
touch-packages team mailing list archive

[Bug 1392380] Re: OA gives out all tokens to any app

 

Just to add some more information in order to have a clearer idea of
the seriousness of this bug: accounts which are created when the signon-
apparmor-extension is installed will work fine: apps won't be able to
abuse them.

This bug only affects the accounts which were created when the extension
was not installed: even if the extension gets installed later on, the
ACL checks will be bypassed and any app can get access to any account.

Fixing this bug will make all accounts (regardless of when they were
created) be protected by the ACL once the signon-apparmor-extension is
installed.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to signon in Ubuntu.
https://bugs.launchpad.net/bugs/1392380

Title:
  OA gives out all tokens to any app

Status in “signon” package in Ubuntu:
  Confirmed

Bug description:
  The attached app will steal all your tokens. All it takes is the
  "accounts" permission in the apparmor file.

  Here's the code: https://pastebin.canonical.com/120398/
