It's difficult to audit things when they are only partially implemented, or in this case, partially working in the archive. All this with little documentation. On top of that I was fiddling with an account on uccs.landscape.canonical.com and now it only returns 503. If people would like a meaningful review, high-level design documents and documentation on how to set things up should be provided. I was able to muddle my way through some low-level stuff to test UCCS, so I won't block on this anymore, so here is my cursory high-level review:
* remote-login-service/remote-login-service should be compiled with PIE and all hardening options * lintian clean, no initscripts/upstart jobs, dbus system services, setuid, fscaps, sudo usage or privileged command usage (sudo,su,pkexec) log file has some failures: ** (/PKGBUILDDIR/tests/server-test:4005): CRITICAL **: citrix_server_new_from_keyfile: assertion `keyfile != NULL' failed ** (/PKGBUILDDIR/tests/server-test:4005): CRITICAL **: citrix_server_new_from_keyfile: assertion `name != NULL' failed ** (/PKGBUILDDIR/tests/server-test:4005): CRITICAL **: rdp_server_new_from_keyfile: assertion `keyfile != NULL' failed ** (/PKGBUILDDIR/tests/server-test:4005): CRITICAL **: rdp_server_new_from_keyfile: assertion `name != NULL' failed ** (/PKGBUILDDIR/tests/server-test:4005): CRITICAL **: uccs_server_new_from_keyfile: assertion `keyfile != NULL' failed ** (/PKGBUILDDIR/tests/server-test:4005): CRITICAL **: uccs_server_new_from_keyfile: assertion `name != NULL' failed ** (remote-login-service:4024): ERROR **: Unable to get name 'com.canonical.RemoteLogin' ** (remote-login-service:4060): ERROR **: Unable to get name 'com.canonical.RemoteLogin' ** (remote-login-service:4075): ERROR **: Unable to get name 'com.canonical.RemoteLogin' ** (remote-login-service:4149): ERROR **: Unable to get name 'com.canonical.RemoteLogin' ** (remote-login-service:4164): ERROR **: Unable to get name 'com.canonical.RemoteLogin' These happen in tests that show they are passing, which is a bit confusing. * high-level code inspection seems fine There is a dbus session service which holds the list of servers. It is pretty careful about locking/unlocking so you have to provide a credential to see anything. I tried launching this under my own user (as opposed to lightdm) and was able to call methods, etc, but it doesn't appear that I could expose information from another user. That said, I didn't have a working setup so I couldn't poke at this very hard. For UCCS, it does make connections the network via a separate program, 'thin-client-config-agent' and all I could find suggests this will be over https (good). I verify via packet analysis that only https is being used with UCCS/thin-client-config-agent. This is good, but the secure connection is only as good as the Exec line in /etc/remote-login- service.conf. Trying to use GetServersForLogin: ** (remote-login-service:8847): WARNING **: Unable to start UCCS process: Failed to execute child process "thin-client-config-agent" (No such file or directory) I had to add to /etc/remote-login-service.conf: [Remote Login Service] UCCSServers=Canonical [UCCS Server Canonical] Name=Remote Login URI=https://uccs.landscape.canonical.com/ Exec=/usr/bin/thin-client-config-agent After this I communicated with the DBus interface using d-feet and was pleased to see authentication/locking appearing to work: p11-kit: duplicate configured module: gnome-keyring.module: /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so Certificate verification failed ** (remote-login-service:9409): WARNING **: Address ':1.1' is not authorized Performing a MITM on remote-login-service, I saw that it is verifying certificates: p11-kit: duplicate configured module: gnome-keyring.module: /usr/lib/x86_64-linux-gnu/pkcs11/gnome-keyring-pkcs11.so Certificate verification failed ** (remote-login-service:9409): WARNING **: Address ':1.1' is not authorized While the code is very new it is written by Canonical so I don't have any concerns on its maintenance. ACK. ** Changed in: remote-login-service (Ubuntu) Status: New => Fix Committed ** Changed in: remote-login-service (Ubuntu) Assignee: Jamie Strandboge (jdstrand) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1037296 Title: [MIR] remote-login-service To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/remote-login-service/+bug/1037296/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
