>/debian/tmp/var/cach...

Seth, some of your lintian warnings are because you are using an old version of lintian. I don't get any lintian warnings here. 'bash' is Essential so I'm not sure why a script that specifies /bin/bash would be an issue.

I filed these bugs upstream:
https://bugzilla.gnome.org/783079 (chown)
https://bugzilla.gnome.org/783080
https://bugzilla.gnome.org/783081
https://bugzilla.gnome.org/783082

I'm setting to Incomplete and unassigning Ubuntu Security for now since Robert got a basic gnome-shell working without gdm's gir. The Desktop Team will see what happens with the work on having lightdm fully support gnome-shell (LP: #1694962) to determine whether this MIR will still be needed.

It's my understanding that gdm is required to start gnome-shell with wayland. I'm guessing "having lightdm fully support gnome-shell" will include wayland support?

lightdm does support GNOME on Wayland. It doesn't currently work on a default Ubuntu (Unity) 17.04 install because of LP: #1632772 but that was "fixed" in 17.10 by removing unity8 from the archives. (You're welcome to remove unity8 from your computer as a workaround.)

I've re-assigned it to security to get the wheels turning again. Turns out robert's gnome-shell upload didn't completely work without libgdm1 installed. libgdm1 provides gsettings schema that gnome-shell requires.

Status changed to 'Confirmed' because the bug affects multiple users.

Guys?

Hi Iain, this has not been forgotten, but keeps being superseded with other work.

Thanks

Since the decision to use gdm3 has been publicly announced, the Security Team does not want to hold up gdm3 from being promoted to main. The security review will continue and the results will be documented here (with additional bugs filed upstream as necessary) when complete. Meanwhile, gdm3 can move to main.

As Mathieu is currently on holidays and security +1 it, let's get that moved so that it can be seeded in tomorrow's image. Handling the promotion.

Override component to main
gdm3 3.24.2-1ubuntu3 in artful: universe/gnome -> main
gdm3 3.24.2-1ubuntu3 in artful amd64: universe/gnome/optional/100% -> main
gdm3 3.24.2-1ubuntu3 in artful arm64: universe/gnome/optional/100% -> main
gdm3 3.24.2-1ubuntu3 in artful armhf: universe/gnome/optional/100% -> main
gdm3 3.24.2-1ubuntu3 in artful i386: universe/gnome/optional/100% -> main
gdm3 3.24.2-1ubuntu3 in artful ppc64el: universe/gnome/optional/100% -> main
gdm3 3.24.2-1ubuntu3 in artful s390x: universe/gnome/optional/100% -> main
gir1.2-gdm-1.0 3.24.2-1ubuntu3 in artful amd64: universe/introspection/optional/100% -> main
gir1.2-gdm-1.0 3.24.2-1ubuntu3 in artful arm64: universe/introspection/optional/100% -> main
gir1.2-gdm-1.0 3.24.2-1ubuntu3 in artful armhf: universe/introspection/optional/100% -> main
gir1.2-gdm-1.0 3.24.2-1ubuntu3 in artful i386: universe/introspection/optional/100% -> main
gir1.2-gdm-1.0 3.24.2-1ubuntu3 in artful ppc64el: universe/introspection/optional/100% -> main
gir1.2-gdm-1.0 3.24.2-1ubuntu3 in artful s390x: universe/introspection/optional/100% -> main
libgdm-dev 3.24.2-1ubuntu3 in artful amd64: universe/libdevel/optional/100% -> main
libgdm-dev 3.24.2-1ubuntu3 in artful arm64: universe/libdevel/optional/100% -> main
libgdm-dev 3.24.2-1ubuntu3 in artful armhf: universe/libdevel/optional/100% -> main
libgdm-dev 3.24.2-1ubuntu3 in artful i386: universe/libdevel/optional/100% -> main
libgdm-dev 3.24.2-1ubuntu3 in artful ppc64el: universe/libdevel/optional/100% -> main
libgdm-dev 3.24.2-1ubuntu3 in artful s390x: universe/libdevel/optional/100% -> main
libgdm1 3.24.2-1ubuntu3 in artful amd64: universe/libs/optional/100% -> main
libgdm1 3.24.2-1ubuntu3 in artful arm64: universe/libs/optional/100% -> main
libgdm1 3.24.2-1ubuntu3 in artful armhf: universe/libs/optional/100% -> main
libgdm1 3.24.2-1ubuntu3 in artful i386: universe/libs/optional/100% -> main
libgdm1 3.24.2-1ubuntu3 in artful ppc64el: universe/libs/optional/100% -> main
libgdm1 3.24.2-1ubuntu3 in artful s390x: universe/libs/optional/100% -> main
Override [y|N]? y
25 publications overridden.

