ubuntu-advantage-desktop-daemon (pro client in general) may expose the pro token to other users
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
ubuntu-advantage-desktop-daemon (Ubuntu) | Fix Released | High | Marco Trevisan (Treviño) |
ubuntu-advantage-tools (Ubuntu) | Triaged | High | Unassigned |
Bug Description
While attaching through a desktop application, the u-a-desktop-daemon may call the pro process via
/usr/bin/python3 /usr/bin/ua attach ZCAb12TN2..........
And the token is visible to any user able to `ps` the system, potentially causing this info to be leaked.
Just use
gdbus call --system --dest com.canonical.
--object-path /com/canonical/
--method com.canonical.
and the pro client attaching with the visible token will be in the result of `ps aux|grep attach`.
To prevent this from happening, the attach should pass the token to the client via an environment variable or a non-readable --attach-config file.
In fact this happens even when attaching manually, as suggested on the official Ubuntu Pro website, but I feel it's not something we should ever do, since passing a private token via args may cause it to be leaked.
While for the usage of the pro client itself, it should *always* go through a getpass-like or some other interactive way (if we want to keep it readable).
---
One way for the pro client to avoid exposing this for a long time, as it does now, would be, at least, to just make it re-exec itself when the token is passed as an argument, passing it as an internal env variable instead (better than creating a temporary attach-config, since that would imply IO and so a potential slowdown).
---
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: ubuntu-
ProcVersionSign
Uname: Linux 6.8.0-35-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.5
Architecture: amd64
CasperMD5CheckR
CurrentDesktop: ubuntu:GNOME
Date: Tue Jun 11 02:39:48 2024
InstallationDate: Installed on 2010-07-10 (5084 days ago)
Installatio
RebootRequiredPkgs: Error: path contained symlinks.
UpgradeStatus: Upgraded to jammy on 2020-06-14 (1457 days ago)
description: updated (×2)
Changed in ubuntu-advantage-desktop-daemon (Ubuntu):
  assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
  status: Triaged → In Progress
description: updated (×4)
Changed in ubuntu-advantage-tools (Ubuntu):
  assignee: nobody → Sebastien Bacher (seb128)
  importance: Undecided → High
  status: Triaged → Fix Committed
information type: Private Security → Public Security
Changed in ubuntu-advantage-tools (Ubuntu):
  assignee: Sebastien Bacher (seb128) → nobody
  status: Fix Committed → Invalid
  status: Invalid → Triaged
Not sure if this also affects the API call `u.pro.attach.magic.wait.v1`, where the magic is passed, since in such a case we should rely on further user interaction, so it shouldn't really be a problem.
However, I guess the `api` calls should also support reading from a file other than stdin.
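The exposure described in the bug report (a secret in argv is readable by every local user through /proc/<pid>/cmdline, which is exactly what `ps` reads) and the two mitigations discussed above (stdin/file input, and a self re-exec that moves the token into an environment variable), as an added example that is not code from ubuntu-advantage-tools, the desktop daemon or this bug's reporter. A toy client stands in for `ua attach`; the variable name UA_ATTACH_TOKEN, the CLIENT_REEXEC switch and the sample token are constructed for illustration and are not names the real client uses.

```python
import atexit
import os
import subprocess
import sys
import tempfile

TOKEN = "ZCAb12TN2-constructed-sample-token"   # constructed; not a real Pro token

# Toy stand-in for the pro client (not the real ua/pro code). It is written to a
# temp file and run as a child so its command line can be inspected from outside.
CLIENT = r'''
import os, sys, time
TOKEN_ENV = "UA_ATTACH_TOKEN"   # assumed variable name, not one the real client uses
args = sys.argv[1:]
if args == ["attach", "-"]:
    token = sys.stdin.readline().rstrip("\n")   # stdin/file input: never enters argv
elif args == ["attach", "--from-env"]:
    token = os.environ.pop(TOKEN_ENV)           # set by our own re-exec below
elif len(args) == 2 and args[0] == "attach":
    if os.environ.get("CLIENT_REEXEC") == "1":
        # Move the secret out of argv and replace the process image: same pid,
        # but /proc/<pid>/cmdline no longer carries the token from here on.
        os.environ[TOKEN_ENV] = args[1]
        os.execv(sys.executable, [sys.executable, sys.argv[0], "attach", "--from-env"])
    token = args[1]                             # leaky path: secret stays in argv
else:
    sys.exit("usage: client attach <token>|-")
sys.stdout.write("attached\n"); sys.stdout.flush()   # tells the parent the token is held
time.sleep(30)   # pretend the attach takes a while; this is the window ps can see
'''

_client_path = None

def client_path():
    """Write the toy client to a temp file once and return its path."""
    global _client_path
    if _client_path is None:
        fd, _client_path = tempfile.mkstemp(prefix="toy-pro-client-", suffix=".py")
        with os.fdopen(fd, "w") as f:
            f.write(CLIENT)
        atexit.register(os.unlink, _client_path)
    return _client_path

def cmdline_of(pid):
    """argv of another process, as ps/top read it. /proc/<pid>/cmdline is
    world-readable by default; /proc/<pid>/environ is owner-only, which is why
    an environment variable is not visible to other users the way argv is."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return [a.decode(errors="replace") for a in f.read().split(b"\0") if a]
    except FileNotFoundError:   # no procfs: ask ps itself
        out = subprocess.check_output(["ps", "-o", "args=", "-p", str(pid)], text=True)
        return out.split()

def run_client(mode, token):
    """Start the toy client in `mode` ("argv", "stdin" or "reexec"), wait until it
    has taken the token, and return its argv as any other local user would see it."""
    path = client_path()
    env = dict(os.environ)
    if mode == "argv":
        cmd, stdin_data = [sys.executable, path, "attach", token], None
    elif mode == "stdin":
        cmd, stdin_data = [sys.executable, path, "attach", "-"], token + "\n"
    elif mode == "reexec":
        cmd, stdin_data = [sys.executable, path, "attach", token], None
        env["CLIENT_REEXEC"] = "1"
    else:
        raise ValueError(f"unknown mode {mode!r}")
    p = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                         text=True, env=env)
    try:
        if stdin_data:
            p.stdin.write(stdin_data)
            p.stdin.flush()
        if not p.stdout.readline().startswith("attached"):
            raise RuntimeError("toy client did not reach the attached state")
        return cmdline_of(p.pid)
    finally:
        p.kill()
        p.communicate()

def token_exposed(mode, token=TOKEN):
    """True if the secret is readable from the client's command line in `mode`."""
    return token in run_client(mode, token)

if __name__ == "__main__":
    for mode in ("argv", "stdin", "reexec"):
        print(f"{mode:7s} token visible in /proc/<pid>/cmdline: {token_exposed(mode)}")
```

Only the "argv" mode leaks the token; "stdin" never puts it in argv, and "reexec" removes it as soon as the client replaces its own image. The re-exec only narrows the window (the original argv exists until the `execv` call), which is the "at least" mitigation proposed above; reading the token from stdin or from a file the caller controls is the one that removes the exposure entirely. Mounting /proc with `hidepid=2` would also hide other users' processes, but that is a system-wide setting the package cannot assume.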