| 2021-03-29 00:52:12 |
Jonas Wiegert |
bug |
|
|
added bug |
| 2021-04-08 10:23:23 |
Norbert |
tags |
|
focal |
|
| 2021-04-08 10:23:51 |
Norbert |
bug task added |
|
lightdm (Ubuntu) |
|
| 2021-04-09 03:15:35 |
Gunnar Hjalmarsson |
tags |
focal |
focal groovy hirsute |
|
| 2021-04-09 03:15:57 |
Gunnar Hjalmarsson |
bug task added |
|
lightdm |
|
| 2021-04-09 03:18:13 |
Gunnar Hjalmarsson |
bug task deleted |
lightdm |
|
|
| 2021-04-09 03:25:10 |
Gunnar Hjalmarsson |
bug watch added |
|
https://github.com/canonical/lightdm/issues/185 |
|
| 2021-04-09 03:25:31 |
Gunnar Hjalmarsson |
lightdm (Ubuntu): status |
New |
Triaged |
|
| 2021-04-09 03:25:34 |
Gunnar Hjalmarsson |
lightdm (Ubuntu): importance |
Undecided |
Medium |
|
| 2021-04-10 22:54:24 |
Gunnar Hjalmarsson |
nominated for series |
|
Ubuntu Focal |
|
| 2021-04-10 22:54:24 |
Gunnar Hjalmarsson |
bug task added |
|
lightdm (Ubuntu Focal) |
|
| 2021-04-10 22:54:24 |
Gunnar Hjalmarsson |
nominated for series |
|
Ubuntu Hirsute |
|
| 2021-04-10 22:54:24 |
Gunnar Hjalmarsson |
bug task added |
|
lightdm (Ubuntu Hirsute) |
|
| 2021-04-10 22:54:24 |
Gunnar Hjalmarsson |
nominated for series |
|
Ubuntu Groovy |
|
| 2021-04-10 22:54:24 |
Gunnar Hjalmarsson |
bug task added |
|
lightdm (Ubuntu Groovy) |
|
| 2021-04-10 22:54:56 |
Gunnar Hjalmarsson |
lightdm (Ubuntu Hirsute): status |
Triaged |
Fix Committed |
|
| 2021-04-10 22:54:56 |
Gunnar Hjalmarsson |
lightdm (Ubuntu Hirsute): assignee |
|
Gunnar Hjalmarsson (gunnarhj) |
|
| 2021-04-10 22:55:21 |
Gunnar Hjalmarsson |
lightdm (Ubuntu Groovy): importance |
Undecided |
Medium |
|
| 2021-04-10 22:55:21 |
Gunnar Hjalmarsson |
lightdm (Ubuntu Groovy): status |
New |
Triaged |
|
| 2021-04-10 22:55:21 |
Gunnar Hjalmarsson |
lightdm (Ubuntu Groovy): assignee |
|
Gunnar Hjalmarsson (gunnarhj) |
|
| 2021-04-10 22:55:40 |
Gunnar Hjalmarsson |
lightdm (Ubuntu Focal): importance |
Undecided |
Medium |
|
| 2021-04-10 22:55:40 |
Gunnar Hjalmarsson |
lightdm (Ubuntu Focal): status |
New |
Triaged |
|
| 2021-04-10 22:55:40 |
Gunnar Hjalmarsson |
lightdm (Ubuntu Focal): assignee |
|
Gunnar Hjalmarsson (gunnarhj) |
|
| 2021-04-12 15:22:24 |
Launchpad Janitor |
lightdm (Ubuntu Hirsute): status |
Fix Committed |
Fix Released |
|
| 2021-04-12 15:34:33 |
Jonas Wiegert |
lightdm (Ubuntu Groovy): status |
Triaged |
Incomplete |
|
| 2021-04-12 18:09:15 |
Gunnar Hjalmarsson |
description |
Hello I ran into trouble to start the lightdm-guest-session in linux mint (cinnamon).