I reviewed gdm3 version 3.24.2-1ubuntu2 as checked into artful. This
should not be considered a full security audit but a quick gauge of
maintainability.

UCT has two CVEs: first, holding esc key allowed bypassing the lock screen.
Second, one REJECTed CVE that was assigned for the usual "desktop visible
shortly after suspend" issue that for some reason everyone is affected by
all the time. (It may not be user-friendly but locking before suspending
is the usual Linux way to make sure it's locked when re-waking.)

- gdm3 is a login/lock display manager
- Build-Depends: gnome-pkg-tools, debhelper, dconf-cli, intltool,
  libdbus-glib-1-dev, libglib2.0-dev, libgtk-3-dev, libpango1.0-dev,
  libcanberra-gtk3-dev, libfontconfig1-dev, libaccountsservice-dev,
  gnome-settings-daemon-dev, gnome-settings-daemon, libnss3-dev,
  libxcb1-dev, libx11-dev, libxau-dev, libxt-dev, libxext-dev, check,
  libgirepository1.0-dev, gobject-introspection, libpam0g-dev,
  libkeyutils-dev, libxdmcp-dev, libwrap0-dev, libxft-dev, libxi-dev,
  libxinerama-dev, libplymouth-dev plymouth-dev, yelp-tools,
  libselinux1-dev, libattr1-dev, iso-codes, libaudit-dev, docbook-xml,
  gsettings-desktop-schemas, libsystemd-dev, xserver-xorg-dev
- Does not itself do encryption
- Appears it still supports xdmcp
- pre-inst file deletes /etc/pam.d/gdm-launch-environment if upgrading
  from 3.10.0.1-3~ or earlier
- pre-rm file has very involved script to manage debconf and systemd
  service files
- post-inst file has involved script to add gdm group and user, manage
  debconf, systemd service files, convert gsettings to gconf, and restart
  gdm3 via invoke-rc.d
- post-rm file removes init scripts, /etc files, /var/*/gdm3 directories,
  gdm user, gdm group, and manages debconf
- initscript starts systemd logind, rebuilds configuration, uses
  start-stop-daemon to run gdm3
- systemd unit checks with /etc/X11/default-display-manager before
  running, loads in the environment from /etc/default/locale
- Fairly complicated dbus interfaces
- No setuid executables
- gdm-screenshot gdm3 and gdmflexiserver executables in the PATH
- No sudo fragments
- No udev rules

- Processes spawned extensively via glib wrappers. I didn't see any cases
  of unsafe data being mishandled but the amount of extra overhead in each
  execution is surprising.
- Memory management looked careful if wasteful.
- File management may suffer from leaky abstractions: e.g.
  create_auth_file() uses g_open() on the results of g_build_filename(),
  g_mkdir_with_parents(), and g_get_user_runtime_dir(), which doesn't have
  any error checking on most of these calls. (There's also no O_EXCL,
  O_NONBLOCK, O_NOCTTY, O_NOFOLLOW; I don't know if any of these would fit
  in the threat model of the application so they may not be security
  issues, but O_EXCL may be important for reliability.)

  Errors here appear to percolate to a NULL pointer added to an array in
  spawn_x_server() which will hopefully cause X to fail with an error
  ("expected argument" for the -auth parameter), but may have other
  consequences.
- Extensive logging, looked safe.
- Uses WAYLAND_DISPLAY RUNNING_UNDER_GDM GTK_MODULES DISPLAY XAUTHORITY
  GDM_SESSION_DBUS...