[Pkg-xfce-devel] Bug#658678: Bug#658678: lightdm: leaks FDs to child processes

Yves-Alexis Perez corsac at debian.org
Sun Feb 5 09:21:34 UTC 2012


 affects lightdm
 affects debian
 security yes
 summary "lightdm leaks FDs to child processes"
 done

tag 658678 security
thanks
On Sun, 2012-02-05 at 00:27 -0500, Austin Clements wrote:
> Package: lightdm
> Version: 1.0.6-3
> Severity: normal
> 
> Dear Maintainer,
> 
> lightdm appears to leak several file descriptors to the child process
> it creates for the session, which propagate to nearly every process
> running in an interactive session.
> 
> For example, running ls -l /proc/self/fd from a terminal in X yields
> 
> lrwx------ 1 amdragon amdragon 64 Feb  4 23:52 0 -> /dev/pts/15
> lrwx------ 1 amdragon amdragon 64 Feb  4 23:52 1 -> /dev/pts/15
> lr-x------ 1 amdragon amdragon 64 Feb  4 23:52 13 -> pipe:[10098]
> l-wx------ 1 amdragon amdragon 64 Feb  4 23:52 14 -> pipe:[10098]
> lr-x------ 1 amdragon amdragon 64 Feb  4 23:52 15 -> pipe:[10099]
> l-wx------ 1 amdragon amdragon 64 Feb  4 23:52 16 -> pipe:[10099]
> lrwx------ 1 amdragon amdragon 64 Feb  4 23:52 2 -> /dev/pts/15
> lr-x------ 1 amdragon amdragon 64 Feb  4 23:52 3 -> /proc/27874/fd/
> lr-x------ 1 amdragon amdragon 64 Feb  4 23:52 4 -> pipe:[9306]
> l-wx------ 1 amdragon amdragon 64 Feb  4 23:52 5 -> pipe:[9306]
> l-wx------ 1 amdragon amdragon 64 Feb  4 23:52 6 -> /var/log/lightdm/lightdm.log
> 
> FDs 4 through 16 were inherited from the lightdm process, as can be
> seen from its open FDs,
> 
> $ sudo ls -l /proc/`pidof lightdm`/fd
> total 0
> lrwx------ 1 root root 64 Feb  4 23:54 0 -> /dev/null
> lrwx------ 1 root root 64 Feb  4 23:54 1 -> /dev/null
> lr-x------ 1 root root 64 Feb  4 23:54 10 -> pipe:[9315]
> l-wx------ 1 root root 64 Feb  4 23:54 11 -> pipe:[9315]
> lrwx------ 1 root root 64 Feb  4 23:54 12 -> socket:[10302]
> lr-x------ 1 root root 64 Feb  4 23:54 13 -> pipe:[10098]
> l-wx------ 1 root root 64 Feb  4 23:54 14 -> pipe:[10098]
> lr-x------ 1 root root 64 Feb  4 23:54 15 -> pipe:[10099]
> l-wx------ 1 root root 64 Feb  4 23:54 16 -> pipe:[10099]
> lrwx------ 1 root root 64 Feb  4 23:54 17 -> socket:[10101]
> lrwx------ 1 root root 64 Feb  4 23:54 2 -> /dev/null
> lrwx------ 1 root root 64 Feb  4 23:54 3 -> anon_inode:[eventfd]
> lr-x------ 1 root root 64 Feb  4 23:54 4 -> pipe:[9306]
> l-wx------ 1 root root 64 Feb  4 23:54 5 -> pipe:[9306]
> l-wx------ 1 root root 64 Feb  4 23:54 6 -> /var/log/lightdm/lightdm.log
> lrwx------ 1 root root 64 Feb  4 23:54 7 -> anon_inode:[eventfd]
> lrwx------ 1 root root 64 Feb  4 23:54 8 -> socket:[8076]
> lrwx------ 1 root root 64 Feb  4 23:54 9 -> anon_inode:[eventfd]
> 
> FD 6 is particularly worrisome, as it allows any process to write to
> the root-owned lightdm log.
> 
> It might be relevant that I use an .xsession script and Xmonad with no
> desktop environment. 

Yep, you seem to be right. I don't inherit them in all my processes, but
indeed xfce4-session has them. Forwarding to upstream and tagging
security.

I'm not completely sure what the security impact is right now, as I
don't exactly know what the relevant “shared” fds are, except the lightdm.log.
There's one where the pipe is opened by Xorg too but that might be
normal.

Regards,
-- 
Yves-Alexis
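
One way to check which descriptors a session process shares with its parent, as an added example that is not part of the original thread or of lightdm's code: it reads `/proc/<pid>/fd` for both processes (Linux only) and reports descriptors above stdio that have the same number and target in each. The function names, the temporary log file and the `sleep` child are assumptions for illustration; the `inheritable=False` case shows the same descriptor with close-on-exec left set.

```python
import os
import stat
import subprocess
import tempfile


def fd_table(pid):
    """Map fd number -> (target, writable) read from /proc/<pid>/fd (Linux only)."""
    base = f"/proc/{pid}/fd"
    table = {}
    for name in os.listdir(base):
        path = os.path.join(base, name)
        try:
            target = os.readlink(path)
            # Owner bits on the symlink mirror the open mode (the l-wx column in ls -l).
            writable = bool(os.lstat(path).st_mode & stat.S_IWUSR)
        except OSError:
            continue  # descriptor was closed while we were listing
        table[int(name)] = (target, writable)
    return table


def inherited_fds(parent, child):
    """Descriptors above stdio with the same number and target in both tables.

    Heuristic: equal number and target is taken to mean the child inherited it.
    """
    return {fd: child[fd] for fd in child
            if fd > 2 and fd in parent and parent[fd][0] == child[fd][0]}


def audit_child(inheritable):
    """Open a log-like file, spawn a child, return (log_fd, inherited table)."""
    with tempfile.NamedTemporaryFile(suffix=".log") as log:  # constructed stand-in for a daemon log
        fd = os.open(log.name, os.O_WRONLY | os.O_APPEND)  # Python sets close-on-exec by default
        os.set_inheritable(fd, inheritable)  # True clears close-on-exec, reproducing the leak
        child = subprocess.Popen(["sleep", "5"], close_fds=False)
        try:
            return fd, inherited_fds(fd_table(os.getpid()), fd_table(child.pid))
        finally:
            child.kill()
            child.wait()
            os.close(fd)


if __name__ == "__main__":
    for inheritable in (True, False):
        fd, found = audit_child(inheritable)
        print(f"inheritable={inheritable}: log fd {fd} in child: {fd in found}", found)
```
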