Re: [Pkg-xfce-devel] Bug#679872: lightdm: No access control for lightdm's system bus

Bug #1020019 reported by Yves-Alexis Perez
Affects                Status  Importance  Assigned to  Milestone
Light Display Manager  New     Undecided   Unassigned
Debian                 New     Undecided   Unassigned

Bug Description

  affects debian
  affects lightdm
  done

On lun., 2012-07-02 at 10:51 +0300, Yair Yarom wrote:
> Package: lightdm
> Version: 1.2.2-1
> Severity: normal
>
> Dear Maintainer,
>
> It appears everyone has access to lightdm's system bus, which means
> anyone with remote or local access can cause the seat to change user,
> lock screen or switch to the greeter.

That looks pretty bad indeed.
>
> I.e. the following commands can be executed by any user
> dbus-send --print-reply --system --dest=org.freedesktop.DisplayManager /org/freedesktop/DisplayManager/Seat0 org.freedesktop.DisplayManager.Seat.SwitchToUser string:user1 string:
>
> dbus-send --print-reply --system --dest=org.freedesktop.DisplayManager /org/freedesktop/DisplayManager/Seat0 org.freedesktop.DisplayManager.Seat.SwitchToGreeter
>
These two don't seem to do anything.

> dbus-send --print-reply --system --dest=org.freedesktop.DisplayManager /org/freedesktop/DisplayManager/Seat0 org.freedesktop.DisplayManager.Seat.Lock

This one does “lock” the session (goes back to the greeter). It's
annoying, although at least there's no security issue at first sight.

I'm forwarding this upstream.

Regards,
--
Yves-Alexis
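
An added example, not part of the thread and not lightdm's own code: a small audit that reads a D-Bus system-bus policy file and reports which of the three Seat methods from the report an arbitrary user may call. Both sample policies are constructed for illustration, the Seat interface name is taken from the dbus-send commands above, and the check assumes the bus denies method calls unless a rule allows them and models only `context="default"` rules.

```python
import xml.etree.ElementTree as ET

DEST = "org.freedesktop.DisplayManager"
SEAT = DEST + ".Seat"
METHODS = ("SwitchToUser", "SwitchToGreeter", "Lock")  # the calls from the report

# Constructed sample policies (assumptions, not copied from any lightdm release).
TEMPLATE = """<busconfig>
  <policy user="root"><allow own="{d}"/><allow send_destination="{d}"/></policy>
  <policy context="default">{rules}</policy>
</busconfig>"""
# Any user may send anything to the display manager.
OPEN_POLICY = TEMPLATE.format(d=DEST, rules=f'<allow send_destination="{DEST}"/>')
# Same, but calls on the Seat interface are denied for non-root users.
TIGHT_POLICY = TEMPLATE.format(d=DEST, rules=(
    f'<allow send_destination="{DEST}"/>'
    f'<deny send_destination="{DEST}" send_interface="{SEAT}"/>'))

def default_allows(policy_xml, member, iface=SEAT, dest=DEST):
    """True if the context="default" rules let any user make this method call.

    The last matching rule wins. The starting verdict is deny (assumed bus
    default). user=, group= and at_console= policies are not evaluated here.
    """
    msg = {"send_destination": dest, "send_interface": iface,
           "send_member": member, "send_type": "method_call"}
    verdict = False
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("context") != "default":
            continue
        for rule in pol:
            if rule.tag not in ("allow", "deny"):
                continue
            send = {k: v for k, v in rule.attrib.items() if k.startswith("send_")}
            # Skip own/receive rules and rules with attributes not modelled here
            # (send_path, send_broadcast, ...); review those by hand.
            if not send or not set(send) <= set(msg):
                continue
            if all(msg[k] == v for k, v in send.items()):
                verdict = rule.tag == "allow"
    return verdict

def exposed_methods(policy_xml):
    """Seat methods from the report that an unprivileged user can invoke."""
    return [m for m in METHODS if default_allows(policy_xml, m)]

if __name__ == "__main__":
    print("open :", exposed_methods(OPEN_POLICY))
    print("tight:", exposed_methods(TIGHT_POLICY))
```

To check a real system, pass the text of the installed policy file for org.freedesktop.DisplayManager to `exposed_methods`.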

