[OpenIndiana-discuss] [SECURITY] Security issue in lightdm
Alexander Pyhalov
alp at rsu.ru
Wed May 10 14:58:35 UTC 2017
Hello, guys, I have bad news.
We've found that if VNC or XDMCP access was enabled in lightdm, a remote
unauthorized user could shut down or reboot the system. The issue was fixed
in
https://github.com/OpenIndiana/oi-userland/commit/97177ec9190d6e81c6bc6dd7ae8e2c3835044e8c
(system/display-manager/lightdm at 1.19.3-2017.0.0.3).
I have a suspicion that this issue can also appear in an SRSS environment.
If someone who desires to run lightdm with SRSS can set up a test system
and check it, we can get a working fix.
For now, the mentioned commit disables power actions for all non-local
sessions. We detect non-local sessions as those which have an associated
terminal (/dev/vt/*).
You can disable the power actions menu for all sessions by setting
indicators to something like
~spacer;~spacer;~host;~spacer;~session;~a11y;~clock
in /etc/lightdm/lightdm.conf.
The question I have is if we should do it by default...
--
Best regards,
Alexander Pyhalov,
system administrator of Southern Federal University IT department
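
An added example, not part of the original post or of the oi-userland fix: a small audit that reads a lightdm configuration and reports whether remote access is enabled while the greeter still shows the power menu. The section names `XDMCPServer` and `VNCServer`, the `~power` indicator name, and treating an unset `indicators` key as "power menu shown" are assumptions not stated in the post; the sample configuration is constructed.

```python
import configparser
import sys

# Constructed sample configuration, not taken from a real system.
SAMPLE_CONF = """\
[XDMCPServer]
enabled=true

[VNCServer]
enabled=false

[greeter]
indicators=~host;~spacer;~clock;~spacer;~session;~a11y;~power
"""

# Assumed names of the remote-access sections in lightdm.conf.
REMOTE_SECTIONS = ("XDMCPServer", "VNCServer")


def audit(conf_text):
    """Return (enabled_remote_sections, power_menu_shown, needs_review)."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)

    remote = [
        s for s in REMOTE_SECTIONS
        if cp.has_section(s)
        and cp.get(s, "enabled", fallback="false").strip().lower() == "true"
    ]

    # Accept an "indicators" key in any section of the file being checked.
    indicators = None
    for section in cp.sections():
        if cp.has_option(section, "indicators"):
            raw = cp.get(section, "indicators")
            indicators = [i.strip() for i in raw.split(";") if i.strip()]

    # Assumption: with no explicit list the greeter default applies, so
    # report the power menu as shown rather than silently passing.
    power_shown = indicators is None or "~power" in indicators
    return remote, power_shown, bool(remote) and power_shown


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    remote, power_shown, needs_review = audit(text)
    print("remote access enabled:", ", ".join(remote) or "none")
    print("power menu shown:", power_shown)
    print("needs review:", needs_review)
```

The check looks only at configuration; it does not tell you whether the fixed package version is installed.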