Bug 856962 - colord multiseat security issue
Summary: colord multiseat security issue
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: colord
Version: 19
Hardware: All
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Richard Hughes
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-09-13 08:52 UTC by Damian Ivanov
Modified: 2013-10-30 15:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-30 15:42:58 UTC
Type: Bug
Embargoed:



Description Damian Ivanov 2012-09-13 08:52:50 UTC
In the gnome-control-center ==> Color Management you can play with the settings of a monitor attached to another seat.

Comment 1 Richard Hughes 2012-09-14 08:22:37 UTC
I've got a "plugable" USB attached seat device thingie, and F18 alpha, but do you know how to set it up so that gdm/X starts on the second seat? If I can reproduce this I can likely fix it.

Comment 2 Damian Ivanov 2012-09-14 08:27:22 UTC
Just attaching a monitor to it should pop up gdm, else file a bug against systemd or gdm I guess. You can try loginctl attach seat1 devID_of_vga_card (see loginctl seat-status seat0 to see your devices).

Comment 3 Richard Hughes 2012-09-14 09:01:58 UTC
I guess we want to do something like http://cgit.freedesktop.org/udisks/commit/?id=91106cdc7622d9674f6083dcb524407f026a36c7 in colord.

Comment 4 Richard Hughes 2012-09-14 09:02:53 UTC
Ohh, random question. If user 1 is logged into seat A, and then user 1 also logs onto seat B, should user 1 be able to change the profiles on both seats?

Comment 5 Damian Ivanov 2012-09-14 09:07:00 UTC
Well, I think best would be to have an option for that in a config file in /etc.
But as for the default, I think this must be disabled, e.g. a multiseat setup in a school.
One child messes with the color settings of the teacher and renders his seat useless until he figures out what happened.

Comment 6 Damian Ivanov 2012-09-14 09:08:32 UTC
Sorry, didn't read that we were talking about user1 in both logins. I filed a bug against gdm that a user shouldn't be logged on two seats at the same time, as it breaks a few user space apps.

Comment 7 Richard Hughes 2012-09-14 12:15:14 UTC
I'll have to get multiseat working before I can work on the policy stuff. I've committed these which at least get things 90% there:

commit 5c185b5b28c3d4e930a87474ec48937db15d536b
Author: Richard Hughes <richard>
Date:   Fri Sep 14 12:40:54 2012 +0100

    trivial: Add some self tests for the seat feature addition

:100644 100644 8235efb... 8b33a6a... M  libcolord/cd-self-test.c

commit 0e0bc873002d9fa49a3425b317f6bb1be2f89d5f
Author: Richard Hughes <richard>
Date:   Fri Sep 14 12:40:15 2012 +0100

    Set the seat for devices created in the session
    
    To do this, we look up the session for the pid and then use that to get the seat.
    You need to have logind available to use this new feature.

:100644 100644 970344b... 4f22550... M  configure.ac
:100644 100644 a40e8d6... 3a501e4... M  src/Makefile.am
:100644 100644 f76f943... 70e237e... M  src/cd-common.c
:100644 100644 240babc... 06bd94f... M  src/cd-common.h
:100644 100644 63a5c34... 3c89896... M  src/cd-main.c

commit d5379022c6ba804b3b15def3ffcd3232114a7e31
Author: Richard Hughes <richard>
Date:   Fri Sep 14 12:31:56 2012 +0100

    Set the seat for devices discovered using udev

:100644 100644 e46ac73... 83e1763... M  src/plugins/cd-plugin-camera.c
:100644 100644 38d583c... 48e6f98... M  src/plugins/cd-plugin-scanner.c

commit 1fda25bb03f58cde0b936dd87d207df77b00c5b2
Author: Richard Hughes <richard>
Date:   Fri Sep 14 12:29:07 2012 +0100

    Add a 'seat' property to each device
    
    This contains the seat description, e.g. 'seat0' which we can use to limit a
    user on one seat's ability to change the settings of another seat.

:100644 100644 7aa6389... 58c07e7... M  client/cd-util.c
:100644 100644 9e40c1f... 4fcbacf... M  libcolord/cd-device.c
:100644 100644 1a4d25b... 96c6091... M  libcolord/cd-device.h
:100644 100644 ea93900... 7a59c2b... M  libcolord/cd-enum.h
:100644 100644 2591b89... 4126d3c... M  src/cd-device.c
:100644 100644 6c93afc... 17b067b... M  src/cd-device.h
:100644 100644 77e15d8... 63a5c34... M  src/cd-main.c
:100644 100644 c4ad583... ebf48e7... M  src/org.freedesktop.ColorManager.Device.xml
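
Added example, not part of the bug thread or of colord's source: a per-session seat check of the kind the commits in Comment 7 prepare for, resolving the caller's pid to a seat and comparing it with the device's 'seat' property. The deny-on-unknown policy, the names seat_may_modify and sample_lookup, and the sample sessions are assumptions made for illustration; a real daemon would back the lookup with logind's sd_pid_get_session() and sd_session_get_seat().

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/types.h>

/* Maps a caller pid to its seat name, or NULL when the caller has no seat
 * (remote login, unknown pid). A daemon would back this with logind:
 * sd_pid_get_session() followed by sd_session_get_seat(). */
typedef const char *(*seat_lookup_fn)(pid_t pid);

/* Hypothetical policy: allow a change only when the caller's seat and the
 * device's seat are both known and equal; anything unknown is refused. */
static bool seat_may_modify(seat_lookup_fn lookup, pid_t caller,
                            const char *device_seat)
{
    const char *caller_seat = lookup(caller);

    if (caller_seat == NULL || caller_seat[0] == '\0')
        return false;
    if (device_seat == NULL || device_seat[0] == '\0')
        return false;
    return strcmp(caller_seat, device_seat) == 0;
}

/* Constructed sample sessions standing in for logind. uid 1000 is logged in
 * on both seats (the case raised in Comment 4): because the check is keyed on
 * the calling process, each login only reaches its own seat's devices. */
struct sample_session { pid_t pid; uid_t uid; const char *seat; };
static const struct sample_session sample_sessions[] = {
    { 1201, 1000, "seat0" },
    { 1302, 1000, "seat1" },
    { 1403, 1001, "seat1" },
    { 1504, 1001, NULL },      /* remote session without a seat */
};

static const char *sample_lookup(pid_t pid)
{
    size_t n = sizeof sample_sessions / sizeof sample_sessions[0];
    for (size_t i = 0; i < n; i++)
        if (sample_sessions[i].pid == pid)
            return sample_sessions[i].seat;
    return NULL;
}

int main(void)
{
    /* A seat1 process asking to change a seat0 device must be refused. */
    return seat_may_modify(sample_lookup, 1403, "seat0") ? 1 : 0;
}
```

A check keyed on the user id alone would let uid 1000's seat1 login change seat0 devices; keying on the calling process keeps the two logins separate.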

Comment 8 Fedora End Of Life 2013-04-03 19:22:39 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

