Ubuntu
ltspfs package

ltspfs in hardy doesnt work with LDM_DIRECTX=True set in lts.conf

Bug #218231 reported by Oliver Grawert on 2008-04-16

4

Affects

Status

Importance

Assigned to

Milestone

ltspfs (Ubuntu)

Fix Released

Undecided

Unassigned

You need to log in to change this bug's status.

Affecting:	ltspfs (Ubuntu)
Filed here by:	Oliver Grawert
When:	2008-04-16
Confirmed:	2008-04-21
Started work:	2008-04-21
Completed:	2008-04-21

Target

Distribution
Package	(Find…)
Project	(Find…)

Status	Importance
	Undecided

Assigned to

	Nobody
	Me

Comment on this change (optional)

Email me about changes to this bug report

(?)

Bug Description

Binary package hint: ltspfs

due to new security policy in ldm ltspfs devices can not be used if LDM_DIRECTX=True is set in lts.conf. ldm needs to store the actual DISPLAY value after login somewhere in the filesystem and add/remove_fstab_entry of ltspfs need to behave differently according to the LDM_DIRECTX variable (it needs to hand over the value of the DISPLAY where the security mcookie is set if we dont use ssh -X) .

Tags: Edit Tag help

Vagrant Cascadian (vagrantc) wrote on 2008-04-16:

#1

in addition to *_fstab_entry, it will need to be fixed in /usr/share/ldm/rc.d/S10-delayed-mounter

Oliver Grawert (ogra) wrote on 2008-04-17:

#2

=== modified file 'scripts/add_fstab_entry'
--- scripts/add_fstab_entry 2008-02-27 04:17:50 +0000
+++ scripts/add_fstab_entry 2008-04-17 16:16:14 +0000
@@ -35,8 +35,18 @@
for LDM_SOCKET in /var/run/ldm_socket_*; do
     SERVER=${LDM_SOCKET##*_}
     if [ -S ${LDM_SOCKET} ]; then
+ unset SSH_OPTS
+ unset DISPLAY_INFO
+ case ${LDM_SOCKET} in
+ /var/run/ldm_socket_vt*)
+ SSH_OPTS="-X"
+ ;;
+ *)
+ DISPLAY_INFO="DISPLAY=$(echo ${LDM_SOCKET} | cut -d _ -f 3)"
+ ;;
+ esac
         # ltspfs needs access to the X display
- /usr/bin/ssh -X -S ${LDM_SOCKET} ${SERVER} \
- "/usr/sbin/ltspfsmounter ${MOUNTPOINT} add"
+ /usr/bin/ssh $SSH_OPTS -S ${LDM_SOCKET} ${SERVER} \
+ "$DISPLAY_INFO /usr/sbin/ltspfsmounter ${MOUNTPOINT} add"
     fi
done

Oliver Grawert (ogra) wrote on 2008-04-17:

#3

--- scripts/add_fstab_entry 2008-01-11 00:37:11.000000000 +0100
+++ scripts/add_fstab_entry.new 2008-04-17 22:07:09.000000000 +0200
@@ -28,10 +28,25 @@

# Mount in the client session, if logged in.
for LDM_SOCKET in /var/run/ldm_socket_*; do
+ SSH_OPTS="-X"
     SERVER=${LDM_SOCKET##*_}
     if [ -S ${LDM_SOCKET} ]; then
+ # see if we have a command with DISPLAY matching our socket
+ IS_DIRECTX=$(pgrep -f -l DISPLAY |grep ${LDM_SOCKET})
+
+ unset DISPLAY_INFO
+ # get the DISPLAY info for ltspfsmounter
+ if [ -n "${IS_DIRECTX}" ];then
+ unset SSH_OPTS
+ for line in $IS_DIRECTX; do
+ if [ -n "$(echo $line|grep DISPLAY)" ]; then
+ DISPLAY_INFO="${line}"
+ fi
+ done
+ fi
+
         # ltspfs needs access to the X display
- /usr/bin/ssh -X -S ${LDM_SOCKET} ${SERVER} \
- "/usr/sbin/ltspfsmounter ${MOUNTPOINT} add"
+ /usr/bin/ssh $SSH_OPTS -S ${LDM_SOCKET} ${SERVER} \
+ "$DISPLAY_INFO /usr/sbin/ltspfsmounter ${MOUNTPOINT} add"
     fi
done

Oliver Grawert (ogra) wrote on 2008-04-17:

#4

udev-scripts-security-regression.dpatch Edit (4.0 KiB, text/plain)

Oliver Grawert (ogra) wrote on 2008-04-17:

#5

udev-scripts-security-regression.dpatch Edit (3.7 KiB, text/plain)

final patch to go into hardy if ubuntu-release allows (will go upstream as well with slight modifications)

Oliver Grawert (ogra) wrote on 2008-04-17:

#6

udev-scripts-security-regression.dpatch Edit (3.6 KiB, text/plain)

and another improvement

Oliver Grawert (ogra) wrote on 2008-04-17:

#7

udev-scripts-security-regression.dpatch Edit (3.8 KiB, text/plain)

more error checking in remove_fstab_entry

Vagrant Cascadian (vagrantc) wrote on 2008-04-19:

#8

with the last udev-scripts-security-regression.dpatch applied on debian sid, i'm getting a regression with mounts appearing in /tmp/.USER-ltspfs/DEVICENAME

i'm also getting inconsistant behavior with cdpinger.

hrm.

Oliver Grawert (ogra) wrote on 2008-04-19:

#9

i cant confirm that on hardy, cdpinger works fine and removes the device dirs.

Vagrant Cascadian (vagrantc) wrote on 2008-04-20:

#10

ah, my mistake. i had left extra cruft in /usr/share/ldm/rc.d/ that was additionally getting executed. works fine now that i've fixed that.

Launchpad Janitor (janitor) wrote on 2008-04-21:

#11

This bug was fixed in the package ltspfs - 0.5.0~bzr20080109-3ubuntu2

---------------
ltspfs (0.5.0~bzr20080109-3ubuntu2) hardy; urgency=low

  * udev-scripts-security-regression.dpatch (LP: #218231) due to security fixes in
    ldm local devices didnt get the right DISPLAY variable to get their
    authentication info for mounting. This patch provides the DISPLAY variable in
    the udev scripts and disables X forwarding for the ssh tunnel accordingly.
  * cdrom-naming-regression.dpatch (LP: #218962) in this ltspfs release the cd
    service gets dynamically started from udev instead of running as a daemon.
    This change caused the mountpoint name in /media/$USER/ to become the
    devicename (i.e. dev-scsicd0) instead of the everywhere matched label
    "cdrom". The patch restores the old behavior of always setting the label
    to "cdrom" so the right icon will be applied on the desktop and the places
    menu.

-- Oliver Grawert <email address hidden> Fri, 18 Apr 2008 01:56:29 +0200

Changed in ltspfs:
status:	New → Fix Released

Report a bug

This report contains Public information Edit

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

Add patch

Bug attachments

udev-scripts-security-regression.dpatch (edit)

Add attachment