lightdm doesn't drop privileges when reading ~/.dmrc

Bug #883865 reported by Marc Deslauriers on 2011-10-30
Affects                    Importance  Assigned to
lightdm (Ubuntu)           Medium      Unassigned
lightdm (Ubuntu Oneiric)   Medium      Unassigned
lightdm (Ubuntu Precise)   Medium      Unassigned

Bug Description

LightDM doesn't drop privileges when reading the ~/.dmrc file. This allows a local user to read configuration files he would normally not have read permissions for, for example, mysql configuration files that contain passwords.

How to reproduce:
1- Create a /etc/app.conf file owned by root with 600 permissions, containing the following:
[App]
password=xyz
2- Log in as a regular user
3- rm ~/.dmrc
4- ln -s /etc/app.conf ~/.dmrc
5- Log out, log back in
6- look at ~/.dmrc

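The symlink trick above, together with the two mitigations the security updates further down describe (refuse symlinks and hard links, and drop privileges before touching the file), as an added C example. This is not lightdm's code: the function names, the scratch directory under /tmp and the sample file contents are illustrative, and it assumes Linux/glibc (O_NOFOLLOW, setresuid/setresgid).

```c
/* Added example, not lightdm's code: how a root daemon can read a per-user
 * file such as ~/.dmrc without disclosing files the user cannot read. It
 * combines this report's two fixes. Assumes Linux/glibc; names are illustrative. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open without following symlinks, then check the inode actually held (fstat
 * on the fd, not stat on the path: no TOCTOU window). -1 + ELOOP/EACCES on refusal. */
ssize_t read_user_dotfile(const char *path, uid_t uid, char *buf, size_t bufsize)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY | O_CLOEXEC);
    if (fd < 0) return -1;                         /* ELOOP when path is a symlink */
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
             st.st_uid == uid && st.st_nlink == 1;   /* nlink 1 rules out hard links */
    ssize_t n = ok ? read(fd, buf, bufsize - 1) : -1;
    int e = ok ? errno : EACCES;
    close(fd);
    if (n < 0) { errno = e; return -1; }
    buf[n] = '\0';
    return n;
}

/* Permanently drop to uid/gid; a no-op when the caller is not root. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() != 0) return 0;
    if (setgroups(0, NULL) != 0 || setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;
    return (uid != 0 && setuid(0) == 0) ? -1 : 0;    /* must not be able to regain root */
}

/* The root parent never opens the file: a child drops privileges, reads it
 * and streams the bytes back over a pipe. Returns bytes received or -1. */
ssize_t read_dotfile_as_user(const char *path, uid_t uid, gid_t gid,
                             char *buf, size_t bufsize)
{
    int p[2], status;
    if (pipe(p) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0) {
        char tmp[4096];
        ssize_t n = drop_privileges(uid, gid) == 0
                  ? read_user_dotfile(path, uid, tmp, sizeof tmp) : -1;
        close(p[0]);
        if (n > 0 && write(p[1], tmp, (size_t)n) != n) n = -1;
        _exit(n < 0 ? 1 : 0);
    }
    close(p[1]);
    size_t got = 0; ssize_t n;
    while (got < bufsize - 1 && (n = read(p[0], buf + got, bufsize - 1 - got)) > 0)
        got += (size_t)n;
    close(p[0]); buf[got] = '\0';
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status))
        return -1;
    return (ssize_t)got;
}

static int write_file(const char *path, const char *text)
{
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    int bad = fputs(text, fp) < 0;
    return (fclose(fp) != 0 || bad) ? -1 : 0;
}

/* Constructed self-check replaying the report in a scratch directory: a genuine
 * dotfile, a symlink to a "secret" config, and a hard link to that secret.
 * Returns 0 when every case behaves as intended, else one bit per failed case. */
int dotfile_self_check(void)
{
    char dir[] = "/tmp/dmrc-demo-XXXXXX", buf[256], plain[64], secret[64], sym[64], hard[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(plain, sizeof plain, "%s/dmrc", dir);
    snprintf(secret, sizeof secret, "%s/app.conf", dir);
    snprintf(sym, sizeof sym, "%s/dmrc-symlink", dir);
    snprintf(hard, sizeof hard, "%s/dmrc-hardlink", dir);
    uid_t me = getuid(); gid_t mg = getgid();
    int f = write_file(plain, "[Desktop]\nSession=ubuntu\n") ||
            write_file(secret, "[App]\npassword=xyz\n") || symlink(secret, sym);
    int have_hard = link(secret, hard) == 0;          /* may be refused on some filesystems */
    if (read_dotfile_as_user(plain, me, mg, buf, sizeof buf) < 0 ||
        !strstr(buf, "Session=ubuntu")) f |= 2;       /* genuine file reads normally */
    if (read_user_dotfile(sym, me, buf, sizeof buf) >= 0 || errno != ELOOP) f |= 4;
    if (have_hard && (read_user_dotfile(hard, me, buf, sizeof buf) >= 0 ||
                      errno != EACCES)) f |= 8;       /* hard link has nlink 2 */
    if (read_dotfile_as_user(sym, me, mg, buf, sizeof buf) >= 0) f |= 16;
    unlink(plain); unlink(secret); unlink(sym); unlink(hard); rmdir(dir);
    return f;
}
```

Call dotfile_self_check() from a main(); 0 means the genuine dotfile was read and both the symlink and the hard-link variants were refused. Run as an ordinary user only the O_NOFOLLOW/fstat layer is exercised, since drop_privileges is a no-op without root; run as root, the parent keeps its privileges and never opens the file itself, which is the property a display manager needs.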
Marc Deslauriers (mdeslaur) wrote :

This is CVE-2011-3153.

Marc Deslauriers (mdeslaur) wrote :

This issue is embargoed and has not been disclosed publicly.
We are requesting a coordinated release date (CRD) of <2011-11-15 17:00 UTC>.

Changed in lightdm (Ubuntu Oneiric):
status: New → Confirmed
importance: Undecided → Medium
Changed in lightdm (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Medium
Yves-Alexis Perez (corsac) wrote :

Note that it might be worth investigating for other issues like that. For the “write” vulnerability both .dmrc and .Xauthority were concerned, so .Xauthority file reading might be a good idea to look at.

Marc Deslauriers (mdeslaur) wrote :

Here's a proposed patch.

Robert, does this look okay to you?

Robert Ancell (robert-ancell) wrote :

Yes, patch looks correct. I've applied it to trunk and the stable branch.

Robert Ancell (robert-ancell) wrote :

Note that in Ubuntu we're using AccountsService and this file is not read under normal conditions. It will affect any Ubuntu derivative that doesn't use Accounts Service however.

Changed in lightdm (Ubuntu Precise):
status: Confirmed → Fix Committed
Changed in lightdm (Ubuntu Oneiric):
status: Confirmed → Fix Committed
Yves-Alexis Perez (corsac) wrote :

Hmhmh, the commits break the embargo, afaict, since the repositories are public...

Marc Deslauriers (mdeslaur) wrote :

Yes, unfortunately the embargo is now broken since the commit is public.

@Robert: the file is most certainly read on Oneiric, I can reproduce the issue at will. Is something not working right with AccountsService?

Marc Deslauriers (mdeslaur) wrote :

This would call it:

void
user_set_xsession (User *user, const gchar *xsession)
{
    g_return_if_fail (user != NULL);

    /* D-Bus call to AccountsService ... */
    call_method (user->priv->proxy, "SetXSession", g_variant_new ("(s)", xsession), "()", NULL);
    /* ... followed by the direct, still-privileged write to ~/.dmrc */
    save_string_to_dmrc (user->priv->name, "Desktop", "Session", xsession);
}

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.0.6-0ubuntu1.1

---------------
lightdm (1.0.6-0ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: file contents disclosure via hard link
    - debian/patches/04_CVE-2011-4105.patch: make sure file isn't a symlink
      or a hard link before doing the chown on it.
    - CVE-2011-4105
  * SECURITY UPDATE: file contents disclosure via links (LP: #883865)
    - debian/patches/05_CVE-2011-3153.patch: drop privileges before
      accessing file.
    - CVE-2011-3153
 -- Marc Deslauriers <email address hidden> Tue, 15 Nov 2011 08:31:27 -0500

Changed in lightdm (Ubuntu Oneiric):
status: Fix Committed → Fix Released
visibility: private → public
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.0.6-0ubuntu3

---------------
lightdm (1.0.6-0ubuntu3) precise; urgency=low

  * SECURITY UPDATE: file contents disclosure via hard link
    - debian/patches/04_CVE-2011-4105.patch: make sure file isn't a symlink
      or a hard link before doing the chown on it.
    - CVE-2011-4105
  * SECURITY UPDATE: file contents disclosure via links (LP: #883865)
    - debian/patches/05_CVE-2011-3153.patch: drop privileges before
      accessing file.
    - CVE-2011-3153
 -- Marc Deslauriers <email address hidden> Tue, 15 Nov 2011 14:23:53 -0500

Changed in lightdm (Ubuntu Precise):
status: Fix Committed → Fix Released
Yves-Alexis Perez (corsac) wrote :

Note that the patch uses O_NOFOLLOW flag to open() which is Linux-only.

Yves-Alexis Perez (corsac) wrote :

This patch seems to fix the problem.

Yves-Alexis Perez (corsac) wrote :

Any news on this?

Marc Deslauriers (mdeslaur) wrote :

News on what exactly? The code isn't in trunk anymore, and we've applied the patch to our releases.

If you're looking for a patch that doesn't use O_NOFOLLOW, you might as well remove the offending code from lightdm altogether, that would be the best solution.

Yves-Alexis Perez (corsac) wrote :

Yes, good point, code is removed now, sorry for that.
