Ubuntu
lightdm package

"Remote Login" account not confined by guest AppArmor profile

Bug #1049849 reported by Marc Deslauriers
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
lightdm (Ubuntu)
Invalid
High
Ted Gould
lightdm-remote-session-freerdp (Ubuntu)
Fix Released
High
Ted Gould
lightdm-remote-session-uccsconfigure (Ubuntu)
Fix Released
High
Ted Gould

Bug Description

The "Guest" session in lightdm is launched confined by a very restrictive AppArmor profile for security reasons.

The new "Remote Login" session that has been added to Quantal is supposed to be using the same type of guest account restrictions, but isn't restricted by the guest AppArmor profile. This has a security impact on the default desktop.

ProblemType: Bug
DistroRelease: Ubuntu 12.10
Package: lightdm 1.3.3-0ubuntu4
ProcVersionSignature: Ubuntu 3.5.0-14.16-generic 3.5.3
Uname: Linux 3.5.0-14-generic x86_64
NonfreeKernelModules: nvidia
ApportVersion: 2.5.1-0ubuntu7
Architecture: amd64
Date: Wed Sep 12 10:09:10 2012
InstallationMedia: Ubuntu 12.10 "Quantal Quetzal" - Alpha amd64 (20120724.2)
ProcEnviron:
 LANGUAGE=en_CA:en
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_CA.UTF-8
 SHELL=/bin/bash
SourcePackage: lightdm
UpgradeStatus: No upgrade log present (probably fresh install)

Related branches

lp:~ted/lightdm-remote-session-uccsconfigure/apparmor-profile
Albert Astals Cid (community): Approve
jenkins (community): Approve (continuous-integration)
Diff: 192 lines (+138/-4)
5 files modified
Makefile.am (+28/-1)
configure.ac (+5/-1)
lightdm-remote-session-uccsconfigure.in (+71/-0)
uccsconfigure-session-wrapper.c (+32/-0)
uccsconfigure.desktop.in (+2/-2)
lp:~ted/lightdm-remote-session-freerdp/apparmor-profile
jenkins (community): Approve (continuous-integration)
FreeRDP Remote Team: Pending requested
Diff: 184 lines (+126/-6)
4 files modified
Makefile.am (+21/-4)
freerdp-session-wrapper.c (+32/-0)
freerdp.desktop.in (+2/-2)
lightdm-remote-session-freerdp.in (+71/-0)
lp:~remote-login-service-team/lightdm-remote-session-uccsconfigure/ubuntu
Michael Terry: Pending requested
Diff: 4009 lines (+3397/-75)
19 files modified
AUTHORS (+2/-1)
ChangeLog (+100/-0)
Makefile.am (+44/-3)
Makefile.in (+310/-44)
aclocal.m4 (+389/-0)
compile (+343/-0)
configure (+1328/-16)
configure.ac (+5/-1)
debian/changelog (+28/-0)
debian/control (+4/-1)
debian/rules (+5/-1)
debian/source/format (+0/-1)
depcomp (+708/-0)
firefox-uccsconfigure.desktop.in (+2/-1)
firefox-uccsconfigure.sh (+4/-0)
lightdm-remote-session-uccsconfigure.in (+71/-0)
uccsconfigure-session-wrapper.c (+32/-0)
uccsconfigure-session.in (+20/-4)
uccsconfigure.desktop.in (+2/-2)
lp:~freerdp-remote-team/lightdm-remote-session-freerdp/ubuntu
Michael Terry: Pending requested
Diff: 733 lines (+355/-47)
14 files modified
AUTHORS (+1/-0)
ChangeLog (+64/-0)
Makefile.am (+26/-4)
Makefile.in (+116/-24)
configure (+10/-10)
configure.ac (+1/-1)
debian/changelog (+11/-0)
debian/control (+4/-1)
debian/rules (+5/-1)
freerdp-session-wrapper.c (+32/-0)
freerdp-session.in (+1/-1)
freerdp.desktop.in (+2/-2)
lightdm-remote-session-freerdp.in (+71/-0)
socket-sucker.c (+11/-3)
lp:~ubuntu-desktop/lightdm-remote-session-freerdp/ubuntu
lp:ubuntu/quantal/lightdm-remote-session-freerdp
lp:~ubuntu-desktop/lightdm-remote-session-uccsconfigure/ubuntu
lp:ubuntu/quantal/lightdm-remote-session-uccsconfigure
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :
tags: added: rls-q-incoming
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

