lightdm does not provide an equivalent to the gdm guest session AppArmor profile

Bug #849027 reported by Jamie Strandboge on 2011-09-13
This bug affects 3 people
Affects: Light Display Manager; Importance: Undecided; Assigned to: Robert Ancell
Affects: lightdm (Ubuntu); Importance: Critical; Assigned to: Martin Pitt
Affects: Oneiric; Importance: Critical; Assigned to: Martin Pitt

Bug Description

In all recent releases of Ubuntu, gdm provided an AppArmor profile for /usr/share/gdm/guest-session/Xsession in /etc/apparmor.d/gdm-guest-session to confine the guest user. LightDM should do the same.

tags: added: regression-release
Martin Pitt (pitti) wrote :

Robert, can we just copy the profile from gdm-guest-session and provide a similar wrapper?

Changed in lightdm (Ubuntu Oneiric):
assignee: nobody → Robert Ancell (robert-ancell)
assignee: Robert Ancell (robert-ancell) → nobody
status: New → Triaged
importance: Undecided → High
assignee: nobody → Robert Ancell (robert-ancell)
tags: added: rls-mgr-o-tracking
Robert Ancell (robert-ancell) wrote :

I can't remember offhand what the exact reason was, but when I was pulling the rules across it needed a wrapper script somewhere that lightdm didn't provide. I'll have another look and see if it works now if no-one beats me to it.

Robert Ancell (robert-ancell) wrote :

This will have to be fixed post B2.

Martin Pitt (pitti) wrote :

This is a major release blocker. We already opened up the guest session to not require a previous login, so now being able to access other home directories is a nasty security regression. I'll have a stab at this.

security vulnerability: no → yes
Changed in lightdm (Ubuntu Oneiric):
milestone: none → ubuntu-11.10
importance: High → Critical
status: Triaged → In Progress
assignee: Robert Ancell (robert-ancell) → Martin Pitt (pitti)
Martin Pitt (pitti) on 2011-09-30
Changed in lightdm (Ubuntu Oneiric):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.0.0-0ubuntu4

---------------
lightdm (1.0.0-0ubuntu4) oneiric; urgency=low

  * Add 01_guest_session_lockdown.patch: Lock down guest session with an
    AppArmor profile. This uses the very same approach as gdm-guest-session,
    and copies the profile from it. (LP: #849027)
  * 03_launch_dbus.patch: Refresh.
  * debian/lightdm.install: Install AppArmor profile.
 -- Martin Pitt <email address hidden> Fri, 30 Sep 2011 17:30:56 +0200

Changed in lightdm (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Reopening. The patch got correctly merged into trunk:

  http://bazaar.launchpad.net/~lightdm-team/lightdm/trunk/revision/1242

but only the second commit in my branch got merged into 1.0:

  http://bazaar.launchpad.net/~lightdm-team/lightdm/1.0/revision/1233

so we need the wrapper part back as a patch.

Changed in lightdm (Ubuntu Oneiric):
status: Fix Released → In Progress
Martin Pitt (pitti) wrote :

Robert, can you please fix the 1.0 branch to add the missing commit from trunk?

Changed in lightdm:
assignee: nobody → Robert Ancell (robert-ancell)
status: New → Confirmed
Martin Pitt (pitti) wrote :

Uploaded.

Changed in lightdm (Ubuntu Oneiric):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.0.1-0ubuntu5

---------------
lightdm (1.0.1-0ubuntu5) oneiric; urgency=low

  * Add debian/patches/00bzr_guest_session_wrapper.diff: Add back the guest
    session wrapper part that was uploaded in 1.0.0-0ubuntu4. The patch was
    correctly merged into trunk, but the 1.0 branch backport missed this
    wrapper part and thus broke AppArmor protection entirely. (LP: #849027)
 -- Martin Pitt <email address hidden> Fri, 07 Oct 2011 11:47:36 +0200

Changed in lightdm (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Robert Ancell (robert-ancell) wrote :

Whoops, I think I screwed up the -r option to bzr :( Should be fixed in 1.0.3

Changed in lightdm:
status: Confirmed → Fix Released
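
The 1.0.1-0ubuntu5 changelog entry above describes a profile that shipped without the wrapper it attaches to, which left the guest session unconfined. As an added example (not code from lightdm or from this bug report), here is a packaging-time check for that gap. The paths are hypothetical placeholders, the sample profile is constructed, and the header parser handles only simple path-attached profiles.

```python
import os
import re
import tempfile

# Hypothetical paths for illustration; substitute the ones your package installs.
PROFILE = "/etc/apparmor.d/example-guest-session"
WRAPPER = "/usr/lib/example-dm/guest-session-wrapper"
# Constructed sample profile, not the profile shipped by gdm or lightdm.
SAMPLE_PROFILE = ("#include <tunables/global>\n" + WRAPPER + " {\n"
                  "  owner @{HOME}/** rw,\n  /usr/{bin,lib}/** ix,\n}\n")

# Top-level profile header: "/path {" or "profile [name] /path {" (simplified grammar).
HEADER = re.compile(r'^(?:profile\s+(?:\S+\s+)?)?(/\S+)\s+(?:flags=\(.*?\)\s+)?\{\s*$', re.M)

def attachment_paths(profile_text):
    """Executable paths the profile attaches to (comments and #include lines ignored)."""
    return HEADER.findall(re.sub(r'#.*', '', profile_text))

def confinement_gaps(root, profile_path):
    """Reasons the profile would confine nothing in the tree staged under `root`."""
    on_disk = lambda p: os.path.join(root, p.lstrip("/"))
    if not os.path.isfile(on_disk(profile_path)):
        return ["profile not installed: " + profile_path]
    with open(on_disk(profile_path)) as fh:
        targets = attachment_paths(fh.read())
    gaps = [] if targets else ["profile has no path attachment"]
    for t in targets:
        if not (os.path.isfile(on_disk(t)) and os.access(on_disk(t), os.X_OK)):
            gaps.append("attachment target missing or not executable: " + t)
    return gaps

def label_is_enforced(label):
    """True if a /proc/<pid>/attr/current value names a profile in enforce mode."""
    return label.strip().endswith("(enforce)")

def demo():
    """Gaps with only the profile staged (the broken backport), then with the wrapper added."""
    with tempfile.TemporaryDirectory() as root:
        def stage(path, body, mode):
            dest = os.path.join(root, path.lstrip("/"))
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with open(dest, "w") as fh:
                fh.write(body)
            os.chmod(dest, mode)
        stage(PROFILE, SAMPLE_PROFILE, 0o644)
        before = confinement_gaps(root, PROFILE)
        stage(WRAPPER, '#!/bin/sh\nexec "$@"\n', 0o755)
        return before, confinement_gaps(root, PROFILE)

if __name__ == "__main__":
    print(demo())
```

On a running system, `label_is_enforced` can be applied to the contents of `/proc/<pid>/attr/current` for a guest-session process to confirm the profile actually attached.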
This report contains Public Security information
Everyone can see this security related information.