[Solved]18.2 Sonya guest account accesses documents and pictures

Questions about other topics - please check if your question fits better in another category before posting here
Forum rules
Before you post please read how to get help
catch22
Level 3
Level 3
Posts: 180
Joined: Mon Oct 01, 2012 7:50 am
Location: Belgium
Contact:

[Solved]18.2 Sonya guest account accesses documents and pictures

Post by catch22 » Mon Jul 03, 2017 3:54 pm

After upgrading to Mint 18.2 I was curious to try the guest account that's available automatically.
A nice feature - but to my surprise, in that account it was possible to go to some files in /home/pc_owner/pictures and also in /home/pc_owner/downloads.

Isn't the home of the pc-owner supposed to be protected from access 100 %?

It's no major issue for me - just curious to learn more :-)
Last edited by catch22 on Wed Jul 05, 2017 1:45 pm, edited 1 time in total.
done with distro-hopping! Linux Mint desktop / Bunsen Labs netbook

User avatar
JerryF
Level 11
Level 11
Posts: 3771
Joined: Mon Jun 08, 2015 1:23 pm
Location: Rhode Island, USA

Re: 18.2 Sonya guest account accesses documents and pictures

Post by JerryF » Mon Jul 03, 2017 4:20 pm

Check the permissions on your folders and files.
IF your problem has been solved, please edit your original post and add [SOLVED] to the beginning of the Subject Line. It helps other members.

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: 18.2 Sonya guest account accesses documents and pictures

Post by Cosmo. » Mon Jul 03, 2017 4:47 pm

catch22 wrote:Isn't the home of the pc-owner supposed to be protected from access 100 %?
Yes, this should not be possible. Also I cannot reproduce it.

Please describe the exact steps, which brought you to the main account.

catch22
Level 3
Level 3
Posts: 180
Joined: Mon Oct 01, 2012 7:50 am
Location: Belgium
Contact:

Re: 18.2 Sonya guest account accesses documents and pictures

Post by catch22 » Mon Jul 03, 2017 5:08 pm

Cosmo. wrote:Please describe the exact steps, which brought you to the main account.
Simply in Nemo I went to /home/myaccount/ and started trying if it was full proof.
The Dropbox and most other folders were secure - permission denied - but Documents let me have access to a LibreOffice odt file.
In terminal I started mocp and could play audio files that are in the Downloads folder.
In Pictures I could see all pics there. Not much to describe - it was plain open.
done with distro-hopping! Linux Mint desktop / Bunsen Labs netbook

User avatar
MintBean
Level 9
Level 9
Posts: 2967
Joined: Fri Aug 07, 2015 6:54 am
Location: Blighty

Re: 18.2 Sonya guest account accesses documents and pictures

Post by MintBean » Mon Jul 03, 2017 5:16 pm

Check the permissions on your folders and files.

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: 18.2 Sonya guest account accesses documents and pictures

Post by Cosmo. » Mon Jul 03, 2017 5:27 pm

In the starting post you wrote, that this is an upgraded system. How did you upgrade exactly? I ask, because the official upgrade path is only open since a few hours.

How did you install LightDM (in case of an official upgrade).

And again: You wrote, that you went in Nemo to /home/myaccount. If I do this I get a popup, that because of missing permissions Home cannot be displayed, if I try to enter the path /home/user-name/Downloads or /home/user-name/Pictures I get the same. (Tests done with a fresh install of LM 18.2.)

So in case you have found a bug, we need a way to reproduce it.

catch22
Level 3
Level 3
Posts: 180
Joined: Mon Oct 01, 2012 7:50 am
Location: Belgium
Contact:

Re: 18.2 Sonya guest account accesses documents and pictures

Post by catch22 » Mon Jul 03, 2017 5:41 pm

Cosmo. wrote:In the starting post you wrote, that this is an upgraded system. How did you upgrade exactly? I ask, because the official upgrade path is only open since a few hours.

How did you install LightDM (in case of an official upgrade).

And again: You wrote, that you went in Nemo to /home/myaccount. If I do this I get a popup, that because of missing permissions Home cannot be displayed, if I try to enter the path /home/user-name/Downloads or /home/user-name/Pictures I get the same. (Tests done with a fresh install of LM 18.2.)

