I reviewed user-session-migration 0.5.0 as checked into questing. This
shouldn't be considered a full audit but rather a quick gauge of
maintainability. user-session-migration is a package intended to replace the
now un-maintained session-migration package.

Overall, this is a small and relatively simple package. It installs a systemd
user service that runs the user-session-migration binary on user session
startup. user-session-migration runs a list of arbitrary migration scripts
installed by other packages. These scripts should be idempotent and are
intended to provide a way for packages to manipulate user-specific config files
and directories as required for new versions. It implements per-user caching to
attempt to avoid running scripts multiple times. The package also provides a
debhelper command that can be used by other packages to simplify installing
their migration scripts.
- CVE History
  - None found for either the original session-migration or the new
    user-session-migration.
- Build-Depends
  - All expected for the functionality
  - Notably includes systemd-dev
- pre/post inst/rm scripts
  - Yes, to enable the systemd user service, autogenerated by
    dh_installsystemduser.
- init scripts
  - None
- systemd units
  - This package includes the 'user-session-migration.service' systemd user
    unit that is at the core of the package's functionality.
  - This service runs the user-session-migration binary during user session
    creation before graphical session setup.
  - As it is a user unit, migration scripts are run under the constraints of
    the user's permissions.
- dbus services
  - None
- setuid binaries
  - None
- binaries in PATH
  - usr/bin/user-session-migration
- sudo fragments
  - None
- polkit files
  - None
- udev rules
  - None
- unit tests / autopkgtests
  - Autopkgtests added in version 0.5.1
  - Small but seemingly spanning test suite, run during the build process,
    all passing
  - Could benefit from a slightly more robust test suite, but this is not a
    problem for maintainability given the simplicity of the package itself.
- cron jobs
  - None
- Build logs
  - Builds successfully, no errors or significant warnings present.
  - Nothing unexpected in the build logs
- Processes spawned
  - Runs each migration script with g_spawn_command_line_sync and checks for
    completion/errors.
  - No user-supplied input is involved
  - Scripts run are located in one of the
    $XDG_DATA_DIRS/user-session-migration/scripts directories
  - Even though there is a caching mechanic, scripts should be idempotent, but
    there is nothing enforcing this
- Memory management
  - Defensively written, uses glib types and macros to simplify the memory
    management.
- File IO
  - Writes to and reads from a user-specific file tracking what migration
    scripts have been run for the user, keeping state for the caching
    functionality
    - see the environment variables section below for how the file path/name
      are determined
  - Uses glib functions for safe file IO
- Logging
  - Utilizes g_printerr often
  - Additionally supports a '--verbose' argument that provides detailed
    logging of the migration process
- Environment variable usage
  - Uses XDG_DATA_HOME, if set, to determine the location of the user-specific
    migration-tracking file
  - Uses DESKTOP_SESSION, or XDG_CURRENT_DESKTOP if DESKTOP_SESSION is not set,
    to determine the name of the user-specific migration-tracking file
  - Searches through the directories in XDG_DATA_DIRS to find migration
    scripts to run
- Use of privileged functions
  - None
- Use of cryptography / random number sources etc
  - None
- Use of temp files
  - None
- Use of networking
  - None
- Use of WebKit
  - None
- Use of PolicyKit
  - None
- Any significant cppcheck results
  - None
- Any significant Coverity results
  - None
- Any significant shellcheck results
  - None
- Any significant bandit results
  - None
- Any significant govulncheck results
  - None
- Any significant Semgrep results
  - None
The migration scripts are run through a user service, so should be
unable to perform privileged operations. However, there is nothing to
enforce idempotency in the scripts or to prevent other non-privileged
potentially malicious behaviour. As scripts installed into any of the
possible $XDG_DATA_DIRS/user-session-migration/scripts directories are
inherently trusted by user-session-migration, the user is as safe as the
packages they install are. Additionally, there is no verification of the
values within $XDG_DATA_DIRS, so if the user has modified the variable,
any user-owned script in a correctly-named directory could be executed.
Potential vulnerabilities in this context come from installing other
malicious packages with harmful migration scripts. As this has been the
trust model for the historical session-migration package, this can all
be considered a known risk.
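The trust boundary described above is the set of $XDG_DATA_DIRS/user-session-migration/scripts directories: whatever sits there runs as the user. The following audit helper is an added example, not code from the user-session-migration package; it enumerates those directories the way the review describes and flags any directory or script that is not root-owned or is group/other-writable, which is what an administrator would check before trusting the setup. It assumes glib's default of /usr/local/share:/usr/share when XDG_DATA_DIRS is unset (the review does not state the package's fallback) and GNU stat.

```shell
#!/bin/sh
# Added audit helper, not part of user-session-migration. Lists the script
# directories the tool searches and reports entries a non-root user could have
# placed or modified. Assumption: the unset-XDG_DATA_DIRS fallback is glib's
# /usr/local/share:/usr/share; `stat -c` is GNU coreutils.

# Print one candidate scripts directory per line, in XDG_DATA_DIRS order.
usm_script_dirs() {
    old_ifs=$IFS
    IFS=:
    for d in ${XDG_DATA_DIRS:-/usr/local/share:/usr/share}; do
        [ -n "$d" ] && printf '%s/user-session-migration/scripts\n' "${d%/}"
    done
    IFS=$old_ifs
}

# Echo why a path is untrustworthy, or nothing if it looks fine:
# owned by a non-root uid, and/or writable by group or others.
usm_unsafe_reason() {
    uid=$(stat -c '%u' "$1") || return 0
    mode=$(stat -c '%a' "$1")
    reason=""
    [ "$uid" -ne 0 ] && reason="owned by uid $uid, not root"
    case "$mode" in
        # write bit set in the group digit or the others digit
        *[2367]|*[2367]?) reason="${reason:+$reason; }group/other-writable (mode $mode)" ;;
    esac
    printf '%s' "$reason"
}

# Print "<path>: <reason>" for each flagged directory or script.
# Exit status 1 if anything was flagged, 0 otherwise.
usm_audit_scripts() {
    flagged=0
    for dir in $(usm_script_dirs); do
        [ -d "$dir" ] || continue
        for p in "$dir" "$dir"/*; do
            [ -e "$p" ] || continue
            why=$(usm_unsafe_reason "$p")
            if [ -n "$why" ]; then
                printf '%s: %s\n' "$p" "$why"
                flagged=1
            fi
        done
    done
    return "$flagged"
}
```

Run `usm_audit_scripts` in the user's session environment (so XDG_DATA_DIRS is the value the service would see) and treat any output as a directory or script that should be investigated.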
Security team ACK for promoting user-session-migration to main.
** Changed in: user-session-migration (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
** Changed in: user-session-migration (Ubuntu)
Status: Incomplete => Fix Committed
https://bugs.launchpad.net/bugs/2121566
Title:
[MIR] user-session-migration