GDM allows root logins

Bug #484317 reported by Iain Buclaw
This bug affects 2 people
Affects Status Importance Assigned to Milestone
gdm (Ubuntu)
Declined for Lucid by Sebastien Bacher
Declined for Maverick by Sebastien Bacher

Bug Description

Binary package hint: gdm

Steps to reproduce:

1) Create a password for root
2) Logout
3) Login as root

Now, previous versions of Ubuntu prevented a graphical root login in GDM, and I see no reason why this should differ in the new versions.

There has always been a strict setup against graphical root logins, and it seems strange they are now but trivial.

ProblemType: Bug
Architecture: i386
CheckboxSubmission: d6517d529af25e3238a6fedb0ace8960
CheckboxSystem: 669b662da410063cc918e0f60cf6cddf
Date: Tue Nov 17 17:05:36 2009
DistroRelease: Ubuntu 9.10
InstallationMedia: Ubuntu-Netbook-Remix 9.10 "Karmic Koala" - Release i386 (20091028.4)
Package: gdm 2.28.1-0ubuntu1 [modified: usr/lib/gdm/gdm-crash-logger usr/lib/gdm/gdm-simple-slave usr/lib/gdm/gdm-factory-slave usr/lib/gdm/gdm-product-slave usr/lib/gdm/gdm-xdmcp-chooser-slave usr/lib/gdm/gdm-session-worker usr/lib/gdm/gdm-simple-chooser usr/lib/gdm/gdm-host-chooser usr/lib/gdm/gdm-simple-greeter usr/lib/gdm/gdm-user-switch-applet usr/sbin/gdm-binary usr/bin/gdmsetup usr/bin/gdmflexiserver usr/bin/gdm-screenshot]
ProcVersionSignature: Ubuntu 2.6.31-14.48-generic
SourcePackage: gdm
Tags: ubuntu-unr
Uname: Linux 2.6.31-14-generic i686
 (gnome-settings-daemon:7617): GLib-CRITICAL **: g_propagate_error: assertion `src != NULL' failed
 (gnome-settings-daemon:7617): GLib-CRITICAL **: g_propagate_error: assertion `src != NULL' failed
 (nautilus:7650): Eel-CRITICAL **: eel_preferences_get_boolean: assertion `preferences_is_initialized ()' failed
 (polkit-gnome-authentication-agent-1:7701): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed

Revision history for this message
Iain Buclaw (iainb) wrote :
Revision history for this message
Iain Buclaw (iainb) wrote :

Thankfully, the fix is trivial too:

Add the following to /etc/pam.d/gdm
auth required user != root quiet

Patch for the debian build attached.


Revision history for this message
WeatherGod (ben-v-root) wrote :

Iain, I have attempted to reproduce this on Karmic Koala using UNR, but root logins through the gdm is still results in authenication failure for me. How exactly did you set the password for the root account?

Changed in gdm (Ubuntu):
status: New → Incomplete
Revision history for this message
Connor Imes (ckimes) wrote :

I am able to reproduce this on a Lucid box using "sudo passwd root" to enable the root account. I haven't heard that Ubuntu was going to allow root logins through gdm even if the account is enabledf, so I believe this is a bug.
Thanks for your report, Iain.

Changed in gdm (Ubuntu):
importance: Undecided → Medium
status: Incomplete → Triaged
Revision history for this message
Iain Buclaw (iainb) wrote :

Just running "sudo passwd" is enough to set the password.

Actually, after having a sleep on it, would it be useful just to deny uid's < 1000 and the 'nobody' user?


auth required uid >= 1000 quiet
auth required user != nobody quiet

This, I think will restore the original behaviour.


Revision history for this message
Kees Cook (kees) wrote :

Even when a root password was set, gdm (Jaunty and prior) would not allow root to log in:
"The system administrator is not allowed to login from this screen"

This behavior should be restored, but not via pam stack manipulations, as it would lack the gdm-greeter feedback above.

Revision history for this message
Iain Buclaw (iainb) wrote :

@Kees, I agree.

This patch attached should do just that.

It's a slight modification of another part of the gdm code that disallows the showing of system users in the selection screen. Copied it into the do_accredit stage of the user authorisation, tested and it works as expected.

Just putting it in the debian/patches folder will apply it to the build.


Revision history for this message
Iain Buclaw (iainb) wrote :
Revision history for this message
Iain Buclaw (iainb) wrote :

And imported all the relevant translations from gdm-2.20 into gdm-2.28 (using a perl script to grab+insert into files, so there may be error, although I'm confident there isn't).

If anyone has any comments - greatly appreciated. As I'm learning here as much as I am contributing.


Revision history for this message
Iain Buclaw (iainb) wrote :

And with regards to bug #459199, updated to match system uid configuration.

Also, renamed it to "disallow_invalid_login" to better describe what it does.


Revision history for this message
Iain Buclaw (iainb) wrote :

Can someone confirm if this bug is still the case in Lucid? If not, I'll have a prep machine in a few days.

Also, if anyone has any direction on where this is heading, please let me know also. Specifically, does this need patching? Or should the wiki be updated to reflect the new behaviour of GDM?


tags: added: patch
tags: added: ubuntu
removed: apport-bug i386
Revision history for this message
Lenin (gagarin) wrote :

i'm glad it does, ctrl-alt-f1 doesn't seem to work anymore, sometimes

Revision history for this message
Jonathan Reed (jdreed) wrote :

In response to #11, I confirm the bug is still present in Lucid.

jdreed@adjective-animal:~$ apt-cache policy gdm
  Version table:
 *** 0
        500 lucid-updates/main Packages
        100 /var/lib/dpkg/status
     2.30.0-0ubuntu5 0
        500 lucid/main Packages

Revision history for this message
Twisted Lincoln, Inc. (twistedlincoln) wrote :

This behavior should be configurable, rather than forced. While I agree that the default should be to forbid a root login with GDM, one should be able to enable such functionality if they so choose.

Revision history for this message
Olivier Mengué (dolmen) wrote :

This bug is marked "Declined for Maverick by Sebastien Bacher". Can we have an explanation? Is it an Ubuntu policy change regarding root login?

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.