How to reproduce:

- Guest account:
  - open session
  - open terminal
  - "cd /home;ls" should give "Permission denied" and dmesg should show AppArmor denial

- Remote Login:
  - Click on Remote Login help icon in greeter
  - Click on "Set up" button
  - open terminal
  - "cd /home;ls" should fail, but currently does not.

Ted Gould (ted)
Changed in lightdm (Ubuntu):
assignee: nobody → Ted Gould (ted)
importance: Undecided → High
Steve Beattie (sbeattie)
Changed in lightdm (Ubuntu):
status: New → Confirmed
Revision history for this message
Robert Ancell (robert-ancell) wrote :

The way AppArmour profiles are applied in lightdm is based on the session process name. So in the case of the guest session lightdm runs /usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper which then runs the actual session process (e.g. gnome-session). The binary name "/usr/lib/lightdm/lightdm/lightdm-guest-session-wrapper" is matched in the AppArmor profile /etc/apparmor.d/lightdm-guest-session.

For remote sessions lightdm doesn't run it through the guest wrapper so no AppArmor profile is applied by default. We could run it through the same wrapper but remote sessions probably want an even more restrictive profile (there should be no access to the local filesystem at all).

So in short, I think the packages lightdm-remote-session-freerdp and lightdm-remote-session-uccsconfigure packages should provide AppArmor profiles for /usr/lib/x86_64-linux-gnu/lightdm-remote-session-freerdp/freerdp-session and /usr/share/lightdm-remote-session-uccsconfigure/uccsconfigure-session.

This is about the limit of my knowledge of AppArmor - for more information ask Martin Pitt as he implemented this feature.

Revision history for this message
Robert Ancell (robert-ancell) wrote :

Thinking over this has made me rethink how guest sessions are implemented in LightDM. The AppArmor code has always been an awkward fit in the daemon (which can't possibly know what resources a session will require). I propose for LightDM 1.6 that the guest sessions are externally defined with their own AppArmor profiles like the proposal for remote sessions is done (bug 1050739).

The downside of all this is each session requires its own AppArmor profile which will probably all be quite similar. I don't know if AppArmour has any support for simplifying this.

Ted Gould (ted)
Changed in lightdm-remote-session-freerdp (Ubuntu):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Ted Gould (ted)
Changed in lightdm-remote-session-uccsconfigure (Ubuntu):
status: New → Confirmed
importance: Undecided → High
assignee: nobody → Ted Gould (ted)
Changed in lightdm (Ubuntu):
status: Confirmed → Invalid
Albert Astals Cid (aacid)
Changed in lightdm-remote-session-freerdp (Ubuntu):
status: Confirmed → Fix Committed
Changed in lightdm-remote-session-uccsconfigure (Ubuntu):
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm-remote-session-freerdp - 1.0-0ubuntu1

---------------
lightdm-remote-session-freerdp (1.0-0ubuntu1) quantal; urgency=low

  * New upstream release.
    * Adding apparmor wrapper to ensure protection (LP: #1049849)
  * debian/control:
    * Add depends on Apparmor
  * debian/rules: Add installing of apparmor profile
 -- Ted Gould <email address hidden> Wed, 19 Sep 2012 13:58:41 -0500

Changed in lightdm-remote-session-freerdp (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm-remote-session-uccsconfigure - 1.1-0ubuntu1

---------------
lightdm-remote-session-uccsconfigure (1.1-0ubuntu1) quantal; urgency=low

  * New upstream release.
    * Adding apparmor wrappers (LP: #1049849)
  * debian/control:
    * Going to arch any as we have a binary now
    * Adding dh_apparmor and suggests apparmor
  * debian/rules:
    * Adding apparmor build rules
 -- Ted Gould <email address hidden> Wed, 19 Sep 2012 13:53:16 -0500

Changed in lightdm-remote-session-uccsconfigure (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.