Unity Greeter

Merge lp:~khurshid-alam/unity-greeter/systemd-240-fix into lp:unity-greeter

  1. systemd-240-fix
  2. Merge into trunk
Proposed by Khurshid Alam
Status: Merged
Merge reported by: Sebastien Bacher
Merged at revision: not available
Proposed branch: lp:~khurshid-alam/unity-greeter/systemd-240-fix
Merge into: lp:unity-greeter
Diff against target: 36 lines (+24/-2)
1 file modified
src/unity-greeter.vala (+24/-2)
To merge this branch: bzr merge lp:~khurshid-alam/unity-greeter/systemd-240-fix
Reviewer Review Type Date Requested Status
Sebastien Bacher Approve
Robert Ancell Approve
Seth Arnold (community) Approve
Marco Trevisan (Treviño) Pending
Review via email: mp+362993@code.launchpad.net

Commit message

According to systemd-dev,

"mlockall() is generally a bad idea and certainly has no place in a graphical program.
A program like this uses lots of memory and it is crucial that this memory can be paged
out to relieve memory pressure."

With systemd version 239 the ulimit for RLIMIT_MEMLOCK was set to 16 MiB
and therefore the mlockall call would fail. This is lucky becasue the subsequent mmap would not fail.

With systemd version 240 the RLIMIT_MEMLOCK is now set to 64 MiB
and now the mlockall no longer fails. However, it not possible to mmap in all
the memory and because that would still exceed the MEMLOCK limit.
"
See https://bugzilla.redhat.com/show_bug.cgi?id=1662857 &
https://github.com/CanonicalLtd/lightdm/issues/55

RLIMIT_MEMLOCK = 64 MiB means, unity-greeter will most likely fail with 64 bit and
will always fail on 32 bit systems.

To post a comment you must log in.
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Removing mlockall() makes sense. It'd be best to replace it with an explicit mlock for the memory that contains the password, and any other memory that may reflect an interaction with the password, as well as use memset_s() or similar standards-level memory clearing functions once the password is no longer needed.

Encrypted swap would also be worthwhile.

But this fix doesn't need to wait for these other mitigations to be put in place.

Thanks

review: Approve
Revision history for this message
Robert Ancell (robert-ancell) wrote :

I'm happy if security is happy.

review: Approve
Revision history for this message
Robert Ancell (robert-ancell) wrote :

@seth-arnold - does removing this call from the daemon (https://github.com/CanonicalLtd/lightdm/issues/55) also make sense?

Revision history for this message
Alberts Muktupāvels (muktupavels) wrote :

Should not it be better to simply remove this then? Not add big comment and comment out code...

Revision history for this message
Seth Arnold (seth-arnold) wrote :

Robert, how much memory does the daemon process take?

I also agree it'd be better to just delete one line than add a dozen lines of comments. I figured whoever did the work would probably reach the same conclusion independently.

Thanks

Revision history for this message
Robert Ancell (robert-ancell) wrote :

In 16.04 LTS lightdm is using about 350MB.

Revision history for this message
Sebastien Bacher (seb128) wrote :

setting as merged but I uploaded a version deleting the lines rather than commenting

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'src/unity-greeter.vala'
2--- src/unity-greeter.vala 2016-11-08 23:15:47 +0000
3+++ src/unity-greeter.vala 2019-02-11 17:17:50 +0000
4@@ -540,8 +540,30 @@
5
6 public static int main (string[] args)
7 {
8- /* Protect memory from being paged to disk, as we deal with passwords */
9- Posix.mlockall (Posix.MCL_CURRENT | Posix.MCL_FUTURE);
10+ /* Protect memory from being paged to disk, as we deal with passwords
11+
12+ According to systemd-dev,
13+
14+ "mlockall() is generally a bad idea and certainly has no place in a graphical program.
15+ A program like this uses lots of memory and it is crucial that this memory can be paged
16+ out to relieve memory pressure."
17+
18+ With systemd version 239 the ulimit for RLIMIT_MEMLOCK was set to 16 MiB
19+ and therefore the mlockall call would fail. This is lucky becasue the subsequent mmap would not fail.
20+
21+ With systemd version 240 the RLIMIT_MEMLOCK is now set to 64 MiB
22+ and now the mlockall no longer fails. However, it not possible to mmap in all
23+ the memory and because that would still exceed the MEMLOCK limit.
24+ "
25+ See https://bugzilla.redhat.com/show_bug.cgi?id=1662857 &
26+ https://github.com/CanonicalLtd/lightdm/issues/55
27+
28+ RLIMIT_MEMLOCK = 64 MiB means, unity-greeter will most likely fail with 64 bit and
29+ will always fail on 32 bit systems.
30+
31+ Hence we better disable it. */
32+
33+ /*Posix.mlockall (Posix.MCL_CURRENT | Posix.MCL_FUTURE);*/
34
35 /* Disable the stupid global menubar */
36 Environment.unset_variable ("UBUNTU_MENUPROXY");

Subscribers

People subscribed via source and target branches