It was reported that sddm has several issues leading to local privilege escalation:

[1] The xauth cookie handling code calls the xauth binary via popen() as root, which in turn dumps and creates files as root in the user's ~.
[2] After xauth has done its job, sddm chown()s the ~/.Xauthority file to the user. This is a race and a local root exploit.
[3] The .xsession-errors file is created in ~, but as root. This allows destroying arbitrary system files.

Upstream patch is at [4].

[1] https://bugzilla.suse.com/show_bug.cgi?id=897788#c7
[2] https://bugzilla.suse.com/show_bug.cgi?id=897788#c8
[3] https://bugzilla.suse.com/show_bug.cgi?id=897788#c9
[4] https://github.com/sddm/sddm/pull/280
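The three findings above share one root cause: a root process creates a file at a path inside a directory the user controls, and then fixes ownership up afterwards by path. The added example below (editor's code, not sddm's and not the upstream pull request) shows that pattern next to one hardened variant for the case where the privileged process really must touch the user's home: open the directory itself with O_NOFOLLOW, create the file relative to that directory descriptor with O_NOFOLLOW, validate the resulting descriptor with fstat(), and transfer ownership with fchown() on the descriptor rather than chown() on the path. The cleaner fix for a display manager is to run xauth with the user's own uid/gid in a child process so that no root-owned file is ever created in ~; that is general hardening advice, not a description of what the sddm patch does. The file and directory names, the helper functions and the temporary directory standing in for a home directory are all constructed for the demo; run as an unprivileged user it can only show the symlink being followed and the target truncated, whereas the report concerns the same calls made by root.

```c
/* Added example: root-creates-then-chowns pattern vs. a descriptor-based
 * hardened variant. Build: cc -Wall -o homefile homefile.c && ./homefile */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Shape of the bug: create by path (fopen follows a planted symlink and
 * truncates whatever it points at), then chown by path (chown() follows
 * symlinks too, so the link target is handed to the user). 0 on success. */
int create_then_chown_racy(const char *path, uid_t uid, gid_t gid)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fclose(f);
    return chown(path, uid, gid);
}

/* Hardened variant: never follow symlinks, validate the open descriptor,
 * and change ownership on the descriptor only. Returns the open fd
 * (caller writes through it and closes it) or -1 with errno set. */
int open_user_file_safely(const char *dir, const char *name,
                          uid_t uid, gid_t gid)
{
    struct stat st;
    int saved;

    /* The directory must be the user's own, and must not be a symlink. */
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (dirfd < 0)
        return -1;
    if (fstat(dirfd, &st) < 0 || st.st_uid != uid) {
        close(dirfd);
        errno = EPERM;
        return -1;
    }

    /* O_NOFOLLOW: a symlink at this name fails with ELOOP instead of being
     * followed, even with O_CREAT. */
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_NOFOLLOW | O_CLOEXEC,
                    0600);
    saved = errno;
    close(dirfd);
    errno = saved;
    if (fd < 0)
        return -1;

    /* Reject hard links (nlink > 1), non-regular files, and pre-existing
     * files owned by anyone other than the user or ourselves (a freshly
     * created file is owned by our effective uid until fchown below). */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        (st.st_uid != uid && st.st_uid != geteuid())) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    if (fchown(fd, uid, gid) < 0) {   /* by descriptor: no path to race */
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Demo helpers (constructed for this example). */
int write_text(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(text, f);
    return fclose(f);
}

long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

int main(void)
{
    char home[] = "/tmp/homefile-demo-XXXXXX";      /* stands in for ~ */
    if (mkdtemp(home) == NULL) {
        perror("mkdtemp");
        return 1;
    }
    char victim[4096], planted[4096];
    snprintf(victim, sizeof victim, "%s/system-file", home); /* stands in for a file outside ~ */
    snprintf(planted, sizeof planted, "%s/.xsession-errors", home);
    write_text(victim, "important contents\n");
    symlink(victim, planted);                         /* the user's planted link */

    int rc = create_then_chown_racy(planted, getuid(), getgid());
    printf("racy:   rc=%d, victim is now %ld bytes\n", rc, file_size(victim));

    int fd = open_user_file_safely(home, ".xsession-errors", getuid(), getgid());
    printf("safe on symlink:    fd=%d (%s)\n", fd, fd < 0 ? strerror(errno) : "ok");
    fd = open_user_file_safely(home, ".Xauthority", getuid(), getgid());
    printf("safe on clean name: fd=%d\n", fd);
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Running it as an ordinary user, the racy variant reports rc=0 with the victim truncated to 0 bytes, the hardened variant refuses the planted symlink with ELOOP, and the clean name yields a usable descriptor. The window between the create and the chown in the racy variant is what the report calls a race: the user can swap the symlink in after the file is created, so the chown lands on the link target.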
Created sddm tracking bugs for this issue:

Affects: fedora-all [bug 1149629]
Proposed as a Freeze Exception for 21-beta by Fedora user rdieter using the blocker tracking app because: local privilege escalation security issue, associated bodhi update has requisite karma.
Discussed at 2014-10-22 freeze exception review meeting: http://meetbot.fedoraproject.org/fedora-blocker-review/2014-10-22/f21-blocker-review.2014-10-22-16.03.log.txt . Accepted as a freeze exception issue - obviously, privescs in a release-blocking desktop's login manager are V. Bad. It'd be good to have a fix for this ASAP.
The fix is already queued for stable as FEDORA-2014-12442, it just wants to be pulled in.
There's a caveat however: fedora-livecd-kde-base.ks does this:

# set up autologin for user liveuser
sed -i 's/^AutoUser=.*/AutoUser=liveuser/' /etc/sddm.conf

This needs updating when/if FEDORA-2014-12242 hits, for 2 reasons:

1. AutoUser= is not the syntax for the latest sddm; it now uses User= in an [Autologin] group.
2. There is no default /etc/sddm.conf shipped anymore on which one could run sed.

IMHO, this is very user-unfriendly. The package should ship a default config file that users can edit. But the kickstart could probably just use cat instead of sed for now.

Martin Bříza, can you please update the master branch of spin-kickstarts with the new logic ASAP, or tell me what to put in there, so we have something to cherry-pick? Rawhide already has the new SDDM, so this should have already happened! (There's no way autologin is working on Rawhide KDE live images right now.)

Is this enough?

cat >/etc/sddm.conf <<EOF
[Autologin]
User=liveuser
EOF

Or do we have to generate a complete config file?
Created attachment 949792
Patch for spin-kickstarts

Seems I can't push to spin-kickstarts - here is a patch that should fix the problem.
Applied to master.
Now fixed on master - mbriza, you can't use EOF there, because you're nested within the "cat >> /etc/rc.d/init.d/livesys << EOF" block. You have to use something else - see how the other blocks use MENU_EOF, AKONADI_EOF, etc. I changed it to use SDDM_EOF.
I built a live image with the new sddm and mbriza's patch to spin-kickstarts. It black-screens on boot. /var/log/sddm.log has:

(EE) DAEMON: Failed to find command for session: "plasma.desktop"
sddm-0.9.0-2.20141007git6a28c29b.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
Whoops, forgot to note that I fixed c#9.
Setting ON_QA for F21, we pulled the updated sddm into Beta.
VERIFIED at least that the updated version is in Beta RC4 and works correctly.
The updated sddm was pushed stable. Closing.