## How to reproduce:
- boot linux mint (20.02) or ubuntu mate (20.04) I haven't tested other distros but I think others are also affected.
- enable guest user session
- try to login as guest user
## Error logs:
### Error Message:
` Could not update file ICEauthority file /run/user/XXX/ICEauthority`
### aa-notify:
```
Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8125/uid_map
Denied: w
Logfile: /var/log/kern.log
Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8125/setgroups
Denied: w
Logfile: /var/log/kern.log
Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8125/gid_map
Denied: w
Logfile: /var/log/kern.log
Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8624/fd/
Denied: r
Logfile: /var/log/kern.log
```
### dmesg:
```
[ 218.831289] audit: type=1400 audit(1616864450.287:76): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/dev-log" pid=3916 comm="cinnamon-sessio" requested_mask="w" denied_mask="w" fsuid=999 ouid=0
[ 1157.263045] audit: type=1400 audit(1616865388.720:1084): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/9899/fd/" pid=9899 comm="gpg-agent" requested_mask="r" denied_mask="r" fsuid=999 #ouid=0
[ 1157.899223] audit: type=1400 audit(1616865389.356:1085): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/1/cgroup" pid=9840 comm="cinnamon-sessio" requested_mask="r" denied_mask="r" fsuid=999 ouid=0
[ 1157.899445] audit: type=1400 audit(1616865389.360:1086): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/dev-log" pid=9840 comm="cinnamon-sessio" requested_mask="w" denied_mask="w" fsuid=999 ouid=0
[ 1157.903410] audit: type=1400 audit(1616865389.364:1087): apparmor="DENIED" operation="link" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/user/999/ICEauthority-l" pid=9840 comm="cinnamon-sessio" requested_mask="l" denied_mask="l" fsuid=999 ouid=999 target="/run/user/999/ICEauthority-c"
```
## Solutions:
### bad but common work around
Solutions I found in different forums were to move lightdm-guest-session into complain mode like this:
`aa-complain /usr/lib/lightdm/lightdm-guest-session`
### maybe better sollution:
My fix would be to add this to `/etc/apparmor.d/lightdm-guest-session`:
```
...
/usr/lib/lightdm/lightdm-guest-session {
...
owner /run/user/[0-9]*/ICEauthority-? l,`
...
}
```
I honestly have no clue about apparmor and I'm unsure where to post this but I hope this maybe helps some other people in the future. |
[Impact]
If you enable the guest session feature on e.g. Ubuntu MATE, you are met by an error message when trying to enter a guest session:
"Could not update file ICEauthority file /run/user/XXX/ICEauthority"
Even if it's not always a fatal error (the login may succeed after a few minutes), the user experience is really bad, and you are inclined to conclude that you are completely blocked from using the feature.
The proposed fix adds a rule to the lightdm-guest-session AppArmor profile and prevents the error from happening.
[Test Plan]
On an updated Ubuntu MATE installation:
* Enable guest session
sudo sh -c 'printf "[Seat:*]\nallow-guest=true\n" >/etc/lightdm/lightdm.conf.d/50-enable-guest.conf'
* Install lightdm from {focal,groovy}-proposed
* Reboot
You should now be able to enter a guest session without being stopped by the ICEauthority error.
[Where problems could occur]
This one-liner is a harmless change.
The guest session is run in an unconfined mode since Ubuntu 16.10. That's why the feature is disabled by default.
So if the additional rule would be wrong somehow (which I have no reason to believe), it wouldn't break the AppArmor security layer for the simple reason that it's already broken to begin with.
[Original description]
Hello I ran into trouble to start the lightdm-guest-session in linux mint (cinnamon).
## How to reproduce:
- boot linux mint (20.02) or ubuntu mate (20.04) I haven't tested other distros but I think others are also affected.
