Added a 11.10 milestone since I don't know when this is planning on
getting fixed, but we definitely don't want to release with this (as I'm
sure we all agree :).
** Changed in: lightdm (Ubuntu Oneiric)
Status: New => Triaged
** Changed in: lightdm (Ubuntu Oneiric)
Milestone: None => ubuntu-11.10
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/834079
Title:
files written as root to user-controlled folders
Status in Light Display Manager:
Triaged
Status in “lightdm” package in Ubuntu:
Triaged
Status in “lightdm” source package in Oneiric:
Triaged
Status in “lightdm” package in Debian:
Confirmed
Bug description:
Hey,
as you were on CC: I guess you're already aware, but reporting so it
can be tracked upstream.
Short version: http://seclists.org/oss-sec/2011/q3/393
Long version: .dmrc and Xauthority files are written by lightdm
running as root while they're in user controlled folders. An user can,
via a symlink, overwrite root-owned files. It doesn't look like it can
achieve easily privilege-escalation (since the content is quite fixed)
but it's still bad.
Basically the correct fix seems to have workers process which would
setuid() to the user before writing content to those files.
There's no CVE affected yet.
To manage notifications about this bug go to:
https://bugs.launchpad.net/lightdm/+bug/834079/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
