Re: [Bug 1767618] Re: system Brightness & Lock app ignores file permissions

2018-05-03 Thread steve gooberman-hill
Seth,
thanks for the explanation. You learn something every day. I've been
hacking away for almost 40 years now, and I hadn't considered how unlink()
could be used to bypass access permissions.

You had me ROTFL with your thoughts on apprenticeships in information
security.

:-)

Steve

Steve Gooberman-Hill
Skype: steve.gooberman.hill


On 3 May 2018 at 00:22, Seth Arnold <1767...@bugs.launchpad.net> wrote:

> On Wed, May 02, 2018 at 07:07:51AM -0000, steve gooberman-hill wrote:
> > I'm agreed that this is the way the system permissions work. But, did you
> > see the comment I added to the bug report?
>
> Hi Steve, indeed I did.
>
> > Further investigation shows that file ownership is also ignored
> > If I change the ownership and permissions of the file, then they are
> > ignored by the Brightness & Lock app
> >
> > eve@steve-laptop:~$ ls -l ~/.config/dconf/user
> > -rw-r--r-- 1 steve eve 15965 Apr 28 10:37 /home/eve/.config/dconf/user
> >
> > ==> Alter lock settings using "Brightness & Lock" app
> >
> > eve@steve-laptop:~$ ls -l ~/.config/dconf/user
> > -rw-rw-r-- 1 eve eve 15965 Apr 28 11:13 /home/eve/.config/dconf/user
> >
> >
> > Eve is no longer the file owner, but is in the group (and she is not in the
> > sudo group), so I don't believe that any process she is running should be
> > able to change the file permissions and ownership. So I am guessing that
> > the screen locking process is either not run by the user, or it is running
> > with elevated privileges, which enable it to overwrite the file with a
> > different privilege set.
>
> Eve owns the directory /home/eve/.config/dconf/. Thus a process running
> as Eve can unlink() any file in this directory regardless of who owns
> the file or what permissions are on the file. Then it creates a new
> file with any contents -- as you've seen here.
>
> > However, I am not convinced that the existing behaviour is desirable -
> > because the screen locking process appears not to check the file
> > permissions and ownership, and uses its elevated privilege status to
> > overwrite them.
>
> The screen locking mechanism does not have elevated privileges. It just
> runs as her. The assumption is she's the one who wants to protect her
> session when she walks away momentarily.
>
> > PS. FWIW Eve is thankfully not interested in Unix system hacking. Social
> > engineering on her parents seems a better way to get increased access to
> > funny cat videos :-)
>
> Such a pity, I've heard there's a world-wide shortfall of roughly a
> million information security professionals. Practicing how to bypass
> access controls on childhood computers is a time-honoured traditional
> education for the field.
>
> Of course social engineering is also a useful skill. :)
>
> Thanks Steve
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1767618
>
> Title:
>   system Brightness & Lock app ignores file permissions
>
> Status in gnome-screensaver package in Ubuntu:
>   Won't Fix
>
> Bug description:
>   The "Brightness & Lock" app in "System Settings" is ignoring file
>   permissions.
>
>   As a sudo group user, I wish to restrict another user's ability to
>   change their user settings (particularly the screen lock settings), so
>   they can't switch the lock off
>
>   (I want to restrict my daughter's access to the laptop, so I control
>   the password to her account - but she has worked out that she can turn
>   the screen lock off)
>
>   Using sudo privileges I can change the file permissions on her
>   dconf/user settings
>
>   steve@steve-laptop:/home/eve$ sudo chmod ug-w ~eve/.config/dconf/user
>   steve@steve-laptop:/home/eve$ sudo ls -l ~eve/.config/dconf/user
>   -r--r--r-- 1 eve eve 15965 Apr 28 10:34 /home/eve/.config/dconf/user
>
>   If I then switch to her account, and use the system settings
>   "Brightness & Lock" app to switch the lock off. I then check the file
>   permissions on her dconf/user account, and find
>
>   eve@steve-laptop:/home/eve$ sudo ls -l ~eve/.config/dconf/user
>   -rw-rw-r-- 1 eve eve 15965 Apr 28 10:37 /home/eve/.config/dconf/user
>
>   I don't believe that any user should have permission to overwrite this
>   file if it has read-only permissions
>
>   ProblemType: Bug
>   DistroRelease: Ubuntu 16.04
>   Package: gnome-screensaver 3.6.1-7ubuntu4
>   ProcVersionSignature: Ubuntu 4.4.0-119.143-generic 4.4.114
>   Uname: Linux 4.4.0-119-generic x86_64
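
The behaviour Seth describes in the message above (unlink() is authorised by the containing directory, not by the file's own mode or owner), as an added example that is not part of the original thread. The scratch directory, the placeholder file contents and the function names `can_replace`, `replace_readonly` and `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example on a constructed scratch directory; names and contents are
# placeholders, not the real (binary) ~/.config/dconf/user database.

# can_replace FILE: true when the current user may swap FILE for a new one,
# which depends on the parent directory, never on FILE's own mode or owner.
can_replace() {
    f=$1
    d=$(dirname -- "$f")
    # Removing or adding a directory entry needs write + search on the directory.
    [ -w "$d" ] && [ -x "$d" ] || return 1
    # In a sticky directory (like /tmp) only the owner of the file or of the
    # directory may unlink the entry.
    if [ -k "$d" ]; then
        [ -O "$d" ] || [ -O "$f" ] || return 1
    fi
    return 0
}

# replace_readonly DIR: make DIR/user read-only, then replace it anyway.
# Prints the resulting mode string and contents.
replace_readonly() {
    f=$1/user
    printf 'lock=on\n' > "$f"
    chmod 444 "$f"              # the "protection" tried in the bug report
    rm -f -- "$f"               # unlink(2): checked against the directory
    printf 'lock=off\n' > "$f"  # brand-new file owned by whoever created it
    chmod 664 "$f"
    printf '%s %s\n' "$(ls -l -- "$f" | cut -c1-10)" "$(cat -- "$f")"
}

demo() {
    tmp=$(mktemp -d) || return 1
    replace_readonly "$tmp"
    if can_replace "$tmp/user"; then echo "replaceable: file mode bits are not a control"; fi
    # A non-writable directory blocks the swap, but it is only a real control
    # if the user does not own the directory (an owner can chmod it back).
    chmod 555 "$tmp"
    can_replace "$tmp/user" || echo "not replaceable while the directory is read-only"
    chmod 755 "$tmp"; rm -rf -- "$tmp"
}
demo
```

When auditing whether a per-user settings file is actually locked down, check the ownership and mode of every directory on the path to it, not the file itself.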

Re: [Bug 1767618] Re: system Brightness & Lock app ignores file permissions

2018-05-02 Thread steve gooberman-hill
Hi Seth,
thanks for your mail.

I'm agreed that this is the way the system permissions work. But, did you
see the comment I added to the bug report?

Further investigation shows that file ownership is also ignored
If I change the ownership and permissions of the file, then they are
ignored by the Brightness & Lock app

eve@steve-laptop:~$ ls -l ~/.config/dconf/user
-rw-r--r-- 1 steve eve 15965 Apr 28 10:37 /home/eve/.config/dconf/user

==> Alter lock settings using "Brightness & Lock" app

eve@steve-laptop:~$ ls -l ~/.config/dconf/user
-rw-rw-r-- 1 eve eve 15965 Apr 28 11:13 /home/eve/.config/dconf/user


Eve is no longer the file owner, but is in the group (and she is not in the
sudo group), so I don't believe that any process she is running should be
able to change the file permissions and ownership. So I am guessing that
the screen locking process is either not run by the user, or it is running
with elevated privileges, which enable it to overwrite the file with a
different privilege set.

I understand that the setup that I am looking to configure may not be in
the design spec - and there may be better ways to achieve it, but I don't
think that it is that uncommon (for example, on my work (Windows 10)
laptop, the screen locking settings are all configured by Group IT and are
locked, so mere mortals cannot change them).

However, I am not convinced that the existing behaviour is desirable -
because the screen locking process appears not to check the file
permissions and ownership, and uses its elevated privilege status to
overwrite them.

All the best,

Steve

PS. FWIW Eve is thankfully not interested in Unix system hacking. Social
engineering on her parents seems a better way to get increased access to
funny cat videos :-)

Steve Gooberman-Hill
Skype: steve.gooberman.hill


On 1 May 2018 at 03:35, Seth Arnold <1767...@bugs.launchpad.net> wrote:

> This is the way Unix discretionary access controls work. So long as the
> files are in Eve's home directory, and she retains ownership of her home
> directory, she will be able to rename the ~/.config/ directory and
> continue on as she wishes.
>
> Furthermore, the screen locking is handled by a process that runs as her
> user account in her user session. She could simply attach a debugger to
> it and lock it solid. Or she could write a little program to keep the
> X11 session 'active' and thus keep the screen from locking. Or she could
> click on a menu entry every time she walks away from the computer to
> keep the screen from locking. Or she could write her own screen locking
> program that would act as she wishes.
>
> You could try using the shadow 'lock account' tools; note that this is
> trivial to bypass if she can sit at the computer during bootup, unless
> you also take steps to lock the hard drive, lock the bios, and lock the
> grub configuration. But it cannot help you enforce screen locking when
> you wish. Not much short of forcibly killing her processes or rebooting
> the machine will help.
>
> Thanks

Re: [Bug 1249634] Re: control center screen is non-functional and re-opens as it is closed

2013-11-11 Thread steve gooberman-hill
I have now completed an upgrade to 13:10, which has solved the issue, so
I'm afraid I don't have any more data to share. The error was still
happening if I ran the control-centre from the command line.

Kind regards

Steve

Steve Gooberman-Hill
Skype: steve.gooberman.hill


On 11 November 2013 11:10, Sebastien Bacher wrote:

> Thank you for your bug report. What package did you update? Does it
> happen in a guest session? Do you get any error if you run
> gnome-control-center from a command line?
>
> ** Changed in: gnome-control-center (Ubuntu)
>    Importance: Undecided => Low
>
> ** Changed in: gnome-control-center (Ubuntu)
>    Status: New => Incomplete
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1249634
>
> Title:
>   control center screen is non-functional and re-opens as it is closed
>
> Status in “gnome-control-center” package in Ubuntu:
>   Incomplete
>
> Bug description:
>   ran apt-get update today
>   control center is now non functional - some screens (eg sound) don't work at all
>   others behave badly (eg display)
>   when I try and close the control centre it immediately reopens and takes the
>   screen focus. reboot won't cure
>
>   ProblemType: Bug
>   DistroRelease: Ubuntu 13.04
>   Package: gnome-control-center 1:3.6.3-0ubuntu24.1
>   ProcVersionSignature: Ubuntu 3.8.0-33.48-generic 3.8.13.11
>   Uname: Linux 3.8.0-33-generic x86_64
>   ApportVersion: 2.9.2-0ubuntu8.5
>   Architecture: amd64
>   Date: Sat Nov  9 16:56:27 2013
>   EcryptfsInUse: Yes
>   InstallationDate: Installed on 2013-05-17 (176 days ago)
>   InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
>   MarkForUpload: True
>   SourcePackage: gnome-control-center
>   UpgradeStatus: Upgraded to raring on 2013-11-09 (0 days ago)
>   usr_lib_gnome-control-center:
>    activity-log-manager-control-center 0.9.4-0ubuntu6.2
>    deja-dup                            26.0-0ubuntu1
>    gnome-control-center-signon         0.1.6bzr13.04.05-0ubuntu1.1
>    gnome-control-center-unity          1.3daily13.06.19~13.04-0ubuntu1
>    indicator-datetime                  12.10.3daily13.03.26-0ubuntu1
>
> To manage notifications about this bug go to:
>
> https://bugs.launchpad.net/ubuntu/+source/gnome-control-center/+bug/1249634/+subscriptions
>

-- 
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to gnome-control-center in Ubuntu.
https://bugs.launchpad.net/bugs/1249634

Title:
  control center screen is non-functional and re-opens as it is closed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnome-control-center/+bug/1249634/+subscriptions

-- 
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs

[Bug 1249634] [NEW] control center screen is non-functional and re-opens as it is closed

2013-11-09 Thread steve gooberman-hill
Public bug reported:

ran apt-get update today
control center is now non functional - some screens (eg sound) don't work at all
others behave badly (eg display)
when I try and close the control centre it immediately reopens and takes the 
screen focus. reboot won't cure

ProblemType: Bug
DistroRelease: Ubuntu 13.04
Package: gnome-control-center 1:3.6.3-0ubuntu24.1
ProcVersionSignature: Ubuntu 3.8.0-33.48-generic 3.8.13.11
Uname: Linux 3.8.0-33-generic x86_64
ApportVersion: 2.9.2-0ubuntu8.5
Architecture: amd64
Date: Sat Nov  9 16:56:27 2013
EcryptfsInUse: Yes
InstallationDate: Installed on 2013-05-17 (176 days ago)
InstallationMedia: Ubuntu 13.04 "Raring Ringtail" - Release amd64 (20130424)
MarkForUpload: True
SourcePackage: gnome-control-center
UpgradeStatus: Upgraded to raring on 2013-11-09 (0 days ago)
usr_lib_gnome-control-center:
 activity-log-manager-control-center 0.9.4-0ubuntu6.2
 deja-dup                            26.0-0ubuntu1
 gnome-control-center-signon         0.1.6bzr13.04.05-0ubuntu1.1
 gnome-control-center-unity          1.3daily13.06.19~13.04-0ubuntu1
 indicator-datetime                  12.10.3daily13.03.26-0ubuntu1

** Affects: gnome-control-center (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: amd64 apport-bug raring third-party-packages
