[OpenIndiana-discuss] [SECURITY] Security issue in lightdm

Nikola M minikola at gmail.com
Thu May 11 05:19:12 UTC 2017


On 05/10/17 04:58 PM, Alexander Pyhalov wrote:
> Hello, guys, I have bad news.
>
> We've found that if VNC or XDMCP access was enabled in lightdm, a remote
> unauthorized user could shut down or reboot the system. The issue was fixed
> in
> https://github.com/OpenIndiana/oi-userland/commit/97177ec9190d6e81c6bc6dd7ae8e2c3835044e8c
> (system/display-manager/lightdm at 1.19.3-2017.0.0.3).
>
> I have a suspicion that this issue can also appear in an SRSS
> environment. If someone who wants to run lightdm with SRSS can
> set up a test system and check it, we can get a working fix.
>
> For now the mentioned commit disables power actions for all non-local
> sessions. We detect non-local sessions as those which have an associated
> terminal (/dev/vt/*).
>
> You can disable the power actions menu for all sessions by setting
> indicators to something like
> ~spacer;~spacer;~host;~spacer;~session;~a11y;~clock
> in /etc/lightdm/lightdm.conf.
> The question I have is whether we should do it by default...

Congrats on the fix. It is great to disable shutting down before logging
in with a lightdm remote session, because anyone wanting to do that
remotely should log in first.

I think that local and non-local sessions have the same problem. There
is no difference between someone unauthorized shutting down or
restarting the machine locally or remotely.
https://www.illumos.org/issues/8167

These are all indications that the 'Power' button also should not be in
the lightdm login screen by default in the first place. It was strange to me
how fast lightdm appeared there, and since I was not doing a fresh
install, but updating, I wasn't aware it is there by default.

I like to put it there IF I set up my workstation laptop installation,
but it should not be there by default in the first place. (First log in,
identify, and IF you have the rights, you can do power actions on the machine.)

I have a SunRay2 and could try setting up SRSS.
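A shell check for the mitigation described above (removing the power item from the greeter's indicators list), added here as an example and not code from the thread, from OpenIndiana or from lightdm. It assumes the key is named indicators, items are ';'-separated, and the power menu item is ~power, as in lightdm-gtk-greeter; the sample config is constructed.

```shell
# Added example, not from the thread or from lightdm itself. Assumes the
# greeter reads an "indicators" key, items separated by ';', and that the
# power menu item is "~power" (lightdm-gtk-greeter naming).

# Return 0 if the effective indicators list still contains ~power, 1 if not.
lightdm_power_indicator_present() {
    # The last uncommented "indicators=" line wins, as in ini-style readers.
    line=$(grep -E '^[[:space:]]*indicators[[:space:]]*=' "$1" | tail -n 1)
    # No explicit key: the greeter's built-in default applies, which we assume
    # includes ~power, so report it as present (the worst case).
    [ -z "$line" ] && return 0
    value=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
    case ";$value;" in
        *";~power;"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the config with ~power dropped from every indicators line; all other
# lines pass through unchanged. Redirect to a new file and review before use.
lightdm_strip_power_indicator() {
    awk '
        /^[ \t]*indicators[ \t]*=/ {
            sub(/^[^=]*=/, "", $0)
            n = split($0, items, ";")
            out = ""
            for (i = 1; i <= n; i++) {
                it = items[i]
                gsub(/[ \t]/, "", it)
                if (it == "~power" || it == "") continue
                out = (out == "" ? it : out ";" it)
            }
            print "indicators=" out
            next
        }
        { print }' "$1"
}

# Constructed sample config (not a real file) exercising both functions.
sample=$(mktemp)
printf '[greeter]\nindicators=~host;~spacer;~clock;~session;~a11y;~power\n' > "$sample"
lightdm_power_indicator_present "$sample" && lightdm_strip_power_indicator "$sample"
rm -f "$sample"
```

Run against /etc/lightdm/lightdm.conf (or the greeter's own config file on your system) to confirm the power menu is gone after applying the indicators line from the thread.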