** Description changed:
+ [Impact]
+
+ If you enable the guest session feature on e.g. Ubuntu MATE, you are met
+ by an error message when trying to enter a guest session:
+
+ "Could not update file ICEauthority file /run/user/XXX/ICEauthority"
+
+ Even if it's not always a fatal error (the login may succeed after a few
+ minutes), the user experience is really bad, and you are inclined to
+ conclude that you are completely blocked from using the feature.
+
+ The proposed fix adds a rule to the lightdm-guest-session AppArmor
+ profile and prevents the error from happening.
+
+ [Test Plan]
+
+ On an updated Ubuntu MATE installation:
+
+ * Enable guest session
+
+ sudo sh -c 'printf "[Seat:*]\nallow-guest=true\n"
+ >/etc/lightdm/lightdm.conf.d/50-enable-guest.conf'
+
+ * Install lightdm from {focal,groovy}-proposed
+
+ * Reboot
+
+ You should now be able to enter a guest session without being stopped by
+ the ICEauthority error.
+
+ [Where problems could occur]
+
+ This one-liner is a harmless change.
+
+ The guest session is run in an unconfined mode since Ubuntu 16.10.
+ That's why the feature is disabled by default.
+
+ So if the additional rule would be wrong somehow (which I have no reason
+ to believe), it wouldn't break the AppArmor security layer for the
+ simple reason that it's already broken to begin with.
+
+ [Original description]
+
Hello I ran into trouble to start the lightdm-guest-session in linux
mint (cinnamon).
## How to reproduce:
- - boot linux mint (20.02) or ubuntu mate (20.04) I haven't tested other
distros but I think others are also affected.
- - enable guest user session
- - try to login as guest user
+ - boot linux mint (20.02) or ubuntu mate (20.04) I haven't tested other
distros but I think others are also affected.
+ - enable guest user session
+ - try to login as guest user
## Error logs:
### Error Message:
` Could not update file ICEauthority file /run/user/XXX/ICEauthority`
### aa-notify:
- ```
+ ```
Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8125/uid_map
Denied: w
Logfile: /var/log/kern.log
-
+
Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8125/setgroups
Denied: w
Logfile: /var/log/kern.log
-
+
Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8125/gid_map
Denied: w
Logfile: /var/log/kern.log
-
+
Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8624/fd/
Denied: r
Logfile: /var/log/kern.log
```
### dmesg:
```
[ 218.831289] audit: type=1400 audit(1616864450.287:76): apparmor="DENIED"
operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session"
name="/run/systemd/journal/dev-log" pid=3916 comm="cinnamon-sessio"
requested_mask="w" denied_mask="w" fsuid=999 ouid=0
[ 1157.263045] audit: type=1400 audit(1616865388.720:1084): apparmor="DENIED"
operation="open" profile="/usr/lib/lightdm/lightdm-guest-session"
name="/proc/9899/fd/" pid=9899 comm="gpg-agent" requested_mask="r"
denied_mask="r" fsuid=999 #ouid=0
[ 1157.899223] audit: type=1400 audit(1616865389.356:1085): apparmor="DENIED"
operation="open" profile="/usr/lib/lightdm/lightdm-guest-session"
name="/proc/1/cgroup" pid=9840 comm="cinnamon-sessio" requested_mask="r"
denied_mask="r" fsuid=999 ouid=0
[ 1157.899445] audit: type=1400 audit(1616865389.360:1086): apparmor="DENIED"
operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session"
name="/run/systemd/journal/dev-log" pid=9840 comm="cinnamon-sessio"
requested_mask="w" denied_mask="w" fsuid=999 ouid=0
[ 1157.903410] audit: type=1400 audit(1616865389.364:1087): apparmor="DENIED"
operation="link" profile="/usr/lib/lightdm/lightdm-guest-session"
name="/run/user/999/ICEauthority-l" pid=9840 comm="cinnamon-sessio"
requested_mask="l" denied_mask="l" fsuid=999 ouid=999
target="/run/user/999/ICEauthority-c"
```
## Solutions:
### bad but common work around
- Solutions I found in different forums were to move lightdm-guest-session into
complain mode like this:
+ Solutions I found in different forums were to move lightdm-guest-session into
complain mode like this:
`aa-complain /usr/lib/lightdm/lightdm-guest-session`
### maybe better sollution:
My fix would be to add this to `/etc/apparmor.d/lightdm-guest-session`:
```
...
/usr/lib/lightdm/lightdm-guest-session {
...
- owner /run/user/[0-9]*/ICEauthority-? l,`
+ owner /run/user/[0-9]*/ICEauthority-? l,`
...
}
```
I honestly have no clue about apparmor and I'm unsure where to post this but
I hope this maybe helps some other people in the future.
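Review bot: The proposed rule in the [Original description] block, `owner /run/user/[0-9]*/ICEauthority-? l,`, is followed by a stray backtick after the terminating comma. Anyone copying it verbatim into /etc/apparmor.d/lightdm-guest-session gets trailing characters after the rule, so the description should show the line ending at the comma. In the [Test Plan], the `sudo sh -c '...'` command is wrapped with the line break inside the single quotes, just before `>/etc/lightdm/lightdm.conf.d/50-enable-guest.conf`. Pasted as shown, the redirection runs as a separate command and the file is created empty, so the command should be kept on one line. The test plan would also benefit from an explicit check that the `operation="link"` denial for `/run/user/999/ICEauthority-l` no longer appears in the kernel log after the reboot, rather than relying only on the absence of the error dialog.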
** Changed in: lightdm (Ubuntu Groovy)
Status: Incomplete => In Progress
** Changed in: lightdm (Ubuntu Focal)
Status: Triaged => In Progress
https://bugs.launchpad.net/bugs/1921655
Title:
lightdm-guest-session ICEauthority error