Please confine guest sessions again

Bug #1742912 reported by Balint Reczey
Affects: lightdm (Ubuntu). Status: Confirmed. Importance: Undecided. Assigned to: Unassigned.

Bug Description

This is a continuation of LP: #1663157 where as a workaround for the guest session not being confined the session got disabled. This bug tracks the fix for proper confinement.

Original bug report text:

Processes launched under a lightdm guest session are not confined by the /usr/lib/lightdm/lightdm-guest-session AppArmor profile in Ubuntu 16.10, Ubuntu 17.04, and Ubuntu Artful (current dev release). The processes are unconfined.

The simple test case is to log into a guest session, launch a terminal with ctrl-alt-t, and run the following command:

 $ cat /proc/self/attr/current

Expected output, as seen in Ubuntu 16.04 LTS, is:

 /usr/lib/lightdm/lightdm-guest-session (enforce)

Running the command inside of an Ubuntu 16.10 and newer guest session results in:

 unconfined

Doug McMahon (mc3man)
Changed in lightdm (Ubuntu):
status: New → Confirmed
Gunnar Hjalmarsson (gunnarhj) wrote :
Open Sense Solutions (opensense) wrote :

Please note that the simple test (cat /proc/self/attr/current) can be misleading.

I tried that in Ubuntu 18.04 (switched to lightdm) and got "(enforce)", but some applications like the file manager could browse other users' home directories. Most applications, including firefox and libreoffice, are restricted. In Xubuntu the file manager is restricted, as is every other application I tried.

Is it possible to just eliminate certain applications or prevent launching applications in specific ways to guarantee a restricted guest session?

Open Sense Solutions (opensense) wrote :

I figured out why the simple test didn't work: when I first installed Ubuntu 18.04, gnome-terminal wouldn't accept any keyboard input. I assumed it was just a pre-alpha bug and installed terminator. Installing terminator made it the default, including launching with ctrl-alt-t, and terminator does get apparmor restricted. When I paste "cat /proc/self/attr/current" into a gnome-terminal it shows unconfined.

tags: added: id-5a57962350afc7d4aa391919
Jarno Suni (jarnos) wrote :

I tested this on Xubuntu 18.04.3, and xfce4-terminal gives the expected output (like xterm as well). I do not see how this should depend on the terminal application used. I guess it is pretty safe to use guest session in Xubuntu.

Jarno Suni (jarnos) wrote :

I installed gnome-terminal and got 'unconfined'. So I could view the home directory of another user, but if the directories had no permissions for the Other group, I could not view the contents in the guest session. So I think a better solution than disabling guest sessions is to make proper default permissions for directories under the /home directory.
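The comments above show that checking only the shell that runs `cat` can miss programs started outside that shell's process tree. The script below is an added example, not code from this bug thread or from lightdm: it applies the same /proc/PID/attr/current check to every process owned by the calling user and lists those not confined by the guest-session profile. Only the profile path comes from the report; the function names and the `guest-audit.sh` filename are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the bug thread or lightdm): audit the AppArmor
# label of every process owned by the current user, not just the shell.
EXPECTED_PROFILE="/usr/lib/lightdm/lightdm-guest-session"   # profile named in the bug

# classify_label LABEL PROFILE
# LABEL is the text of /proc/PID/attr/current. Prints one word:
#   ok          confined by PROFILE in enforce mode (the expected output)
#   complain    PROFILE attached but only logging, not enforcing
#   unconfined  no profile at all (the failure the bug describes)
#   unknown     label could not be read (AppArmor absent or read denied)
#   other       confined by a different profile than PROFILE
classify_label() {
    case "$1" in
        "$2 (enforce)")  echo ok ;;
        "$2 (complain)") echo complain ;;
        unconfined)      echo unconfined ;;
        ""|unknown)      echo unknown ;;
        *)               echo other ;;
    esac
}

# audit_user [PROFILE]: print "<verdict> <pid> <comm>" for every process of
# the calling user whose verdict is not "ok". Exit 0 if all are confined.
audit_user() {
    profile=${1:-$EXPECTED_PROFILE}
    myuid=$(id -u)
    bad=0
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        # real uid is the second field of the "Uid:" line in /proc/PID/status
        uid=$(awk '/^Uid:/ {print $2}' "$p/status" 2>/dev/null) || continue
        [ "$uid" = "$myuid" ] || continue
        label=$(cat "$p/attr/current" 2>/dev/null) || label=unknown
        verdict=$(classify_label "$label" "$profile")
        if [ "$verdict" != ok ]; then
            printf '%s %s %s\n' "$verdict" "$pid" "$(cat "$p/comm" 2>/dev/null)"
            bad=1
        fi
    done
    return $bad
}

# Usage from a guest-session terminal:  sh guest-audit.sh
# Prints nothing and exits 0 when every process of the user is confined.
case "${0##*/}" in guest-audit.sh) audit_user ;; esac
```

A terminal whose own `cat /proc/self/attr/current` reads "(enforce)" next to an unconfined process started another way would show up as a single "unconfined" line here.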

Dave Mellor (davemellor) wrote :

The result on Ubuntu 20.04.1 is 'unconfined'.

Is this bad or to be expected?

I've noticed that Ubuntu 20.04 doesn't seem to handle multiple users well. I have no idea why.

martinr (martinr1111) wrote :

Please be aware that configuring AppArmor for the Firefox snap breaks the guest-account experience in Xubuntu 22.04 LTS with Firefox version 102.0.1 (64-bit), Mozilla Firefox Snap for Ubuntu canonical-002-1.0.
See Bug #1981881.
