desktop-packages team mailing list archive

Thread
Date

[Bug 834079] Re: files written as root to user-controlled folders

To: desktop-packages@xxxxxxxxxxxxxxxxxxx
From: Martin Pitt <martin.pitt@xxxxxxxxxx>
Date: Tue, 13 Sep 2011 11:00:19 -0000
Reply-to: Bug 834079 <834079@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

I can replicate the bug with creating a root owned /rootfile and ln -s
/rootfile ~/.Xauthority. lightdm changes /rootfile then.

Writing ~/.dmrc uses g_file_set_contents() which is safe against symlink
attacks. However, it's still more robust to drop privileges instead of
chown()ing.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/834079

Title:
  files written as root to user-controlled folders

Status in Light Display Manager:
  Triaged
Status in “lightdm” package in Ubuntu:
  In Progress
Status in “lightdm” source package in Oneiric:
  In Progress
Status in “lightdm” package in Debian:
  Confirmed

Bug description:
  Hey,

  as you were on CC: I guess you're already aware, but reporting so it
  can be tracked upstream.

  Short version: http://seclists.org/oss-sec/2011/q3/393

  Long version: .dmrc and Xauthority files are written by lightdm
  running as root while they're in user controlled folders. An user can,
  via a symlink, overwrite root-owned files. It doesn't look like it can
  achieve easily privilege-escalation (since the content is quite fixed)
  but it's still bad.

  Basically the correct fix seems to have workers process which would
  setuid() to the user before writing content to those files.

  CVE-2011-3349

To manage notifications about this bug go to:
https://bugs.launchpad.net/lightdm/+bug/834079/+subscriptions