[Desktop-packages] [Bug 882862] Re: Guest account can read/write in /media/
precise got a new version now, should be fixed there:

lightdm (1.1.1-0ubuntu1) precise; urgency=low

  * New upstream release:
  * Support PAM requesting a change of password (lp: #911597)
  * Support for reading users' backgrounds from Accounts Service (lp: #844081)
  * Switching to a user without a password bypasses the greeter (lp: #861177)
  * Move the GTK+ and Qt greeters into their own projects
  * Drop the gtk and qt greeters packaging files from this source
  * debian/liblightdm-gobject-1-0.symbols:
    - list new lightdm_user_get_background symbol
  * debian/patches/04_CVE-2011-4105.patch,
    debian/patches/05_CVE-2011-3153.patch,
    debian/patches/09_show_lang_chooser_option.patch,
    debian/patches/10_available_languages.patch,
    debian/patches/11_set_language_in_accountsservice.patch:
    - dropped, those issues are fixed in the new version or apply to the
      gtk greeter which is moved to its own source
  * debian/rules:
    - install lightdm-set-defaults back to its previous location

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-3153

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4105

** Changed in: lightdm (Ubuntu)
       Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/882862

Title:
  Guest account can read/write in /media/

Status in “lightdm” package in Ubuntu:
  Fix Released

Bug description:
  The guest account can everything under /media/.

  Is the guest account really supposed to be able to access and read all
  the files on the host computer?

  If yes, then is the guest account really really supposed to be able to
  write to /media/ ?

  Shouldn't the guest be limited to his temporary home in /tmp/ ?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/882862/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 882862] Re: Guest account can read/write in /media/
Martin

> There might be scenarios where the current behaviour is expected, but
> as I said this sounds like a corner case.

Yes, there are cases where this behavior is semi-desired.

Example, I have a party at my house, and I want my guests to be able to
change music and do stuff like check their Facebook. So I login with the
guest account, since I don't want my guests to use my account.

But in this scenario, I would like the guest account to have read-only
access to /media/Music/ so that music can be played from the guest
account.
Re: [Desktop-packages] [Bug 882862] Re: Guest account can read/write in /media/
Fred [2011-11-02 20:23 -]:
> Martin,
> What do you mean with "This would break desired access..." ?

There might be scenarios where the current behaviour is expected, but as
I said this sounds like a corner case.

> The fix committed, is it a proper solution to the problem, or is it just
> a dirty quick fix?

It's a proper solution, from my POV.

> Shouldn't USB sticks be mounted in /mnt/ as they're probably just
> temporarily mounted?

No, /media/ is meant for this kind of devices. /mnt is meant for
administrators and manual mounting.

>
> http://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard
> /media/ Mount points for removable media such as CD-ROMs
> (appeared in FHS-2.3).
> /mnt/ Temporarily mounted filesystems.

That's right, but as you have your drives in /etc/fstab, Ubuntu obviously
should respect that. Manual entries in fstab trump all default policies :)
[Desktop-packages] [Bug 882862] Re: Guest account can read/write in /media/
Martin,

What do you mean with "This would break desired access..." ?

The fix committed, is it a proper solution to the problem, or is it just
a dirty quick fix?

Shouldn't USB sticks be mounted in /mnt/ as they're probably just
temporarily mounted?

http://en.wikipedia.org/wiki/Filesystem_Hierarchy_Standard

  /media/  Mount points for removable media such as CD-ROMs
           (appeared in FHS-2.3).
  /mnt/    Temporarily mounted filesystems.
[Desktop-packages] [Bug 882862] Re: Guest account can read/write in /media/
** Branch linked: lp:lightdm
[Desktop-packages] [Bug 882862] Re: Guest account can read/write in /media/
Fixed in trunk r1295.

** Changed in: lightdm (Ubuntu)
       Status: New => Fix Committed
[Desktop-packages] [Bug 882862] Re: Guest account can read/write in /media/
Originally we deliberately allowed that so that guest users can use a USB
stick to do things like editing documents there or keeping their firefox
config. See the profile:

  /media/** rmwlixk,  # we want access to USB sticks and the like

However, this should certainly be limited to the guest user's own
devices. We already shield users from each other by mounting VFAT devices
with dmask=0077, and ext4 devices have their own ACLs anyway. That of
course breaks down if you have custom /etc/fstab rules which allow anyone
to write there.

I think we can tighten this up with

  owner /media/** rmwlixk,

This would break desired access to e.g. ext4 external hard disks, but
that might be a smaller use case.
[Desktop-packages] [Bug 882862] Re: Guest account can read/write in /media/
Hey Martin, do you have an opinion on whether that should be blocked or
not?

** Changed in: lightdm (Ubuntu)
     Assignee: (unassigned) => Martin Pitt (pitti)

** Changed in: lightdm (Ubuntu)
       Status: Incomplete => New

** Changed in: lightdm (Ubuntu)
   Importance: Undecided => Medium
[Desktop-packages] [Bug 882862] Re: Guest account can read/write in /media/
No, if the guest plugs in his or her own USB flash memory then it should
be readable and writeable by the guest.

The problem is that the guest can read, write and erase the data on the
system if the disk partitions are mounted.

Disk partitions get mounted in subdirectories of /media, and they're both
readable and writeable by the guest.

Excerpt from /etc/fstab:

  /dev/sdb1 /media/Windows ntfs-3g quiet,defaults,locale=en_US.utf8,umask=0 0 0
  /dev/sdb5 /media/Music   ntfs-3g quiet,defaults,locale=en_US.utf8,umask=0 0 0
  /dev/sdb6 /media/Movies  ntfs-3g quiet,defaults,locale=en_US.utf8,umask=0 0 0
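Added example, not part of the original thread and not lightdm or AppArmor code: a small Python model of how the fstab entries above interact with the two profile rules discussed in this thread, `/media/** rmwlixk,` and `owner /media/** rmwlixk,`. Assumptions: the guest uid (115) and the two VFAT lines are constructed, a mount with no uid= option is owned by root, vfat without a mask option gets root's usual 0022, and group membership is ignored.

```python
# Added example: model guest write access to /media mounts under both rules.
# Default masks when no umask/dmask is given; the vfat value is an assumption
# (it follows the mounting process, modelled here as root with umask 0022).
MASK_DEFAULT = {"ntfs-3g": "0", "vfat": "0022", "msdos": "0022"}
GUEST_UID = 115  # constructed value for the guest session's uid

# The first three entries are the fstab excerpt from this thread. The last two
# are constructed lines modelling automounted VFAT sticks with dmask=0077.
SAMPLE_FSTAB = """\
/dev/sdb1 /media/Windows ntfs-3g quiet,defaults,locale=en_US.utf8,umask=0 0 0
/dev/sdb5 /media/Music ntfs-3g quiet,defaults,locale=en_US.utf8,umask=0 0 0
/dev/sdb6 /media/Movies ntfs-3g quiet,defaults,locale=en_US.utf8,umask=0 0 0
/dev/sdc1 /media/guest-usb vfat uid=115,dmask=0077,fmask=0177 0 0
/dev/sdd1 /media/other-usb vfat uid=1000,dmask=0077,fmask=0177 0 0
"""

def guest_write_access(fstab_text, guest_uid):
    """Return {mountpoint: {'plain_rule': bool, 'owner_rule': bool}}.

    plain_rule: guest can write with '/media/** rmwlixk,' (only the mount's
                permission bits decide).
    owner_rule: guest can write with 'owner /media/** rmwlixk,' (the files
                must also be owned by the guest's uid).
    """
    result = {}
    for line in fstab_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 4 or not fields[1].startswith("/media/"):
            continue
        mountpoint, fstype = fields[1], fields[2]
        if fstype not in MASK_DEFAULT:
            continue  # ext4 etc. carry real on-disk ownership; not modelled
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        mask = int(opts.get("dmask") or opts.get("umask")
                   or MASK_DEFAULT[fstype], 8)
        is_owner = int(opts.get("uid") or 0) == guest_uid
        # Pick the owner triplet if the guest owns the mount, else 'other'.
        bits = (0o777 & ~mask) >> (6 if is_owner else 0) & 0o7
        can_write = bool(bits & 0o2)
        result[mountpoint] = {"plain_rule": can_write,
                              "owner_rule": can_write and is_owner}
    return result

if __name__ == "__main__":
    for mnt, v in guest_write_access(SAMPLE_FSTAB, GUEST_UID).items():
        print(f"{mnt:18} plain={v['plain_rule']!s:5} owner={v['owner_rule']}")
```

The umask=0 partitions are writable by the guest only under the plain rule; the guest's own stick stays writable under both, and another user's dmask=0077 stick under neither.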
[Desktop-packages] [Bug 882862] Re: Guest account can read/write in /media/
Hi Fred - Thanks for taking the time to file this bug report.

If your concern is only about the /media directory, the guest user should
be able to read and search that directory. The guest account should not
be able to write to that directory. I've verified that to be the case on
several freshly installed Oneiric systems.

However, I suspect your concern is about the guest account being able to
read and write to USB storage devices that are mounted inside the /media
directory (/media/2DC0-D277/, for example). Is this correct?

** Package changed: ubuntu => lightdm (Ubuntu)

** Changed in: lightdm (Ubuntu)
       Status: New => Incomplete