So in case you have found a bug, we need a way to reproduce it.
The upgrade was from Mint18.1 via the Update Manager.
The lightdm I installed via instructions on the blog, like so:

Code: Select all

apt install slick-greeter lightdm-settings

Code: Select all

apt remove mdm
Unfortunately I will have to leave you in suspense, because I have to go to bed now and won't be able to test more till Wednesday evening earliest (working day ahead :( plus evening class)
done with distro-hopping! Linux Mint desktop / Bunsen Labs netbook

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: 18.2 Sonya guest account accesses documents and pictures

Post by Cosmo. » Mon Jul 03, 2017 6:36 pm

I have in the meantime upgraded a 18.1 system to 18.2 and installed LightDM. I confirm this problem and have opened an issue about this. This problem does only exist in upgraded systems, not in fresh installs of 18.2, so it was never possible to test this during the beta phase.

User avatar
laederlappen
Level 2
Level 2
Posts: 82
Joined: Fri May 19, 2017 11:34 pm
Location: Germany

Re: 18.2 Sonya guest account accesses documents and pictures

Post by laederlappen » Tue Jul 04, 2017 2:41 am

JerryF wrote:Check the permissions on your folders and files.
MintBean wrote:Check the permissions on your folders and files.
Guest-Session has AppArmor profile.

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: 18.2 Sonya guest account accesses documents and pictures

Post by Cosmo. » Tue Jul 04, 2017 11:36 am

Users of an upgraded 18.2 should at now not switch to LightDM or at least disable the guest account at once. This is a serious security hole in case of a local attacker. (Fresh installs of 18.2 are not affected.)

User avatar
MintBean
Level 9
Level 9
Posts: 2967
Joined: Fri Aug 07, 2015 6:54 am
Location: Blighty

Re: 18.2 Sonya guest account accesses documents and pictures

Post by MintBean » Tue Jul 04, 2017 11:41 am

laederlappen wrote:Guest-Session has AppArmor profile.
Thanks for the info. 8)

catch22
Level 3
Level 3
Posts: 180
Joined: Mon Oct 01, 2012 7:50 am
Location: Belgium
Contact:

Re: 18.2 Sonya guest account accesses documents and pictures

Post by catch22 » Tue Jul 04, 2017 5:01 pm

Cosmo. wrote:Users of an upgraded 18.2 should at now not switch to LightDM or at least disable the guest account at once. This is a serious security hole in case of a local attacker. (Fresh installs of 18.2 are not affected.)
How do I disable this guest account?
When i go to Administration / Users and Groups it's not there!
I see my own account plus a guest account that I made myself previous to the upgrade.
done with distro-hopping! Linux Mint desktop / Bunsen Labs netbook

User avatar
Pjotr
Level 21
Level 21
Posts: 13146
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: 18.2 Sonya guest account accesses documents and pictures

Post by Pjotr » Tue Jul 04, 2017 5:14 pm

catch22 wrote:
Cosmo. wrote:Users of an upgraded 18.2 should at now not switch to LightDM or at least disable the guest account at once. This is a serious security hole in case of a local attacker. (Fresh installs of 18.2 are not affected.)
How do I disable this guest account?
When i go to Administration / Users and Groups it's not there!
I see my own account plus a guest account that I made myself previous to the upgrade.
Menu - Administration - Login Window

Set the switch to OFF for: Allow guest sessions

Reboot.
Tip: 10 things to do after installing Linux Mint 19.2 Tina
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

catch22
Level 3
Level 3
Posts: 180
Joined: Mon Oct 01, 2012 7:50 am
Location: Belgium
Contact:

Re: 18.2 Sonya guest account accesses documents and pictures

Post by catch22 » Tue Jul 04, 2017 5:23 pm

Pjotr wrote: Menu - Administration - Login Window

Set the switch to OFF for: Allow guest sessions

Reboot.
Thanks :!:
done with distro-hopping! Linux Mint desktop / Bunsen Labs netbook

User avatar
Pjotr
Level 21
Level 21
Posts: 13146
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: 18.2 Sonya guest account accesses documents and pictures

Post by Pjotr » Tue Jul 04, 2017 6:12 pm

Cosmo. wrote:Users of an upgraded 18.2 should at now not switch to LightDM or at least disable the guest account at once. This is a serious security hole in case of a local attacker. (Fresh installs of 18.2 are not affected.)
Maybe this could be a workaround, until there's a fix? In all of the other accounts:

Code: Select all

chmod -v 700 $HOME
Tip: 10 things to do after installing Linux Mint 19.2 Tina
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

User avatar
laederlappen
Level 2
Level 2
Posts: 82
Joined: Fri May 19, 2017 11:34 pm
Location: Germany

Re: 18.2 Sonya guest account accesses documents and pictures

Post by laederlappen » Tue Jul 04, 2017 6:27 pm

Pjotr wrote:
Cosmo. wrote:Users of an upgraded 18.2 should at now not switch to LightDM or at least disable the guest account at once. This is a serious security hole in case of a local attacker. (Fresh installs of 18.2 are not affected.)
Maybe this could be a workaround, until there's a fix? In all of the other accounts:

Code: Select all

chmod -v 700 $HOME
Works.
Seems like 18.2 upgrade doesn't install AppArmor profile which 18.2 iso has.

