** Tags added: patch -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/927060
Title: lightdm leaks FDs to child processes Status in Light Display Manager: Fix Released Status in “lightdm” package in Ubuntu: In Progress Status in “lightdm” source package in Oneiric: In Progress Status in “lightdm” source package in Precise: In Progress Status in “lightdm” package in Debian: Confirmed Bug description: affects lightdm affects debian security yes summary "lightdm leaks FDs to child processes" done tag 658678 security thanks On dim., 2012-02-05 at 00:27 -0500, Austin Clements wrote: > Package: lightdm > Version: 1.0.6-3 > Severity: normal > > Dear Maintainer, > > lightdm appears to leak several file descriptors to the child process > it creates for the session, which propagate to nearly every process > running in an interactive session. > > For example, running ls -l /proc/self/fd from a terminal in X yields > > lrwx------ 1 amdragon amdragon 64 Feb 4 23:52 0 -> /dev/pts/15 > lrwx------ 1 amdragon amdragon 64 Feb 4 23:52 1 -> /dev/pts/15 > lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 13 -> pipe:[10098] > l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 14 -> pipe:[10098] > lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 15 -> pipe:[10099] > l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 16 -> pipe:[10099] > lrwx------ 1 amdragon amdragon 64 Feb 4 23:52 2 -> /dev/pts/15 > lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 3 -> /proc/27874/fd/ > lr-x------ 1 amdragon amdragon 64 Feb 4 23:52 4 -> pipe:[9306] > l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 5 -> pipe:[9306] > l-wx------ 1 amdragon amdragon 64 Feb 4 23:52 6 > -> /var/log/lightdm/lightdm.log > > FDs 4 through 16 were inherited from the lightdm process, as can be > seen from its open FDs, > > $ sudo ls -l /proc/`pidof lightdm`/fd > total 0 > lrwx------ 1 root root 64 Feb 4 23:54 0 -> /dev/null > lrwx------ 1 root root 64 Feb 4 23:54 1 -> /dev/null > lr-x------ 1 root root 64 Feb 4 23:54 10 -> pipe:[9315] > l-wx------ 1 root root 64 Feb 4 23:54 11 -> pipe:[9315] > lrwx------ 1 root root 64 Feb 4 23:54 12 -> socket:[10302] > lr-x------ 1 root root 64 Feb 4 23:54 13 -> pipe:[10098] > l-wx------ 1 root root 64 Feb 4 23:54 14 -> pipe:[10098] > lr-x------ 1 root root 64 Feb 4 23:54 15 -> pipe:[10099] > l-wx------ 1 root root 64 Feb 4 23:54 16 -> pipe:[10099] > lrwx------ 1 root root 64 Feb 4 23:54 17 -> socket:[10101] > lrwx------ 1 root root 64 Feb 4 23:54 2 -> /dev/null > lrwx------ 1 root root 64 Feb 4 23:54 3 -> anon_inode:[eventfd] > lr-x------ 1 root root 64 Feb 4 23:54 4 -> pipe:[9306] > l-wx------ 1 root root 64 Feb 4 23:54 5 -> pipe:[9306] > l-wx------ 1 root root 64 Feb 4 23:54 6 > -> /var/log/lightdm/lightdm.log > lrwx------ 1 root root 64 Feb 4 23:54 7 -> anon_inode:[eventfd] > lrwx------ 1 root root 64 Feb 4 23:54 8 -> socket:[8076] > lrwx------ 1 root root 64 Feb 4 23:54 9 -> anon_inode:[eventfd] > > FD 6 is particularly worrisome, as it allows any process to write to > the root-owned lightdm log. > > It might be relevant that I use an .xsession script and Xmonad with no > desktop environment. Yep, you seem to be right. I don't inherit them in all my processes, but indeed xfce4-session has them. Forwarding to upstream and tagging security. I'm not completely sure what are the security impact right now as I don't exactly know what the relevant “shared” fd except the lightdm.log. There's one where the pipe is opened by Xorg too but that might be normal. Regards, -- Yves-Alexis To manage notifications about this bug go to: https://bugs.launchpad.net/lightdm/+bug/927060/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp