[OpenIndiana-discuss] [SECURITY] Security issue in lightdm

Nikola M minikola at gmail.com
Sun May 14 06:24:57 UTC 2017


On 05/13/17 09:38 PM, Jim Klimov wrote:
>
>> I like to put it there IF I set up my workstation laptop installation,
>> but it should not be there by default in the first place. (First log
>> in,
>> identify and IF having rights, can do power actions on machine).
>>
>> I have a SunRay2 and could try setting up SRSS.
> I am not sure it is always a problem locally, considering hardware security (e.g. a local user has access to power button or cord of a server/workstation, though not to that of a vandal-protected kiosk), and for some deployments it may be better to let trigger graceful shutdowns quickly than to suffer a full login. Better have this ability togglable though, to suit everyone.
>
> FWIW, the Windows pre-login interface also has a button/menu to restart/shutdown/hibernate... the PC.

Luckily it is solved now: https://www.illumos.org/issues/8167
(There's also the longer explanation)
I think I should have been able to catch this before (IRC reporting), but I
haven't been testing installable media before lightdm inclusion in OI
201610 snapshot.

As the target audience is server and workstation usage of OpenIndiana,
for both of them it is unacceptable to have the ability to power down a machine
with working processes, without authorization, and that can disrupt
many hours (or days) of someone's work and important services.

We are long past the AT-power PC days, with power supplies that were powering
down the machine without sending a signal to the OS to shut it down.
Talk about physical access in a datacenter is unrelated to the issue of
having a software power button.

Yes, everyone has the possibility to enable the power button (just add ;power
to indicators= in /etc/lightdm/lightdm-gtk-greeter.conf), but there is no
need to have it on OpenIndiana servers and workstations by default.
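
An added example, not part of the original message and not OpenIndiana or lightdm code: a shell check for whether the `indicators=` key mentioned above lists a power entry in the `[greeter]` section. The function names are hypothetical, accepting the `~power` spelling alongside `power` is an assumption about other greeter versions, and an unset key is reported separately because the greeter then falls back to its built-in default, which this check cannot see.

```shell
#!/bin/sh
# Constructed audit helper for lightdm-gtk-greeter.conf-style files.

# greeter_indicators FILE
# Prints the last uncommented indicators= value found in [greeter], if any.
greeter_indicators() {
    awk '
        /^[ \t]*#/ { next }                  # skip comment lines
        /^[ \t]*\[/ {                        # track the current section
            sec = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            next
        }
        sec == "greeter" && /^[ \t]*indicators[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)    # drop "indicators ="
            sub(/[ \t]+$/, "", val)
            found = 1
        }
        END { if (found) print val }
    ' "$1"
}

# greeter_has_power FILE
# Exit 0 if the ;-separated list contains "power" or "~power", else 1.
greeter_has_power() {
    greeter_indicators "$1" | awk -F';' '
        { for (i = 1; i <= NF; i++) {
              t = $i
              gsub(/^[ \t]+|[ \t]+$/, "", t)
              if (t == "power" || t == "~power") hit = 1
          } }
        END { exit hit ? 0 : 1 }'
}

# When run with a path argument, report the finding for that file.
if [ "$#" -gt 0 ]; then
    if greeter_has_power "$1"; then
        echo "$1: power indicator listed (pre-login shutdown/restart exposed)"
    elif [ -n "$(greeter_indicators "$1")" ]; then
        echo "$1: indicators set, no power entry"
    else
        echo "$1: indicators unset, greeter default applies (not inspected)"
    fi
fi
```
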
