Bug 22500

Summary: bash is executing ~/.profile even though ~/.bash_profile exists
Product: Mageia Reporter: Bit Twister <bittwister2>
Component: RPM PackagesAssignee: Shlomi Fish <shlomif>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: curtis_mageia, jani.valimaa, marja11, tmb
Version: 6   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: lightdm-1.18.3-3.mga6.src.rpm CVE:
Status comment:

Description Bit Twister 2018-02-01 00:54:55 CET 
Description of problem: mga6 official

bash is executing ~/.profile even though ~/.bash_profile exists upon login.

Invocation 4'th paragraph of man bash indicates ~/.bash_login and ~/.profile will not be executed if ~/.bash_profile exists.

       When bash is invoked as an interactive login shell, or as a  non-inter‐
       active  shell with the --login option, it first reads and executes com‐
       mands from the file /etc/profile, if that file exists.   After  reading
       that file, it looks for ~/.bash_profile, ~/.bash_login, and ~/.profile,
       in that order, and reads and executes commands from the first one  that
       exists  and  is  readable.

Seems like an easy way for malware to invoke its self without the user knowing ~/.profile is being executed during login.


Version-Release number of selected component (if applicable):


How reproducible: always


Steps to Reproduce:
1. echo "touch dot_profile.ran" >> ~/.profile
2. chmod +r ~/.profile
3. echo "touch dot_bash_login.ran " >> ~/.bash_login
4. chmod +x ~/.bash_login
5. log out/in
6. click up a terminal
7. ls -al *ran
Comment 1 Marja Van Waes 2018-02-01 15:14:28 CET 
Assigning to the registered maintainer.

CC: (none) => marja11
Assignee: bugsquad => shlomif

Comment 2 Thomas Backlund 2018-02-01 15:18:12 CET 
and what would prevent the same malware to invoke itself from .bash_profile ?

 :)

CC: (none) => tmb

Comment 3 Shlomi Fish 2018-02-01 15:57:57 CET 
Everything seems fine here on mga7, in a new user - ~/.profile does not get executed. I also agree with tmb's reasoning. Can I close this as wontfix?
Comment 4 Bit Twister 2018-02-01 16:53:38 CET 
(In reply to Shlomi Fish from comment #3)
>  I also agree with tmb's reasoning. Can I close this as wontfix?

I can also see tmb's reasoning, not everyone knows about ~/.profile and ~/.bash_login, but if they were looking through /etc/profile, /etc/bashrc, ~/.bash_profile they will not see where the malware was launched.

I mentioned it as just an example and am not here to defend other ways to insert malware. 

The bug is that bash is not following the defined Invocation rules.


> Everything seems fine here on mga7, in a new user - ~/.profile does not get
> executed.

Well, it does on my mga6 upgraded to Cauldron. No idea if it matters, running 

$ cat /etc/sysconfig/desktop 
DISPLAYMANAGER=LIGHTDM

$ echo $XDG_CURRENT_DESKTOP
XFCE
Comment 5 Jani Välimaa 2018-02-02 19:16:55 CET 
It comes from lightdm's /etc/lightdm/Xsession. I've added the sourcing calls there [1], but can't remember what was the exact problem.

I can drop the wrapper scriptlet from Cauldron and see if it causes issues.

[1] http://svnweb.mageia.org/packages?view=revision&revision=263830

CC: (none) => jani.valimaa

Comment 6 Bit Twister 2018-02-02 22:27:17 CET 
(In reply to Jani Välimaa from comment #5)
> It comes from lightdm's /etc/lightdm/Xsession. I've added the sourcing calls
> there [1], but can't remember what was the exact problem.

Heheh, always helps to add reason for change in the change log. :)
If not a comment above the code.

Work around: Prevent *profile calls.

Not noticing any impact in mga6 or mga7 after reboot.


]$ cat /etc/lightdm/Xsession
#!/bin/bash -login

if [ 1 -eq 0 ] ; then
[ -f /etc/profile ] && . /etc/profile
[ -f ~/.profile ] && . ~/.profile
fi

exec /etc/X11/Xsession $*

# Xsession ends here

Source RPM: bash-4.3-48.3.mga6.src.rpm => lightdm-1.18.3-3.mga6.src.rpm

Comment 7 Bit Twister 2018-02-03 01:17:15 CET 
latest lightdm-1.25.1-4.mga7 release removes /etc/lightdm/Xsession and prevents gui login.

Workaround.

created or restore /etc/lightdm/Xsession
Comment 8 Jani Välimaa 2018-02-03 09:17:30 CET 
(In reply to Bit Twister from comment #7)
> latest lightdm-1.25.1-4.mga7 release removes /etc/lightdm/Xsession and
> prevents gui login.
> 
> Workaround.
> 
> created or restore /etc/lightdm/Xsession

I can't reproduce the login issue with -4.mga7.

/etc/lightdm/Xsession was removed, but it's not used in anywhere. Lightdm config was switched to use Xsession wrapper from xinitrc.

$ grep -r Xsession /etc/lightdm/
/etc/lightdm/lightdm.conf.d/50-mageia.conf:session-wrapper=/usr/share/X11/xdm/Xsession

# grep -r Xsession /var/log/lightdm/lightdm.log
[+483.69s] DEBUG: Session pid=976: Running command /usr/share/X11/xdm/Xsession startxfce4
Comment 9 Bit Twister 2018-02-03 10:44:01 CET 
(In reply to Jani Välimaa from comment #8)
> 
> I can't reproduce the login issue with -4.mga7.
> 

I do not know what is going on. I tried 3 login attempts after the update and during DE init I was sent back to log login screen.
scp'ed a copy from mga6, next log in completed.

just now wiped it out, cleared all logs and rebooted and login works.
Curtis Hildebrand 2018-05-21 08:39:18 CEST

CC: (none) => curtis_mageia

Comment 10 Bit Twister 2018-09-03 08:15:31 CEST 
closing bug

Status: NEW => RESOLVED
Resolution: (none) => FIXED