lightdm leaks FDs to child processes
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Light Display Manager |
Fix Released
|
High
|
Robert Ancell | ||
lightdm (Debian) |
Fix Released
|
Unknown
|
|||
lightdm (Ubuntu) |
Fix Released
|
High
|
Robert Ancell | ||
Oneiric |
Fix Released
|
High
|
Marc Deslauriers | ||
Precise |
Fix Released
|
High
|
Robert Ancell |
Bug Description
affects lightdm
affects debian
security yes
summary "lightdm leaks FDs to child processes"
done
tag 658678 security
thanks
On dim., 2012-02-05 at 00:27 -0500, Austin Clements wrote:
> Package: lightdm
> Version: 1.0.6-3
> Severity: normal
>
> Dear Maintainer,
>
> lightdm appears to leak several file descriptors to the child process
> it creates for the session, which propagate to nearly every process
> running in an interactive session.
>
> For example, running ls -l /proc/self/fd from a terminal in X yields
>
> lrwx------ 1 amdragon amdragon 64 Feb 4 23:52 0 -> /dev/pts/15
> lrwx------ 1 amdragon amdragon 64 Feb 4 23:52 1 -> /dev/pts/15
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 13 -> pipe:[10098]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 14 -> pipe:[10098]
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 15 -> pipe:[10099]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 16 -> pipe:[10099]
> lrwx------ 1 amdragon amdragon 64 Feb 4 23:52 2 -> /dev/pts/15
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 3 -> /proc/27874/fd/
> lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 4 -> pipe:[9306]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 5 -> pipe:[9306]
> l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 6
> -> /var/log/
>
> FDs 4 through 16 were inherited from the lightdm process, as can be
> seen from its open FDs,
>
> $ sudo ls -l /proc/`pidof lightdm`/fd
> total 0
> lrwx------ 1 root root 64 Feb 4 23:54 0 -> /dev/null
> lrwx------ 1 root root 64 Feb 4 23:54 1 -> /dev/null
> lr-x------ 1 root root 64 Feb 4 23:54 10 -> pipe:[9315]
> l-wx------ 1 root root 64 Feb 4 23:54 11 -> pipe:[9315]
> lrwx------ 1 root root 64 Feb 4 23:54 12 -> socket:[10302]
> lr-x------ 1 root root 64 Feb 4 23:54 13 -> pipe:[10098]
> l-wx------ 1 root root 64 Feb 4 23:54 14 -> pipe:[10098]
> lr-x------ 1 root root 64 Feb 4 23:54 15 -> pipe:[10099]
> l-wx------ 1 root root 64 Feb 4 23:54 16 -> pipe:[10099]
> lrwx------ 1 root root 64 Feb 4 23:54 17 -> socket:[10101]
> lrwx------ 1 root root 64 Feb 4 23:54 2 -> /dev/null
> lrwx------ 1 root root 64 Feb 4 23:54 3 -> anon_inode:
> lr-x------ 1 root root 64 Feb 4 23:54 4 -> pipe:[9306]
> l-wx------ 1 root root 64 Feb 4 23:54 5 -> pipe:[9306]
> l-wx------ 1 root root 64 Feb 4 23:54 6
> -> /var/log/
> lrwx------ 1 root root 64 Feb 4 23:54 7 -> anon_inode:
> lrwx------ 1 root root 64 Feb 4 23:54 8 -> socket:[8076]
> lrwx------ 1 root root 64 Feb 4 23:54 9 -> anon_inode:
>
> FD 6 is particularly worrisome, as it allows any process to write to
> the root-owned lightdm log.
>
> It might be relevant that I use an .xsession script and Xmonad with no
> desktop environment.
Yep, you seem to be right. I don't inherit them in all my processes, but
indeed xfce4-session has them. Forwarding to upstream and tagging
security.
I'm not completely sure what are the security impact right now as I
don't exactly know what the relevant “shared” fd except the lightdm.log.
There's one where the pipe is opened by Xorg too but that might be
normal.
Regards,
--
Yves-Alexis
affects: | debian → lightdm (Debian) |
Changed in lightdm (Debian): | |
importance: | Undecided → Unknown |
status: | New → Unknown |
Changed in lightdm: | |
status: | New → Triaged |
importance: | Undecided → High |
Changed in lightdm (Debian): | |
status: | Unknown → Confirmed |
Changed in lightdm: | |
assignee: | nobody → Robert Ancell (robert-ancell) |
status: | Triaged → In Progress |
Changed in lightdm (Ubuntu): | |
status: | New → In Progress |
importance: | Undecided → High |
Changed in lightdm (Ubuntu Precise): | |
assignee: | nobody → Robert Ancell (robert-ancell) |
Changed in lightdm (Ubuntu Oneiric): | |
assignee: | nobody → Marc Deslauriers (mdeslaur) |
status: | New → In Progress |
importance: | Undecided → High |
Changed in lightdm: | |
status: | In Progress → Fix Released |
tags: | added: patch |
Changed in lightdm (Debian): | |
status: | Confirmed → Fix Released |
Any news on this?