This bug was fixed in the package lightdm - 1.1.6-0ubuntu1
---------------
lightdm (1.1.6-0ubuntu1) precise; urgency=low
* Upload the new version to Ubuntu
* Reshuffle a bit the vcs to use merge upstream correctly
[ Robert Ancell ]
* New upstream release:
- Fix session wrapper working the same as it did in 1.1.3 (lp: #944736)
- Stop file descriptors leaking into the session processes (lp: #927060)
[ Martin Pitt ]
* debian/control: Fix liblightdm-gobject-1-doc architecture to "all".
-- Sebastien Bacher <[email protected]> Tue, 06 Mar 2012 13:45:29 +0100
** Changed in: lightdm (Ubuntu Precise)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/927060
Title:
lightdm leaks FDs to child processes
Status in Light Display Manager:
Fix Released
Status in “lightdm” package in Ubuntu:
Fix Released
Status in “lightdm” source package in Oneiric:
Fix Released
Status in “lightdm” source package in Precise:
Fix Released
Status in “lightdm” package in Debian:
Confirmed
Bug description:
affects lightdm
affects debian
security yes
summary "lightdm leaks FDs to child processes"
done
tag 658678 security
thanks
On dim., 2012-02-05 at 00:27 -0500, Austin Clements wrote:
> Package: lightdm
> Version: 1.0.6-3
> Severity: normal
>
> Dear Maintainer,
>
> lightdm appears to leak several file descriptors to the child process
> it creates for the session, which propagate to nearly every process
> running in an interactive session.
>
> For example, running ls -l /proc/self/fd from a terminal in X yields
>
> lrwx------ 1 amdragon amdragon 64 Feb 4 23:52 0 -> /dev/pts/15
> lrwx------ 1 amdragon amdragon 64 Feb 4 23:52 1 -> /dev/pts/15
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 13 -> pipe:[10098]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 14 -> pipe:[10098]
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 15 -> pipe:[10099]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 16 -> pipe:[10099]
> lrwx------ 1 amdragon amdragon 64 Feb 4 23:52 2 -> /dev/pts/15
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 3 -> /proc/27874/fd/
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 4 -> pipe:[9306]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 5 -> pipe:[9306]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 6
> -> /var/log/lightdm/lightdm.log
>
> FDs 4 through 16 were inherited from the lightdm process, as can be
> seen from its open FDs,
>
> $ sudo ls -l /proc/`pidof lightdm`/fd
> total 0
> lrwx------ 1 root root 64 Feb 4 23:54 0 -> /dev/null
> lrwx------ 1 root root 64 Feb 4 23:54 1 -> /dev/null
> lr-x------ 1 root root 64 Feb 4 23:54 10 -> pipe:[9315]
> l-wx------ 1 root root 64 Feb 4 23:54 11 -> pipe:[9315]
> lrwx------ 1 root root 64 Feb 4 23:54 12 -> socket:[10302]
> lr-x------ 1 root root 64 Feb 4 23:54 13 -> pipe:[10098]
> l-wx------ 1 root root 64 Feb 4 23:54 14 -> pipe:[10098]
> lr-x------ 1 root root 64 Feb 4 23:54 15 -> pipe:[10099]
> l-wx------ 1 root root 64 Feb 4 23:54 16 -> pipe:[10099]
> lrwx------ 1 root root 64 Feb 4 23:54 17 -> socket:[10101]
> lrwx------ 1 root root 64 Feb 4 23:54 2 -> /dev/null
> lrwx------ 1 root root 64 Feb 4 23:54 3 -> anon_inode:[eventfd]
> lr-x------ 1 root root 64 Feb 4 23:54 4 -> pipe:[9306]
> l-wx------ 1 root root 64 Feb 4 23:54 5 -> pipe:[9306]
> l-wx------ 1 root root 64 Feb 4 23:54 6
> -> /var/log/lightdm/lightdm.log
> lrwx------ 1 root root 64 Feb 4 23:54 7 -> anon_inode:[eventfd]
> lrwx------ 1 root root 64 Feb 4 23:54 8 -> socket:[8076]
> lrwx------ 1 root root 64 Feb 4 23:54 9 -> anon_inode:[eventfd]
>
> FD 6 is particularly worrisome, as it allows any process to write to
> the root-owned lightdm log.
>
> It might be relevant that I use an .xsession script and Xmonad with no
> desktop environment.
Yep, you seem to be right. I don't inherit them in all my processes, but
indeed xfce4-session has them. Forwarding to upstream and tagging
security.
I'm not completely sure what are the security impact right now as I
don't exactly know what the relevant “shared” fd except the lightdm.log.
There's one where the pipe is opened by Xorg too but that might be
normal.
Regards,
--
Yves-Alexis
To manage notifications about this bug go to:
https://bugs.launchpad.net/lightdm/+bug/927060/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