- enable guest user session
- try to login as guest user
## Error logs:
### Error Message:
` Could not update file ICEauthority file /run/user/XXX/ICEauthority`
### aa-notify:
```
Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8125/uid_map
Denied: w
Logfile: /var/log/kern.log
Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8125/setgroups
Denied: w
Logfile: /var/log/kern.log
Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8125/gid_map
Denied: w
Logfile: /var/log/kern.log
Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8624/fd/
Denied: r
Logfile: /var/log/kern.log
```
### dmesg:
```
[ 218.831289] audit: type=1400 audit(1616864450.287:76): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/dev-log" pid=3916 comm="cinnamon-sessio" requested_mask="w" denied_mask="w" fsuid=999 ouid=0
[ 1157.263045] audit: type=1400 audit(1616865388.720:1084): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/9899/fd/" pid=9899 comm="gpg-agent" requested_mask="r" denied_mask="r" fsuid=999 #ouid=0
[ 1157.899223] audit: type=1400 audit(1616865389.356:1085): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/1/cgroup" pid=9840 comm="cinnamon-sessio" requested_mask="r" denied_mask="r" fsuid=999 ouid=0
[ 1157.899445] audit: type=1400 audit(1616865389.360:1086): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/dev-log" pid=9840 comm="cinnamon-sessio" requested_mask="w" denied_mask="w" fsuid=999 ouid=0
[ 1157.903410] audit: type=1400 audit(1616865389.364:1087): apparmor="DENIED" operation="link" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/user/999/ICEauthority-l" pid=9840 comm="cinnamon-sessio" requested_mask="l" denied_mask="l" fsuid=999 ouid=999 target="/run/user/999/ICEauthority-c"
```
## Solutions:
### bad but common work around
Solutions I found in different forums were to move lightdm-guest-session into complain mode like this:
`aa-complain /usr/lib/lightdm/lightdm-guest-session`
### maybe better sollution:
My fix would be to add this to `/etc/apparmor.d/lightdm-guest-session`:
```
...
/usr/lib/lightdm/lightdm-guest-session {
...
owner /run/user/[0-9]*/ICEauthority-? l,`
...
}
```
I honestly have no clue about apparmor and I'm unsure where to post this but I hope this maybe helps some other people in the future. |
|
| 2021-04-12 18:09:55 |
Gunnar Hjalmarsson |
lightdm (Ubuntu Groovy): status |
Incomplete |
In Progress |
|
| 2021-04-12 18:10:18 |
Gunnar Hjalmarsson |
lightdm (Ubuntu Focal): status |
Triaged |
In Progress |
|
| 2021-04-27 19:07:30 |
Brian Murray |
lightdm (Ubuntu Groovy): status |
In Progress |
Fix Committed |
|
| 2021-04-27 19:07:32 |
Brian Murray |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2021-04-27 19:07:35 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
| 2021-04-27 19:07:39 |
Brian Murray |
tags |
focal groovy hirsute |
focal groovy hirsute verification-needed verification-needed-groovy |
|
| 2021-04-27 19:08:44 |
Brian Murray |
lightdm (Ubuntu Focal): status |
In Progress |
Fix Committed |
|
| 2021-04-27 19:08:50 |
Brian Murray |
tags |
focal groovy hirsute verification-needed verification-needed-groovy |
focal groovy hirsute verification-needed verification-needed-focal verification-needed-groovy |
|
| 2021-04-27 21:53:22 |
Gunnar Hjalmarsson |
tags |
focal groovy hirsute verification-needed verification-needed-focal verification-needed-groovy |
focal groovy hirsute verification-done verification-done-focal verification-done-groovy |
|
| 2021-05-06 08:14:12 |
Launchpad Janitor |
lightdm (Ubuntu Groovy): status |
Fix Committed |
Fix Released |
|
| 2021-05-06 08:14:18 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2021-05-06 08:48:18 |
Launchpad Janitor |
lightdm (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
| 2021-07-31 10:46:43 |
Norbert |
tags |
focal groovy hirsute verification-done verification-done-focal verification-done-groovy |
verification-done |
|
| 2022-04-08 22:35:06 |
Martin Wimpress |
bug task deleted |
ubuntu-mate |
|
|
