lightdm no longer runs guest session through wrapper

I confirm this, it seems the AppArmor profile isn't being applied by lightdm.

Looks like create_guest_session() in seat.c is using the session-wrapper config instead of using lightdm-guest-session-wrapper.

Nothing seems to be honouring the disable-guest-wrapper config item anymore either.

Enabling the guest account wrapper will likely block guest access to dbus, since the guest AppArmor profile doesn't seem to have been adjusted. We'll probably need to also add the following to data/apparmor/abstractions/lightdm:

  # Allow all DBus communications
  dbus,

On 2013-10-22 18:46:37, Marc Deslauriers wrote:
> We'll probably need to also add the following to
> data/apparmor/abstractions/lightdm:
>
> # Allow all DBus communications
> dbus,

After giving this some more thought, it is best to include the dbus
abstractions:

  # Allow all DBus communications
  #include <abstractions/dbus>
  #include <abstractions/dbus-session>
  #include <abstractions/dbus-accessibility>

This is needed because <abstractions/dbus> grants access to UNIX domain
socket for the system bus.

I was wondering if we even wanted to grant access to the system bus from the confined guest account -- why not just session and accessibility?

Thanks

I don't believe you can actually run a desktop without accessing the system bus.

I think the approach here is correct for now, especially for this security update-- get the guest account confined with apparmor without dbus mediation (and remember the system bus will have policykit in effect too). This is what we did for other applications in Ubuntu in 13.10; we can examine more strict confinement going forward.

This is CVE-2013-4459

bug 1243801 is likely a side effect for the lack of dbus permissions in the AppArmor profile.

This is due to a change in lightdm 1.7.5 - the guest wrapper is now configurable and the Ubuntu package was not setting it.

The solution is to add a file into /etc/lightdm/lightdm.conf.d to set this, i.e.:

$ bzr diff
=== added file 'debian/50-guest-wrapper.conf'
--- debian/50-guest-wrapper.conf 1970-01-01 00:00:00 +0000
+++ debian/50-guest-wrapper.conf 2013-10-27 04:36:08 +0000
@@ -0,0 +1,2 @@
+[SeatDefaults]
+guest-wrapper=/usr/lib/lightdm/lightdm/lightdm-greeter-session

=== modified file 'debian/changelog'
--- debian/changelog 2013-10-16 02:54:44 +0000
+++ debian/changelog 2013-10-27 04:36:25 +0000
@@ -1,3 +1,10 @@
+lightdm (1.8.2-0ubuntu1) UNRELEASED; urgency=low
+
+ * debian/50-guest-wrapper.conf:
+ - Configure guest session wrapper to use
+
+ -- Robert Ancell <email address hidden> Sun, 27 Oct 2013 17:34:20 +1300
+
 lightdm (1.8.2-0ubuntu1) saucy; urgency=low

   * New upstream release:

=== modified file 'debian/lightdm.install'
--- debian/lightdm.install 2013-07-16 23:36:16 +0000
+++ debian/lightdm.install 2013-10-27 04:36:08 +0000
@@ -14,3 +14,4 @@
 debian/source_lightdm.py usr/share/apport/package-hooks
 debian/50-xserver-command.conf etc/lightdm/lightdm.conf.d
 debian/50-greeter-wrapper.conf etc/lightdm/lightdm.conf.d
+debian/50-guest-wrapper.conf etc/lightdm/lightdm.conf.d

Note that disable-guest-wrapper is no longer supported or required - this was needed when the guest wrapper was hard-coded into LightDM. Now it is configurable the tests can run without this option.

Argh, no the intention is to have this configurable. On closer inspection this wasn't implemented. Branch in progress...

I have the guest wrapper working in lp:~robert-ancell/lightdm/guest-wrapper but Unity fails to start. Perhaps the AppArmor rule need updating too...

The AppArmor abstraction needs some updates due to AppArmor mediation changes that happened in Saucy. I need to do a little more testing with the policy changes and then I'll push an updated branch.

I pushed my branch with the AppArmor changes to lp:~tyhicks/lightdm/guest-wrapper-with-apparmor-changes and proposed a merge into Robert's branch.

I manually tested the guest session by viewing pages in firefox and chromium-browser, opening libreoffice, printing to a PDF, and viewing the PDF with evince.

I'm not sure how to test the remote sessions. Is that something you could do, Robert?

David Barth - can you confirm remote logins work in 13.10 with lp:lightdm?

That should be lp:~robert-ancell/lightdm/guest-wrapper, not lp:lightdm

Le 29/10/2013 10:04, Robert Ancell a écrit :
> That should be lp:~robert-ancell/lightdm/guest-wrapper, not lp:lightdm
Ok, will try that one

Fix committed into lp:lightdm at revision 1832, scheduled for release in lightdm, milestone Unknown

This bug was fixed in the package lightdm - 1.9.2-0ubuntu1

---------------
lightdm (1.9.2-0ubuntu1) trusty; urgency=low

  * New upstream release:
    - Implement missing guest-wrapper functionality and enable it for Ubuntu.
    - Update AppArmor scripts to work in Ubuntu 13.10.
      (LP: #1243339)
 -- Robert Ancell <email address hidden> Wed, 30 Oct 2013 15:35:23 -0700

This bug was fixed in the package lightdm - 1.8.4-0ubuntu1

---------------
lightdm (1.8.4-0ubuntu1) saucy-security; urgency=low

  [ Marc Deslauriers ]
  * SECURITY UPDATE: improper guest account confinement (LP: #1243339)
    - CVE-2013-4459

  [ Robert Ancell ]
  * New upstream release:
    - Implement missing guest-wrapper functionality and enable it for Ubuntu.
    - Update AppArmor scripts to work in Ubuntu 13.10. (LP: #1243339)
  * debian/50-guest-wrapper.conf:
    - Configure guest session wrapper to use

lightdm (1.8.3-0ubuntu1) saucy; urgency=low

  * New upstream release:
    - Correctly set $XDG_SESSION_CLASS for greeters. This was regressed in 1.7.5
      for ConsoleKit and was never passed to logind. logind/ConsoleKit treat
      greeter sessions without this set as user sessions. This causes greeters
      to show the lightdm user able to be logged in with.
      (LP: #1242939)
    - Set $USER when running the session-setup-script. This is a regression from
      1.7.5. (LP: #1245957)
    - Fix notification of sessions being logged out. This is a regression from
      1.7.5 and caused greeters to show sessions logged in after they had been
      logged out. (LP: #1245295)
 -- Marc Deslauriers <email address hidden> Mon, 04 Nov 2013 13:35:26 -0500