[Touch-packages] [Bug 1742912] Re: Please confine guest sessions again
Please be aware when configuring app-armor of the Firefox snap, that breaks the guest-account experience in Xubuntu 22.04 LTS with Firefox version: 102.0.1 (64-bit), Mozilla Firefox Snap for Ubuntu canonical-002-1.0. See Bug #1981881.

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1742912

Title:
  Please confine guest sessions again

Status in lightdm package in Ubuntu:
  Confirmed

Bug description:
  This is a continuation of LP: #1663157 where as a workaround for the guest session not being confined the session got disabled. This bug tracks the fix for proper confinement.

  Original bug report text:

  Processes launched under a lightdm guest session are not confined by the /usr/lib/lightdm/lightdm-guest-session AppArmor profile in Ubuntu 16.10, Ubuntu 17.04, and Ubuntu Artful (current dev release). The processes are unconfined.

  The simple test case is to log into a guest session, launch a terminal with ctrl-alt-t, and run the following command:

   $ cat /proc/self/attr/current

  Expected output, as seen in Ubuntu 16.04 LTS, is:

   /usr/lib/lightdm/lightdm-guest-session (enforce)

  Running the command inside of an Ubuntu 16.10 and newer guest session results in:

   unconfined

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1742912/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1742912] Re: Please confine guest sessions again
The result on Ubuntu 20.04.1 is 'unconfined'. Is this bad or to be expected? I've noticed that Ubuntu 20.04 doesn't seem to handle multiple users well. I have no idea why.
[Touch-packages] [Bug 1742912] Re: Please confine guest sessions again
I installed gnome-terminal and got 'unconfined'. So I could view the home directory of another user, but if the directories had no permissions for Other group, I could not view the contents in guest session. So I think a better solution than disabling guest sessions is to make proper default permissions for directories under /home directory.
[Touch-packages] [Bug 1742912] Re: Please confine guest sessions again
I tested this on Xubuntu 18.04.3, and xfce4-terminal gives the expected output (like xterm as well). I do not see how this should depend on the terminal application used. I guess it is pretty safe to use guest session in Xubuntu.
[Touch-packages] [Bug 1742912] Re: Please confine guest sessions again
** Tags added: id-5a57962350afc7d4aa391919
[Touch-packages] [Bug 1742912] Re: Please confine guest sessions again
I figured out why the simple test didn't work - when I first installed Ubuntu 18.04, gnome-terminal wouldn't accept any keyboard input, so I assumed it was just a pre-alpha bug and installed terminator. Installing terminator switched itself to the default, including launching with ctrl-alt-t, and terminator does get apparmor restricted. When I paste "cat /proc/self/attr/current" into a gnome-terminal it shows unconfined.
[Touch-packages] [Bug 1742912] Re: Please confine guest sessions again
Please note that the simple test (cat /proc/self/attr/current) can be misleading. I tried that in Ubuntu 18.04 (switched to lightdm) and got "(enforce)" but some applications like the file manager could browse other users' home directories. Most applications including firefox and libreoffice are restricted. In Xubuntu the file manager is restricted as well as every other application I tried. Is it possible to just eliminate certain applications or prevent launching applications in specific ways to guarantee a restricted guest session?
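
A per-process form of the check discussed in this thread, added here as an example; it is not part of any message above and not lightdm's own code. It reads the AppArmor label of every process owned by one UID rather than only the shell's own label; the script name, the argument order and the exact-match rule are assumptions of this example.

```shell
#!/bin/sh
# Added example: report every process of one user whose AppArmor label is
# not the expected profile in enforce mode.
# Usage (hypothetical script name): sh audit_labels.sh UID [PROFILE]
# Run as root so that other users' attr/current files are readable.

# Profile path as quoted in the bug description; override with argument 2.
DEFAULT_PROFILE=/usr/lib/lightdm/lightdm-guest-session

# audit_labels PROC_ROOT UID PROFILE
# Prints "PID COMM LABEL" for each process of UID that is not confined by
# PROFILE in enforce mode. Returns 0 if every process matches, 1 otherwise.
audit_labels() {
    proc_root=$1
    uid=$2
    want="$3 (enforce)"
    bad=0
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/status" ] || continue
        # The first value on the "Uid:" line is the real UID of the process.
        owner=$(awk '/^Uid:/ { print $2; exit }' "$dir/status" 2>/dev/null) || continue
        [ "$owner" = "$uid" ] || continue
        # attr/current holds the label; it can be unreadable without
        # privileges or vanish if the process exits during the scan.
        label=$(cat "$dir/attr/current" 2>/dev/null) || label="unreadable"
        [ "$label" = "$want" ] && continue
        comm=$(cat "$dir/comm" 2>/dev/null) || comm="?"
        printf '%s %s %s\n' "${dir##*/}" "$comm" "$label"
        bad=1
    done
    return "$bad"
}

# Only scan the live /proc when a UID is given on the command line.
if [ "$#" -ge 1 ]; then
    audit_labels /proc "$1" "${2:-$DEFAULT_PROFILE}"
fi
```

Anything listed is either unconfined, in complain mode, or running under a different label, so it needs a closer look before the session is treated as confined.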
[Touch-packages] [Bug 1742912] Re: Please confine guest sessions again
I just posted this: https://community.ubuntu.com/t/brain-dump-on-guest-session-progress/3717/2
[Touch-packages] [Bug 1742912] Re: Please confine guest sessions again
** Changed in: lightdm (Ubuntu)
       Status: New => Confirmed