ltspfs in hardy doesn't work with LDM_DIRECTX=True set in lts.conf

Bug #218231 reported by Oliver Grawert on 2008-04-16
Affects: ltspfs (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: ltspfs

due to new security policy in ldm, ltspfs devices can not be used if LDM_DIRECTX=True is set in lts.conf. ldm needs to store the actual DISPLAY value after login somewhere in the filesystem, and add/remove_fstab_entry of ltspfs need to behave differently according to the LDM_DIRECTX variable (it needs to hand over the value of the DISPLAY where the security mcookie is set if we don't use ssh -X).

Vagrant Cascadian (vagrantc) wrote :

in addition to *_fstab_entry, it will need to be fixed in /usr/share/ldm/rc.d/S10-delayed-mounter

Oliver Grawert (ogra) wrote :

=== modified file 'scripts/add_fstab_entry'
--- scripts/add_fstab_entry 2008-02-27 04:17:50 +0000
+++ scripts/add_fstab_entry 2008-04-17 16:16:14 +0000
@@ -35,8 +35,18 @@
 for LDM_SOCKET in /var/run/ldm_socket_*; do
     SERVER=${LDM_SOCKET##*_}
     if [ -S ${LDM_SOCKET} ]; then
+ unset SSH_OPTS
+ unset DISPLAY_INFO
+ case ${LDM_SOCKET} in
+ /var/run/ldm_socket_vt*)
+ SSH_OPTS="-X"
+ ;;
+ *)
+ DISPLAY_INFO="DISPLAY=$(echo ${LDM_SOCKET} | cut -d _ -f 3)"
+ ;;
+ esac
         # ltspfs needs access to the X display
- /usr/bin/ssh -X -S ${LDM_SOCKET} ${SERVER} \
- "/usr/sbin/ltspfsmounter ${MOUNTPOINT} add"
+ /usr/bin/ssh $SSH_OPTS -S ${LDM_SOCKET} ${SERVER} \
+ "$DISPLAY_INFO /usr/sbin/ltspfsmounter ${MOUNTPOINT} add"
     fi
 done
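
Review bot: The display value built on the `cut -d _ -f 3` line comes straight from the socket file name and is then placed unquoted at the start of the remote command string handed to ssh, so whatever characters appear in that field of the name reach the server's shell. Check the extracted field against the expected display form before using it, and skip the socket if it does not match. The `case ${LDM_SOCKET} in` line would also be safer with the expansion quoted as `"${LDM_SOCKET}"`.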

Oliver Grawert (ogra) wrote :

--- scripts/add_fstab_entry 2008-01-11 00:37:11.000000000 +0100
+++ scripts/add_fstab_entry.new 2008-04-17 22:07:09.000000000 +0200
@@ -28,10 +28,25 @@

 # Mount in the client session, if logged in.
 for LDM_SOCKET in /var/run/ldm_socket_*; do
+ SSH_OPTS="-X"
     SERVER=${LDM_SOCKET##*_}
     if [ -S ${LDM_SOCKET} ]; then
+ # see if we have a command with DISPLAY matching our socket
+ IS_DIRECTX=$(pgrep -f -l DISPLAY |grep ${LDM_SOCKET})
+
+ unset DISPLAY_INFO
+ # get the DISPLAY info for ltspfsmounter
+ if [ -n "${IS_DIRECTX}" ];then
+ unset SSH_OPTS
+ for line in $IS_DIRECTX; do
+ if [ -n "$(echo $line|grep DISPLAY)" ]; then
+ DISPLAY_INFO="${line}"
+ fi
+ done
+ fi
+
         # ltspfs needs access to the X display
- /usr/bin/ssh -X -S ${LDM_SOCKET} ${SERVER} \
- "/usr/sbin/ltspfsmounter ${MOUNTPOINT} add"
+ /usr/bin/ssh $SSH_OPTS -S ${LDM_SOCKET} ${SERVER} \
+ "$DISPLAY_INFO /usr/sbin/ltspfsmounter ${MOUNTPOINT} add"
     fi
 done
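
Review bot: The `pgrep -f -l DISPLAY |grep ${LDM_SOCKET}` lookup accepts any process whose listing mentions both DISPLAY and the socket path, and the `for line in $IS_DIRECTX` loop then keeps the last whitespace-separated word containing DISPLAY without checking that it has the form DISPLAY=value. That word ends up unquoted in the remote command string passed to ssh. Having ldm write the value to a file after login, as the bug description proposes, or at least validating the word before use, would make the result deterministic and independent of what else happens to be running.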

Oliver Grawert (ogra) wrote :

final patch to go into hardy if ubuntu-release allows (will go upstream as well with slight modifications)

Oliver Grawert (ogra) wrote :

and another improvement

Oliver Grawert (ogra) wrote :

more error checking in remove_fstab_entry

Vagrant Cascadian (vagrantc) wrote :

with the last udev-scripts-security-regression.dpatch applied on debian sid, i'm getting a regression with mounts appearing in /tmp/.USER-ltspfs/DEVICENAME

i'm also getting inconsistent behavior with cdpinger.

hrm.

Oliver Grawert (ogra) wrote :

i can't confirm that on hardy, cdpinger works fine and removes the device dirs.

Vagrant Cascadian (vagrantc) wrote :

ah, my mistake. i had left extra cruft in /usr/share/ldm/rc.d/ that was additionally getting executed. works fine now that i've fixed that.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ltspfs - 0.5.0~bzr20080109-3ubuntu2

---------------
ltspfs (0.5.0~bzr20080109-3ubuntu2) hardy; urgency=low

  * udev-scripts-security-regression.dpatch (LP: #218231) due to security fixes in
    ldm local devices didnt get the right DISPLAY variable to get their
    authentication info for mounting. This patch provides the DISPLAY variable in
    the udev scripts and disables X forwarding for the ssh tunnel accordingly.
  * cdrom-naming-regression.dpatch (LP: #218962) in this ltspfs release the cd
    service gets dynamically started from udev instead of running as a daemon.
    This change caused the mountpoint name in /media/$USER/ to become the
    devicename (i.e. dev-scsicd0) instead of the everywhere matched label
    "cdrom". The patch restores the old behavior of always setting the label
    to "cdrom" so the right icon will be applied on the desktop and the places
    menu.

 -- Oliver Grawert <email address hidden> Fri, 18 Apr 2008 01:56:29 +0200

Changed in ltspfs:
status: New → Fix Released
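
The behaviour the changelog entry describes (pass DISPLAY explicitly and drop X forwarding for LDM_DIRECTX sessions), as an added example that is not the ltspfs code: it follows the socket naming of the first patch in this report, validates the display field before it reaches the remote command line, and only prints the command it would run. The function names, the accepted display syntax and the sample socket names are assumptions.

```shell
#!/bin/sh
# Added example (not ltspfs code). Socket naming follows the first patch:
#   /var/run/ldm_socket_vt<N>_<server>     -> X is forwarded with ssh -X
#   /var/run/ldm_socket_<display>_<server> -> LDM_DIRECTX, DISPLAY passed explicitly
# Assumption: a valid display looks like [host]:N or [host]:N.S

# Print the display field of a socket path; fail unless it is a well-formed display.
socket_display() {
    name=${1##*/}
    rest=${name#ldm_socket_}
    [ "$rest" != "$name" ] || return 1
    disp=${rest%%_*}
    case $disp in
        ''|*[!A-Za-z0-9.:-]*) return 1 ;;   # rejects spaces, quotes, ';', '$', newlines
    esac
    printf '%s\n' "$disp" | grep -Eq '^[A-Za-z0-9.-]*:[0-9]+(\.[0-9]+)?$' || return 1
    printf '%s\n' "$disp"
}

# Print "-X" when the socket belongs to a session that forwards X over ssh.
ssh_x_opt() {
    case ${1##*/} in
        ldm_socket_vt*) printf '%s\n' "-X" ;;
    esac
}

# Print the command line to run on the server, or fail on untrusted input.
remote_mount_cmd() {
    sock=$1 mnt=$2
    case $mnt in
        *[!A-Za-z0-9._/-]*|[!/]*|'') return 1 ;;   # absolute path, plain characters only
    esac
    if [ -n "$(ssh_x_opt "$sock")" ]; then
        printf '%s\n' "/usr/sbin/ltspfsmounter $mnt add"
    else
        d=$(socket_display "$sock") || return 1
        printf '%s\n' "DISPLAY=$d /usr/sbin/ltspfsmounter $mnt add"
    fi
}

# Dry run over constructed socket names; the real script would call
#   /usr/bin/ssh $(ssh_x_opt "$s") -S "$s" "${s##*_}" "$cmd"
for s in /var/run/ldm_socket_vt7_192.168.0.254 \
         /var/run/ldm_socket_:7_192.168.0.254 \
         '/var/run/ldm_socket_:7;x_192.168.0.254'; do
    cmd=$(remote_mount_cmd "$s" /tmp/drives/usbdisk-sda1) && echo "$s => $cmd" \
        || echo "$s => rejected"
done
```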