[EDIT]

After testing 18.2 upgrade and 18.2 iso in a VM, I can confirm that both versions have lightdm-guest-session AppAmor profile.
However in 18.2 upgrade, I couldn't run command aa-status because package apparmor was not installed.
Then I installed apparmor in 18.2 upgrade and after rebooting the system, the profile lightdm-guest-session gets loaded and guest-session works as intended.
Last edited by laederlappen on Tue Jul 04, 2017 7:06 pm, edited 1 time in total.

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: 18.2 Sonya guest account accesses documents and pictures

Post by Cosmo. » Tue Jul 04, 2017 6:58 pm

Pjotr wrote:
Cosmo. wrote:Users of an upgraded 18.2 should at now not switch to LightDM or at least disable the guest account at once. This is a serious security hole in case of a local attacker. (Fresh installs of 18.2 are not affected.)
Maybe this could be a workaround, until there's a fix? In all of the other accounts:

Code: Select all

chmod -v 700 $HOME
Correct, but in this case we don't need a guest account.

It is not the task of the users to fix a security hole, this is the task of the dev team (which did not respond in 24 hours). :shock:

@laederlappen:
Might be something in this direction. But the file /etc/apparmor.d/lightddm.guest.session does exist in both systems (the upgraded and the fresh installed) and they are identical. There are indeed some differences in /etc/apparmor and /etc/apparmor.d (which possibly should not exist), but surely not all of them are related to this bug and this makes investigating difficult. (E. G. One difference concerns Firefox, what has surely nothing to do with the guest account; but possibly another leak. I am not sure about this, but I am astonished about the difference.)

So for now I warn against switching to lightdm in an upgraded system!

User avatar
laederlappen
Level 2
Level 2
Posts: 82
Joined: Fri May 19, 2017 11:34 pm
Location: Germany

Re: 18.2 Sonya guest account accesses documents and pictures

Post by laederlappen » Tue Jul 04, 2017 7:10 pm

@cosmo
I edited my previous post when you wrote your answer.
Last edited by laederlappen on Tue Jul 04, 2017 7:34 pm, edited 2 times in total.

Cosmo.
Level 23
Level 23
Posts: 17830
Joined: Sat Dec 06, 2014 7:34 am

Re: 18.2 Sonya guest account accesses documents and pictures

Post by Cosmo. » Tue Jul 04, 2017 7:31 pm

I confirm. apparmor is missing. This is either a bug in the upgrade mechanism or in the advice to switch to lightdm. I assume the first case.
There might be some reasons, why Clem left apparmor out in the upgrade process (like he did for lightdm), but in this case there would be the clear mistake in the instructions regarding lightdm, that also apparmor needs to get installed.

I confirm also, that after installing apparmor the guest session behaves as expected.

User avatar
Pjotr
Level 21
Level 21
Posts: 13146
Joined: Mon Mar 07, 2011 10:18 am
Location: The Netherlands (Holland)
Contact:

Re: 18.2 Sonya guest account accesses documents and pictures

Post by Pjotr » Wed Jul 05, 2017 4:02 am

It's not a bug in the upgrade mechanism, because that doesn't install LightDM in the first place.... It's apparently an omission in the how-to in the blog, for installing LightDM *after* the upgrade.

This is the current instruction:

Code: Select all

apt install slick-greeter lightdm-settings
Apparently it should be:

Code: Select all

apt install slick-greeter lightdm-settings apparmor
So I think a simple correction of the blog post announcing the availability of the upgrade path, should suffice. :)
Tip: 10 things to do after installing Linux Mint 19.2 Tina
Keep your Linux Mint healthy: Avoid these 10 fatal mistakes
Twitter: twitter.com/easylinuxtips
All in all, horse sense simply makes sense.

Post Reply

Return to “Other topics”