ldm logs users with non-default login shell in as root
Bug #1839431 reported by Veeti Veteläinen
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
LTSP5 | Fix Released | High | Vagrant Cascadian |
Bug Description
Steps to reproduce:
1. Change a user's login shell to /usr/bin/* (for ex. /usr/bin/fish) on the ltsp server
2. Login on a client as that user.
3. You should be logged in as root.
I didn't test if this happens with other shells than bash in /bin
CVE References
information type: | Private Security → Public Security |
Tested on Debian Buster. Seems to only happen on a fat client with some
shells. On thin clients, it simply fails to log in. Possibly related to:
https://bugs.debian.org/490897
Confirmed behavior logging in as root:
fish, tcsh, csh
Following shells log in as the correct user:
zsh, dash, /bin/sh (as dash), bash, mksh, ksh
Login hangs due to some unrelated problem:
sash
With some shells, the LDM_USERNAME environment variable remains unset, and so in /usr/share/ldm/rc.d/X95-run-x-session ends up calling:
su - ${LDM_USERNAME} ...
And ends up as root.
The quick fix would be to check if LDM_USERNAME is set and at least
error out if so, rather than granting root.
Still would be better to identify exactly where in the code we're
expecting LDM_USERNAME to be set and fix it or error out there.
live well,
vagrant
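
The guard suggested in the comment above, as an added example that is not part of the bug report or of LTSP's code: it shows how the unquoted `su - ${LDM_USERNAME}` loses its user argument when the variable is unset, next to a wrapper that fails closed instead. The function names, the `SU` override and the refusal of uid 0 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: a fail-closed guard for the `su - ${LDM_USERNAME}` call.
# Not LTSP code; function names and the SU override are hypothetical.

# Number of arguments the unguarded, unquoted call hands to su.
# With LDM_USERNAME unset the user argument vanishes, and su with no
# user argument targets root.
unguarded_argc() {
    # shellcheck disable=SC2086  # unquoted on purpose, mirrors the bug
    set -- - ${LDM_USERNAME} -c "$1"
    echo "$#"
}

# Resolve a user name to a uid; kept separate so it can be stubbed.
lookup_uid() {
    id -u "$1" 2>/dev/null
}

# Run "$1" as LDM_USERNAME, refusing anything that could end up as root.
run_as_ldm_user() {
    case "${LDM_USERNAME:-}" in
        "") echo "LDM_USERNAME unset or empty, refusing" >&2; return 1 ;;
        -*) echo "LDM_USERNAME looks like an option, refusing" >&2; return 1 ;;
    esac
    uid=$(lookup_uid "$LDM_USERNAME") || {
        echo "unknown user: $LDM_USERNAME" >&2; return 1; }
    # Assumption: root is never a legitimate LDM session user.
    if [ "$uid" -eq 0 ]; then
        echo "LDM_USERNAME resolves to uid 0, refusing" >&2; return 1
    fi
    # SU can be overridden for dry runs (assumption); the name is quoted
    # so it always occupies exactly one argument.
    "${SU:-su}" - "$LDM_USERNAME" -c "$1"
}
```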