Ubuntu
sugar package

Sugar-Emulator has no access control

Bug #296604 reported by mungewell
6
Affects Status Importance Assigned to Milestone
Sugar
Unknown
Unknown
sugar (Ubuntu)
Fix Released
Critical
Unassigned

Bug Description

Binary package hint: sugar

Sugar-Emulator uses the '-ac' flag in the Xephyr command line, with turns off access control.

This means that anyone on the network can attach to the display/keyboard/mouse and interfer with the operation of Sugar (such as running xeyes, which goes full screen and can not be cancelled!).

With Xephyr on display :1
--
simon@destiny:~$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:6001 0.0.0.0:* LISTEN
tcp6 0 0 :::6001 :::* LISTEN
--

Simon.

Revision history for this message
mungewell (simon-mungewell) wrote :

A quick fix for this would be to use the Xauth file of the running/calling user.

The emulator.py should call 'xauth add <$display> . <random 128bit/32hex char>', and then Xephyr can be called without the '-ac' flag.

The Xephyr server still listens on the TCP/IP ports, but does not allow others to connect unless they have imported the same key to their Xauth file.

Simon.

Revision history for this message
mungewell (simon-mungewell) wrote :
Revision history for this message
Morgan Collett (morgan) wrote :

Reported upstream - I'll get your patch reviewed

Bug Watch Updater (bug-watch-updater)
Changed in sugar:
status: Unknown → New
Revision history for this message
mungewell (simon-mungewell) wrote :

Slight problem with patch, 1 in 16 chance that xauth will fail as leading 0 is dropped, new to python so don't know how to fix this....

--
DEBUG:sugar-emulator:Xauth command: xauth add :3 . a3dd93f39f280dad34d58d6f301a84f
xauth: (argv):1: key contains odd number of or non-hex characters
--

Simon.

Luke Faraone (lfaraone)
Changed in sugar:
assignee: nobody → lfaraone
status: New → In Progress
Luke Faraone (lfaraone)
Changed in sugar:
importance: Undecided → Low
status: In Progress → Triaged
Revision history for this message
mungewell (simon-mungewell) wrote :

Slightly better way of fixing leading zeros...

change
cmd2.append('%s' % hex(random.getrandbits(128))[2:-1])
for
cmd2.append('%032X' % random.getrandbits(128))

Simon.

Bug Watch Updater (bug-watch-updater)
Changed in sugar:
status: New → Confirmed
Revision history for this message
Luke Faraone (lfaraone) wrote :

Upstream has deferred to 0.86, so it'll be in Jaunty+1

Changed in sugar:
assignee: lfaraone → nobody
Revision history for this message
David Farning (dfarning) wrote :

This has been fixed as of the most recent release of sugar .88 on 10.4

Changed in sugar:
importance: Unknown → Critical
status: Confirmed → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in sugar:
importance: Critical → Unknown
status: Fix Released → Confirmed
Revision history for this message
Brian Murray (brian-murray) wrote :

I imagine it was meant for the Ubuntu status and importance to be set to Fix Released and Critical - not the upstream task which was unset by the bug watch updater.

Changed in sugar (Ubuntu):
status: Triaged → Fix Released
importance: Low → Critical
Bug Watch Updater (bug-watch-updater)
Changed in sugar:
status: Confirmed → Unknown
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.