lightdm does not provide an equivalent to the gdm guest session AppArmor profile

Bug #849027 reported by Jamie Strandboge
This bug affects 3 people
Affects               | Status       | Importance | Assigned to   | Milestone
Light Display Manager | Fix Released | Undecided  | Robert Ancell |
lightdm (Ubuntu)      | Fix Released | Critical   | Martin Pitt   |
Oneiric               | Fix Released | Critical   | Martin Pitt   |

Bug Description

In all recent releases of Ubuntu, gdm provided an AppArmor profile for /usr/share/gdm/guest-session/Xsession in /etc/apparmor.d/gdm-guest-session to confine the guest user. LightDM should do the same.

tags: added: regression-release
Martin Pitt (pitti) wrote :

Robert, can we just copy the profile from gdm-guest-session and provide a similar wrapper?

Changed in lightdm (Ubuntu Oneiric):
assignee: nobody → Robert Ancell (robert-ancell)
assignee: Robert Ancell (robert-ancell) → nobody
status: New → Triaged
importance: Undecided → High
assignee: nobody → Robert Ancell (robert-ancell)
tags: added: rls-mgr-o-tracking
Robert Ancell (robert-ancell) wrote :

I can't remember offhand what the exact reason was, but when I was pulling the rules across it needed a wrapper script somewhere that lightdm didn't provide. I'll have another look and see if it works now if no-one beats me to it.

Robert Ancell (robert-ancell) wrote :

This will have to be fixed post B2.

Martin Pitt (pitti) wrote :

This is a major release blocker. We already opened up the guest session to not require a previous login, so now being able to access other home directories is a nasty security regression. I'll have a stab at this.

security vulnerability: no → yes
Changed in lightdm (Ubuntu Oneiric):
milestone: none → ubuntu-11.10
importance: High → Critical
status: Triaged → In Progress
assignee: Robert Ancell (robert-ancell) → Martin Pitt (pitti)
Martin Pitt (pitti)
Changed in lightdm (Ubuntu Oneiric):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.0.0-0ubuntu4

---------------
lightdm (1.0.0-0ubuntu4) oneiric; urgency=low

  * Add 01_guest_session_lockdown.patch: Lock down guest session with an
    AppArmor profile. This uses the very same approach as gdm-guest-session,
    and copies the profile from it. (LP: #849027)
  * 03_launch_dbus.patch: Refresh.
  * debian/lightdm.install: Install AppArmor profile.
 -- Martin Pitt <email address hidden> Fri, 30 Sep 2011 17:30:56 +0200

Changed in lightdm (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Reopening. The patch got correctly merged into trunk:

  http://bazaar.launchpad.net/~lightdm-team/lightdm/trunk/revision/1242

but only the second commit in my branch got merged into 1.0:

  http://bazaar.launchpad.net/~lightdm-team/lightdm/1.0/revision/1233

so we need the wrapper part back as a patch.

Changed in lightdm (Ubuntu Oneiric):
status: Fix Released → In Progress
Martin Pitt (pitti) wrote :

Robert, can you please fix the 1.0 branch to add the missing commit from trunk?

Changed in lightdm:
assignee: nobody → Robert Ancell (robert-ancell)
status: New → Confirmed
Martin Pitt (pitti) wrote :

Uploaded.

Changed in lightdm (Ubuntu Oneiric):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.0.1-0ubuntu5

---------------
lightdm (1.0.1-0ubuntu5) oneiric; urgency=low

  * Add debian/patches/00bzr_guest_session_wrapper.diff: Add back the guest
    session wrapper part that was uploaded in 1.0.0-0ubuntu4. The patch was
    correctly merged into trunk, but the 1.0 branch backport missed this
    wrapper part and thus broke AppArmor protection entirely. (LP: #849027)
 -- Martin Pitt <email address hidden> Fri, 07 Oct 2011 11:47:36 +0200

Changed in lightdm (Ubuntu Oneiric):
status: Fix Committed → Fix Released
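
The failure mode in the changelog above (profile installed, but the session never started through the wrapper, so nothing was confined) can be checked at runtime by reading each guest process's AppArmor label. This is an added example, not part of the bug report or of lightdm; the profile name `example-guest-profile`, the PIDs and the `GUEST_USER` variable are constructed placeholders.

```shell
#!/bin/sh
# Added example. Labels follow the AppArmor /proc/<pid>/attr/current format:
# "unconfined" or "<profile> (<mode>)".

# Print the confinement state encoded in one label.
classify_label() {
    case "$1" in
        unconfined)     echo unconfined ;;
        *" (enforce)")  echo enforce ;;
        *" (complain)") echo complain ;;
        *)              echo unknown ;;
    esac
}

# Emit "PID LABEL" for every process owned by user $1 (run as root).
collect_labels() {
    for pid in $(pgrep -u "$1"); do
        label=$(cat "/proc/$pid/attr/current" 2>/dev/null) || continue
        echo "$pid $label"
    done
}

# Read "PID LABEL" lines on stdin; print each PID that is not in enforce
# mode together with its state. Returns 1 if any such process was seen.
audit_labels() {
    bad=0
    while read -r pid label; do
        [ -n "$pid" ] || continue
        state=$(classify_label "$label")
        if [ "$state" != enforce ]; then
            echo "$pid $state"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: two confined processes, one that escaped the
# profile, and one running under a profile left in complain mode.
SAMPLE='2101 example-guest-profile (enforce)
2102 example-guest-profile (enforce)
2140 unconfined
2155 example-guest-profile (complain)'

# Live use (GUEST_USER is a placeholder for the guest account name):
#   collect_labels "$GUEST_USER" | audit_labels
printf '%s\n' "$SAMPLE" | audit_labels || echo "guest session is not fully confined"
```

A loaded profile alone proves nothing here: the check has to look at the labels of the running session, since the regression left the profile in place while every guest process ran unconfined.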
Robert Ancell (robert-ancell) wrote :

Whoops, I think I screwed up the -r option to bzr :( Should be fixed in 1.0.3

Changed in lightdm:
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
