[Desktop-packages] [Bug 1921655] Re: lightdm-guest-session ICEauthority error
** No longer affects: ubuntu-mate

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1921655

Title: lightdm-guest-session ICEauthority error

Status in lightdm package in Ubuntu: Fix Released
Status in lightdm source package in Focal: Fix Released
Status in lightdm source package in Groovy: Fix Released
Status in lightdm source package in Hirsute: Fix Released

Bug description:

[Impact]

If you enable the guest session feature on e.g. Ubuntu MATE, you are met by an error message when trying to enter a guest session:

"Could not update file ICEauthority file /run/user/XXX/ICEauthority"

Even if it's not always a fatal error (the login may succeed after a few minutes), the user experience is really bad, and you are inclined to conclude that you are completely blocked from using the feature.

The proposed fix adds a rule to the lightdm-guest-session AppArmor profile and prevents the error from happening.

[Test Plan]

On an updated Ubuntu MATE installation:

* Enable guest session

  sudo sh -c 'printf "[Seat:*]\nallow-guest=true\n" >/etc/lightdm/lightdm.conf.d/50-enable-guest.conf'

* Install lightdm from {focal,groovy}-proposed

* Reboot

You should now be able to enter a guest session without being stopped by the ICEauthority error.

[Where problems could occur]

This one-liner is a harmless change.

The guest session is run in an unconfined mode since Ubuntu 16.10. That's why the feature is disabled by default.

So if the additional rule would be wrong somehow (which I have no reason to believe), it wouldn't break the AppArmor security layer for the simple reason that it's already broken to begin with.

[Original description]

Hello I ran into trouble to start the lightdm-guest-session in linux mint (cinnamon).

## How to reproduce:

- boot linux mint (20.02) or ubuntu mate (20.04) I haven't tested other distros but I think others are also affected.
- enable guest user session
- try to login as guest user

## Error logs:

### Error Message:

`Could not update file ICEauthority file /run/user/XXX/ICEauthority`

### aa-notify:

```
Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8125/uid_map
Denied: w
Logfile: /var/log/kern.log

Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8125/setgroups
Denied: w
Logfile: /var/log/kern.log

Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8125/gid_map
Denied: w
Logfile: /var/log/kern.log

Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8624/fd/
Denied: r
Logfile: /var/log/kern.log
```

### dmesg:

```
[ 218.831289] audit: type=1400 audit(1616864450.287:76): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/dev-log" pid=3916 comm="cinnamon-sessio" requested_mask="w" denied_mask="w" fsuid=999 ouid=0
[ 1157.263045] audit: type=1400 audit(1616865388.720:1084): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/9899/fd/" pid=9899 comm="gpg-agent" requested_mask="r" denied_mask="r" fsuid=999 #ouid=0
[ 1157.899223] audit: type=1400 audit(1616865389.356:1085): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/1/cgroup" pid=9840 comm="cinnamon-sessio" requested_mask="r" denied_mask="r" fsuid=999 ouid=0
[ 1157.899445] audit: type=1400 audit(1616865389.360:1086): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/dev-log" pid=9840 comm="cinnamon-sessio" requested_mask="w" denied_mask="w" fsuid=999 ouid=0
[ 1157.903410] audit: type=1400 audit(1616865389.364:1087): apparmor="DENIED" operation="link" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/user/999/ICEauthority-l" pid=9840 comm="cinnamon-sessio" requested_mask="l" denied_mask="l" fsuid=999 ouid=999 target="/run/user/999/ICEauthority-c"
```

## Solutions:

### bad but common work around

Solutions I found in different forums were to move lightdm-guest-session into complain mode like this:

`aa-complain /usr/lib/lightdm/lightdm-guest-session`

### maybe better solution:

My fix would be to add this to `/etc/apparmor.d/lightdm-guest-session`:

```
...
/usr/lib/lightdm/lightdm-guest-session {
  ...
  owner /run/user/[0-9]*/ICEauthority-? l,
  ...
}
```

I honestly have no clue about apparmor and I'm unsure where to post this but I hope this maybe helps some other people in the future.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1921655/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
[Desktop-packages] [Bug 1921655] Re: lightdm-guest-session ICEauthority error
** Tags removed: focal groovy hirsute verification-done-focal verification-done-groovy

Status in Ubuntu MATE: New
Status in lightdm package in Ubuntu: Fix Released
Status in lightdm source package in Focal: Fix Released
Status in lightdm source package in Groovy: Fix Released
Status in lightdm source package in Hirsute: Fix Released
[Desktop-packages] [Bug 1921655] Re: lightdm-guest-session ICEauthority error
This bug was fixed in the package lightdm - 1.30.0-0ubuntu4~20.04.1

---
lightdm (1.30.0-0ubuntu4~20.04.1) focal; urgency=medium

  * debian/patches/fix-guest-session-ICEauthority-error.patch:
    - Fixes AppArmor issue which prevented access to the guest session feature in e.g. MATE (LP: #1921655). Thanks to Jonas Wiegert for the solution!

 -- Gunnar Hjalmarsson Mon, 12 Apr 2021 19:57:08 +0200

** Changed in: lightdm (Ubuntu Focal)
   Status: Fix Committed => Fix Released

Status in Ubuntu MATE: New
Status in lightdm package in Ubuntu: Fix Released
Status in lightdm source package in Focal: Fix Released
Status in lightdm source package in Groovy: Fix Released
Status in lightdm source package in Hirsute: Fix Released
[Desktop-packages] [Bug 1921655] Re: lightdm-guest-session ICEauthority error
This bug was fixed in the package lightdm - 1.30.0-0ubuntu4~20.10.1

---
lightdm (1.30.0-0ubuntu4~20.10.1) groovy; urgency=medium

  * debian/patches/fix-guest-session-ICEauthority-error.patch:
    - Fixes AppArmor issue which prevented access to the guest session feature in e.g. MATE (LP: #1921655). Thanks to Jonas Wiegert for the solution!
  * debian/patches/dont-turn-format-warnings-into-errors.patch:
    - Works around FTBFS on s390x with gcc versions higher than gcc-9.

 -- Gunnar Hjalmarsson Mon, 12 Apr 2021 19:56:00 +0200

** Changed in: lightdm (Ubuntu Groovy)
   Status: Fix Committed => Fix Released

Status in Ubuntu MATE: New
Status in lightdm package in Ubuntu: Fix Released
Status in lightdm source package in Focal: Fix Committed
Status in lightdm source package in Groovy: Fix Released
Status in lightdm source package in Hirsute: Fix Released
[Desktop-packages] [Bug 1921655] Re: lightdm-guest-session ICEauthority error
I verified the test plan

* on 20.04 using lightdm 1.30.0-0ubuntu4~20.04.1 from focal-proposed
* on 20.10 using lightdm 1.30.0-0ubuntu4~20.10.1 from groovy-proposed

** Tags removed: verification-needed verification-needed-focal verification-needed-groovy
** Tags added: verification-done verification-done-focal verification-done-groovy

Status in Ubuntu MATE: New
Status in lightdm package in Ubuntu: Fix Released
Status in lightdm source package in Focal: Fix Committed
Status in lightdm source package in Groovy: Fix Committed
Status in lightdm source package in Hirsute: Fix Released
[Desktop-packages] [Bug 1921655] Re: lightdm-guest-session ICEauthority error
Hello Jonas, or anyone else affected,

Accepted lightdm into groovy-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/lightdm/1.30.0-0ubuntu4~20.10.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-groovy to verification-done-groovy. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-groovy. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

** Changed in: lightdm (Ubuntu Groovy)
   Status: In Progress => Fix Committed

** Tags added: verification-needed verification-needed-groovy

Status in Ubuntu MATE: New
Status in lightdm package in Ubuntu: Fix Released
Status in lightdm source package in Focal: Fix Committed
Status in lightdm source package in Groovy: Fix Committed
Status in lightdm source package in Hirsute: Fix Released
[Desktop-packages] [Bug 1921655] Re: lightdm-guest-session ICEauthority error
** Description changed: + [Impact] + + If you enable the guest session feature on e.g. Ubuntu MATE, you are met + by an error message when trying to enter a guest session: + + "Could not update file ICEauthority file /run/user/XXX/ICEauthority" + + Even if it's not always a fatal error (the login may succeed after a few + minutes), the user experience is really bad, and you are inclined to + conclude that you are completely blocked from using the feature. + + The proposed fix adds a rule to the lightdm-guest-session AppArmor + profile and prevents the error from happening. + + [Test Plan] + + On an updated Ubuntu MATE installation: + + * Enable guest session + + sudo sh -c 'printf "[Seat:*]\nallow-guest=true\n" + >/etc/lightdm/lightdm.conf.d/50-enable-guest.conf' + + * Install lightdm from {focal,groovy}-proposed + + * Reboot + + You should now be able to enter a guest session without being stopped by + the ICEauthority error. + + [Where problems could occur] + + This one-liner is a harmless change. + + The guest session is run in an unconfined mode since Ubuntu 16.10. + That's why the feature is disabled by default. + + So if the additional rule would be wrong somehow (which I have no reason + to believe), it wouldn't break the AppArmor security layer for the + simple reason that it's already broken to begin with. + + [Original description] + Hello I ran into trouble to start the lightdm-guest-session in linux mint (cinnamon). ## How to reproduce: - - boot linux mint (20.02) or ubuntu mate (20.04) I haven't tested other distros but I think others are also affected. - - enable guest user session - - try to login as guest user + - boot linux mint (20.02) or ubuntu mate (20.04) I haven't tested other distros but I think others are also affected. 
+ - enable guest user session + - try to login as guest user ## Error logs: ### Error Message: ` Could not update file ICEauthority file /run/user/XXX/ICEauthority` ### aa-notify: - ``` + ``` Profile: /usr/lib/lightdm/lightdm-guest-session Operation: open Name: /proc/8125/uid_map Denied: w Logfile: /var/log/kern.log - + Profile: /usr/lib/lightdm/lightdm-guest-session Operation: open Name: /proc/8125/setgroups Denied: w Logfile: /var/log/kern.log - + Profile: /usr/lib/lightdm/lightdm-guest-session Operation: open Name: /proc/8125/gid_map Denied: w Logfile: /var/log/kern.log - + Profile: /usr/lib/lightdm/lightdm-guest-session Operation: open Name: /proc/8624/fd/ Denied: r Logfile: /var/log/kern.log ``` ### dmesg: ``` [ 218.831289] audit: type=1400 audit(1616864450.287:76): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/dev-log" pid=3916 comm="cinnamon-sessio" requested_mask="w" denied_mask="w" fsuid=999 ouid=0 [ 1157.263045] audit: type=1400 audit(1616865388.720:1084): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/9899/fd/" pid=9899 comm="gpg-agent" requested_mask="r" denied_mask="r" fsuid=999 #ouid=0 [ 1157.899223] audit: type=1400 audit(1616865389.356:1085): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/1/cgroup" pid=9840 comm="cinnamon-sessio" requested_mask="r" denied_mask="r" fsuid=999 ouid=0 [ 1157.899445] audit: type=1400 audit(1616865389.360:1086): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/dev-log" pid=9840 comm="cinnamon-sessio" requested_mask="w" denied_mask="w" fsuid=999 ouid=0 [ 1157.903410] audit: type=1400 audit(1616865389.364:1087): apparmor="DENIED" operation="link" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/user/999/ICEauthority-l" pid=9840 comm="cinnamon-sessio" requested_mask="l" denied_mask="l" 
fsuid=999 ouid=999 target="/run/user/999/ICEauthority-c" ``` ## Solutions: ### bad but common work around - Solutions I found in different forums were to move lightdm-guest-session into complain mode like this: + Solutions I found in different forums were to move lightdm-guest-session into complain mode like this: `aa-complain /usr/lib/lightdm/lightdm-guest-session` ### maybe better sollution: My fix would be to add this to `/etc/apparmor.d/lightdm-guest-session`: ``` ... /usr/lib/lightdm/lightdm-guest-session { ... - owner /run/user/[0-9]*/ICEauthority-? l,` + owner /run/user/[0-9]*/ICEauthority-? l,` ... } ``` I honestly have no clue about apparmor and I'm unsure where to post this but I hope this maybe helps some other people in the future. ** Changed in: lightdm (Ubuntu Groovy) Status: Incomplete => In Progress ** Changed in: lightdm (Ubuntu Focal) Status: Triaged => In Progress -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to lightdm in Ubuntu.
[Desktop-packages] [Bug 1921655] Re: lightdm-guest-session ICEauthority error
** Changed in: lightdm (Ubuntu Groovy)
       Status: Triaged => Incomplete

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1921655

Title:
  lightdm-guest-session ICEauthority error

Status in Ubuntu MATE: New
Status in lightdm package in Ubuntu: Fix Released
Status in lightdm source package in Focal: Triaged
Status in lightdm source package in Groovy: Incomplete
Status in lightdm source package in Hirsute: Fix Released

Bug description:

Hello

I ran into trouble starting the lightdm-guest-session in Linux Mint (Cinnamon).

## How to reproduce:

- boot Linux Mint (20.02) or Ubuntu MATE (20.04). I haven't tested other distros but I think others are also affected.
- enable guest user session
- try to log in as guest user

## Error logs:

### Error Message:

`Could not update file ICEauthority file /run/user/XXX/ICEauthority`

### aa-notify:

```
Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8125/uid_map
Denied: w
Logfile: /var/log/kern.log

Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8125/setgroups
Denied: w
Logfile: /var/log/kern.log

Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8125/gid_map
Denied: w
Logfile: /var/log/kern.log

Profile: /usr/lib/lightdm/lightdm-guest-session
Operation: open
Name: /proc/8624/fd/
Denied: r
Logfile: /var/log/kern.log
```

### dmesg:

```
[ 218.831289] audit: type=1400 audit(1616864450.287:76): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/dev-log" pid=3916 comm="cinnamon-sessio" requested_mask="w" denied_mask="w" fsuid=999 ouid=0
[ 1157.263045] audit: type=1400 audit(1616865388.720:1084): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/9899/fd/" pid=9899 comm="gpg-agent" requested_mask="r" denied_mask="r" fsuid=999 #ouid=0
[ 1157.899223] audit: type=1400 audit(1616865389.356:1085): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/1/cgroup" pid=9840 comm="cinnamon-sessio" requested_mask="r" denied_mask="r" fsuid=999 ouid=0
[ 1157.899445] audit: type=1400 audit(1616865389.360:1086): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/dev-log" pid=9840 comm="cinnamon-sessio" requested_mask="w" denied_mask="w" fsuid=999 ouid=0
[ 1157.903410] audit: type=1400 audit(1616865389.364:1087): apparmor="DENIED" operation="link" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/user/999/ICEauthority-l" pid=9840 comm="cinnamon-sessio" requested_mask="l" denied_mask="l" fsuid=999 ouid=999 target="/run/user/999/ICEauthority-c"
```

## Solutions:

### bad but common workaround

Solutions I found in different forums were to move lightdm-guest-session into complain mode like this:

`aa-complain /usr/lib/lightdm/lightdm-guest-session`

### maybe better solution:

My fix would be to add this to `/etc/apparmor.d/lightdm-guest-session`:

```
...
/usr/lib/lightdm/lightdm-guest-session {
  ...
  owner /run/user/[0-9]*/ICEauthority-? l,
  ...
}
```

I honestly have no clue about apparmor and I'm unsure where to post this but I hope this maybe helps some other people in the future.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-mate/+bug/1921655/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
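An added example, not part of the bug report or of lightdm: it parses the five AppArmor denial records quoted in the dmesg section and checks which of them the proposed `owner /run/user/[0-9]*/ICEauthority-? l,` rule would permit. The glob matcher is a simplified stand-in for apparmor_parser (an assumption), and all function names are hypothetical.

```python
import re

# The five AppArmor denial records from the report's dmesg section, verbatim.
DMESG = r'''
[ 218.831289] audit: type=1400 audit(1616864450.287:76): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/dev-log" pid=3916 comm="cinnamon-sessio" requested_mask="w" denied_mask="w" fsuid=999 ouid=0
[ 1157.263045] audit: type=1400 audit(1616865388.720:1084): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/9899/fd/" pid=9899 comm="gpg-agent" requested_mask="r" denied_mask="r" fsuid=999 #ouid=0
[ 1157.899223] audit: type=1400 audit(1616865389.356:1085): apparmor="DENIED" operation="open" profile="/usr/lib/lightdm/lightdm-guest-session" name="/proc/1/cgroup" pid=9840 comm="cinnamon-sessio" requested_mask="r" denied_mask="r" fsuid=999 ouid=0
[ 1157.899445] audit: type=1400 audit(1616865389.360:1086): apparmor="DENIED" operation="sendmsg" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/systemd/journal/dev-log" pid=9840 comm="cinnamon-sessio" requested_mask="w" denied_mask="w" fsuid=999 ouid=0
[ 1157.903410] audit: type=1400 audit(1616865389.364:1087): apparmor="DENIED" operation="link" profile="/usr/lib/lightdm/lightdm-guest-session" name="/run/user/999/ICEauthority-l" pid=9840 comm="cinnamon-sessio" requested_mask="l" denied_mask="l" fsuid=999 ouid=999 target="/run/user/999/ICEauthority-c"
'''

# Rule proposed in the report (written here without the stray trailing backtick).
PROPOSED_RULE = "owner /run/user/[0-9]*/ICEauthority-? l,"

# key=value or key="value"; also tolerates the stray '#' before ouid in record 2.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_denials(text):
    """Return one dict of key=value fields per apparmor="DENIED" record."""
    denials = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' in line:
            denials.append({k: v.strip('"') for k, v in FIELD.findall(line)})
    return denials


def glob_to_regex(glob):
    """Translate the AppArmor globs *, **, ? and [..] into a compiled regex.

    Simplified stand-in for apparmor_parser: no {a,b} alternation, no variables.
    """
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):      # any characters, including '/'
            out.append(".*")
            i += 2
        elif glob[i] == "*":              # any characters within one component
            out.append("[^/]*")
            i += 1
        elif glob[i] == "?":              # exactly one character, not '/'
            out.append("[^/]")
            i += 1
        elif glob[i] == "[":              # character class, same syntax as regex
            end = glob.index("]", i)
            out.append(glob[i:end + 1])
            i = end + 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return re.compile("".join(out))


def parse_rule(rule):
    """Split a file rule into (owner_only, path_regex, permission set)."""
    tokens = rule.strip().rstrip(",").split()
    owner_only = tokens[0] == "owner"
    if owner_only:
        tokens = tokens[1:]
    path, perms = tokens
    return owner_only, glob_to_regex(path), set(perms)


def rule_covers(rule, denial):
    """True if the rule grants every denied permission on the denied path."""
    owner_only, path_re, perms = parse_rule(rule)
    if not path_re.fullmatch(denial["name"]):
        return False
    if not set(denial["denied_mask"]) <= perms:
        return False
    # "owner" restricts the rule to objects owned by the accessing user.
    return not owner_only or denial["fsuid"] == denial["ouid"]


def triage(text, rule):
    """Split denials into those the rule would permit and those left denied."""
    covered, remaining = [], []
    for denial in parse_denials(text):
        (covered if rule_covers(rule, denial) else remaining).append(denial)
    return covered, remaining


if __name__ == "__main__":
    covered, remaining = triage(DMESG, PROPOSED_RULE)
    for label, group in (("covered", covered), ("still denied", remaining)):
        for d in group:
            print(f'{label:12} {d["operation"]:8} {d["denied_mask"]:2} {d["name"]}')
```

Only the `link` denial on `/run/user/999/ICEauthority-l` is covered by the rule; the journal socket and `/proc` denials in the same log stay denied, which is the difference from switching the whole profile to complain mode.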
[Desktop-packages] [Bug 1921655] Re: lightdm-guest-session ICEauthority error
This bug was fixed in the package lightdm - 1.30.0-0ubuntu4

---
lightdm (1.30.0-0ubuntu4) hirsute; urgency=medium

  * debian/patches/fix-guest-session-ICEauthority-error.patch:
    - Fixes AppArmor issue which prevented access to the guest session feature in e.g. MATE (LP: #1921655). Thanks to Jonas Wiegert for the solution!
  * debian/patches/Glibc-2.33-fix.patch:
    - Cherry picked from upstream to prevent FTBFS
  * debian/patches/dont-turn-format-warnings-into-errors.patch:
    - Works around FTBFS on s390x with gcc versions higher than gcc-9.

 -- Gunnar Hjalmarsson Sun, 11 Apr 2021 00:18:06 +0200

** Changed in: lightdm (Ubuntu Hirsute)
       Status: Fix Committed => Fix Released

Status in Ubuntu MATE: New
Status in lightdm package in Ubuntu: Fix Released
Status in lightdm source package in Focal: Triaged
Status in lightdm source package in Groovy: Triaged
Status in lightdm source package in Hirsute: Fix Released
[Desktop-packages] [Bug 1921655] Re: lightdm-guest-session ICEauthority error
Build failures resolved, and I have uploaded a fix to the hirsute queue to start with.

** Also affects: lightdm (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: lightdm (Ubuntu Hirsute)
   Importance: Medium
       Status: Triaged

** Also affects: lightdm (Ubuntu Groovy)
   Importance: Undecided
       Status: New

** Changed in: lightdm (Ubuntu Hirsute)
       Status: Triaged => Fix Committed

** Changed in: lightdm (Ubuntu Hirsute)
     Assignee: (unassigned) => Gunnar Hjalmarsson (gunnarhj)

** Changed in: lightdm (Ubuntu Groovy)
   Importance: Undecided => Medium

** Changed in: lightdm (Ubuntu Groovy)
       Status: New => Triaged

** Changed in: lightdm (Ubuntu Groovy)
     Assignee: (unassigned) => Gunnar Hjalmarsson (gunnarhj)

** Changed in: lightdm (Ubuntu Focal)
   Importance: Undecided => Medium

** Changed in: lightdm (Ubuntu Focal)
       Status: New => Triaged

** Changed in: lightdm (Ubuntu Focal)
     Assignee: (unassigned) => Gunnar Hjalmarsson (gunnarhj)

Status in Ubuntu MATE: New
Status in lightdm package in Ubuntu: Fix Committed
Status in lightdm source package in Focal: Triaged
Status in lightdm source package in Groovy: Triaged
Status in lightdm source package in Hirsute: Fix Committed
[Desktop-packages] [Bug 1921655] Re: lightdm-guest-session ICEauthority error
Upstream github issue: https://github.com/canonical/lightdm/issues/185

** Bug watch added: github.com/canonical/lightdm/issues #185
   https://github.com/canonical/lightdm/issues/185

** Changed in: lightdm (Ubuntu)
       Status: New => Triaged

** Changed in: lightdm (Ubuntu)
   Importance: Undecided => Medium

Status in Ubuntu MATE: New
Status in lightdm package in Ubuntu: Triaged
[Desktop-packages] [Bug 1921655] Re: lightdm-guest-session ICEauthority error
Thanks for your investigation and report!

I'd like to help fixing this, but unfortunately lightdm fails to build in hirsute at the moment, which blocks me from proceeding.

https://launchpad.net/ubuntu/+archive/test-rebuild-20210325-hirsute/+build/21263293

Have asked for help with spotting what causes the build failure.

** Tags added: groovy hirsute

** Also affects: lightdm
   Importance: Undecided
       Status: New

** No longer affects: lightdm

Status in Ubuntu MATE: New
Status in lightdm package in Ubuntu: Triaged
[Desktop-packages] [Bug 1921655] Re: lightdm-guest-session ICEauthority error
** Tags added: focal

** Also affects: lightdm (Ubuntu)
   Importance: Undecided
       Status: New

Status in Ubuntu MATE: New
Status in lightdm package in Ubuntu: New