Ubuntu
lightdm package

Support a user-session mode for authenticating

Bug #1582242 reported by Michael Terry
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Light Display Manager
Fix Released
Medium
Robert Ancell
Light Display Manager 1.19.2
1.18
Fix Released
Medium
Robert Ancell
Light Display Manager 1.18.3
lightdm (Ubuntu)
Fix Released
High
Robert Ancell
Xenial
Fix Released
High
Robert Ancell
Yakkety
Fix Released
High
Robert Ancell

Bug Description

[Impact]
Ubuntu phone development requires in session greeter functionality to perform suitably. This functionality does not exist in current versions of LightDM.

[Test Case]
1. Install a session that supports in session greeter
2. Log into that session
3. Activate greeter functionality

Expected result:
It works

Observed result:
The functionality is not implemented.

[Regression Potential]
Some risk of changing existing behaviour, reduced by regression tests still passing. Functionality is only enabled for sessions that opt-in to this behaviour so additional security risks is limited to new sessions.

Original description:

We talked about this in person in Prague.

Ideally a greeter could run as in the user's session and act as a lockscreen for the user as well as a way to authenticate/log-in as other users.

This would let us avoid running a whole other session for the greeter on the phone, which is memory intensive.

It might be easiest for unity8 if that API was still just liblightdm, just running in a special mode. But I'm not picky on how it's done.

There may be security questions around this. I asked Jamie and Tyler about it, I'll post any concerns from them.

See original description
Michael Terry (mterry)
Changed in lightdm (Ubuntu):
assignee: nobody → Robert Ancell (robert-ancell)
Robert Ancell (robert-ancell)
Changed in lightdm (Ubuntu):
status: New → Triaged
importance: Undecided → High
status: Triaged → In Progress
Revision history for this message
Robert Ancell (robert-ancell) wrote :

This is now in lp:lightdm. To make an in-session greeter you need to set X-LightDM-Allow-Greeter=true in the session .desktop file. Then you can run a greeter using liblightdm from inside that session.

Only one greeter is allowed at once. Any process from the logged in user can connect (so there is a denial of service risk if the correct process doesn't get the socket first or loses it).

The socket is called /var/run/lightdm/<user>/greeter-socket. For security purposes it's probably worth locking this down with AppArmor rules.

Changed in lightdm (Ubuntu):
status: In Progress → Fix Committed
Robert Ancell (robert-ancell)
Changed in lightdm:
status: New → Fix Committed
milestone: none → 1.19.2
importance: Undecided → Medium
assignee: nobody → Robert Ancell (robert-ancell)
Robert Ancell (robert-ancell)
Changed in lightdm (Ubuntu Xenial):
status: New → Fix Committed
importance: Undecided → Medium
assignee: nobody → Robert Ancell (robert-ancell)
importance: Medium → Critical
importance: Critical → High
description: updated
Robert Ancell (robert-ancell)
Changed in lightdm:
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.19.2-0ubuntu1

---------------
lightdm (1.19.2-0ubuntu1) yakkety; urgency=medium

  * New upstream release:
    * Add support for greeters running inside sessions. This is enabled by
      setting X-LightDM-Allow-Greeter inside the session .desktop file.
      The session can then use liblightdm to connect one greeter to the
      daemon. The communication is done using a socket
      (/var/run/lightdm/<user>/greeter-socket) that is accessible to any
      process run by that user. Consider controlling access to this socket
      using a MAC system such as AppArmor. (LP: #1582242)
    * Report errors for all liblightdm methods. This will require existing
      greeters to update their API usage. The ABI is unchanged.
    * Handle EAGAIN correctly when daemons communicate with the daemon.
    * Drop support for mir-container sessions - no-one ever used these.
  * debian/liblightdm-gobject-1-0.symbols:
    - Updated

 -- Robert Ancell <email address hidden> Wed, 29 Jun 2016 15:29:17 +1200

Changed in lightdm (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Revision history for this message
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Michael, or anyone else affected,

Accepted lightdm into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lightdm/1.18.3-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-needed
Revision history for this message
Michael Terry (mterry) wrote :

Can we not backport 1.19.3? That has a few crashing issues with in-session greeters. There are fixes in trunk though, so 1.19.4 would be better.

Revision history for this message
Robert Ancell (robert-ancell) wrote :

1.18.3 should contain all those changes backported...

Revision history for this message
Robert Ancell (robert-ancell) wrote :

Michael - can you confirm if this is fixed in the SRU?

Revision history for this message
Michael Terry (mterry) wrote :

Oh, I think I remember confirming it at one point yeah.

Robert Ancell (robert-ancell)
tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.18.3-0ubuntu1

---------------
lightdm (1.18.3-0ubuntu1) xenial; urgency=medium

  * New upstream release:
    - Fix error that caused stdin to be closed. This seems to have lots of bad
      side effects (greeter not working correctly, multi-seat failing).
    - Add support for greeters running inside sessions. This is enabled by
      setting X-LightDM-Allow-Greeter inside the session .desktop file.
      The session can then use liblightdm to connect one greeter to the
      daemon. The communication is done using a socket
      (/var/run/lightdm/<user>/greeter-socket) that is accessible to any
      process run by that user. Consider controlling access to this socket
      using a MAC system such as AppArmor. (LP: #1582242)
    - Fix various memory management issues exposed by the use of in-session
      greeters.
  * debian/patches/lp1605117.patch:
    - Applied upstream

 -- Robert Ancell <email address hidden> Fri, 12 Aug 2016 11:37:43 +1200

Changed in lightdm (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Martin Pitt (pitti) wrote : Update Released

The verification of the Stable Release Update for lightdm has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.