[Pkg-xfce-devel] Bug#679872: Bug#679872: lightdm: No access control for lightdm's system bus
Yves-Alexis Perez
corsac at debian.org
Mon Jul 2 08:33:22 UTC 2012
On lun., 2012-07-02 at 10:51 +0300, Yair Yarom wrote:
> Package: lightdm
> Version: 1.2.2-1
> Severity: normal
>
> Dear Maintainer,
>
> It appears everyone has access to lightdm's system bus, which means
> anyone with remote or local access can cause the seat to change user,
> lock screen or switch to the greeter.
That looks pretty bad indeed.
>
> I.e. the following commands can be executed by any user
> dbus-send --print-reply --system --dest=org.freedesktop.DisplayManager /org/freedesktop/DisplayManager/Seat0 org.freedesktop.DisplayManager.Seat.SwitchToUser string:user1 string:
>
> dbus-send --print-reply --system --dest=org.freedesktop.DisplayManager /org/freedesktop/DisplayManager/Seat0 org.freedesktop.DisplayManager.Seat.SwitchToGreeter
>
These two don't seem to do anything.
> dbus-send --print-reply --system --dest=org.freedesktop.DisplayManager /org/freedesktop/DisplayManager/Seat0 org.freedesktop.DisplayManager.Seat.Lock
This one does “lock” the session (goes back to the greeter). It's
annoying, although at least there's no security issue at first sight.
I'm forwarding this upstream.
Regards,
--
Yves-Alexis
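
An added example, not part of the original message and not lightdm's own code: a small audit of a D-Bus policy file for the three `Seat` methods named in the report, listing those that any local user may call. The policy text is constructed for illustration, and the evaluation is a simplified assumption (only `context="default"` policies in a single file, last matching rule wins, deny when nothing matches).

```python
import xml.etree.ElementTree as ET

# Constructed sample policy for illustration; not the file shipped by lightdm.
SAMPLE_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.freedesktop.DisplayManager"/>
    <allow send_destination="org.freedesktop.DisplayManager"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.freedesktop.DisplayManager"/>
    <deny send_destination="org.freedesktop.DisplayManager"
          send_interface="org.freedesktop.DisplayManager.Seat"
          send_member="SwitchToUser"/>
  </policy>
</busconfig>"""

DEST = "org.freedesktop.DisplayManager"
IFACE = "org.freedesktop.DisplayManager.Seat"
METHODS = ["SwitchToUser", "SwitchToGreeter", "Lock"]  # methods from the report


def rule_matches(rule, dest, interface, member):
    """True if an <allow>/<deny> send rule applies to this method call."""
    if rule.get("send_destination") != dest:
        return False
    # An omitted attribute acts as a wildcard for that field.
    return (rule.get("send_interface") in (None, interface)
            and rule.get("send_member") in (None, member))


def callable_by_anyone(policy_xml, dest=DEST, interface=IFACE, members=METHODS):
    """Return the members that the default policy leaves open to every user."""
    root = ET.fromstring(policy_xml)
    allowed = {m: False for m in members}  # assumed default: deny
    for policy in root.iter("policy"):
        if policy.get("context") != "default":
            continue  # user=/group= policies are out of scope for this check
        for rule in policy:
            if rule.tag not in ("allow", "deny"):
                continue
            for m in members:
                if rule_matches(rule, dest, interface, m):
                    allowed[m] = rule.tag == "allow"  # later rules override
    return sorted(m for m, ok in allowed.items() if ok)


if __name__ == "__main__":
    print("Callable by any user:", callable_by_anyone(SAMPLE_POLICY))
```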