Ubuntu
gdm3 package

GDM does not prevent users with login shell /sbin/nologin from logging on

Bug #2039354 reported by Geert Uytterhoeven
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
gdm3 (Fedora)
Fix Released
High
gdm3 (Ubuntu)
New
Undecided
Unassigned

Bug Description

Version: 42.0-1ubuntu7.22.04.3
Release: Ubuntu 22.04.3 LTS

A user with login-shell set to /sbin/nologin is still able to login using GDM.

See also https://bugzilla.redhat.com/show_bug.cgi?id=1745147

Tags: jammy
Revision history for this message
In , sfroemer (sfroemer-redhat-bugs) wrote :

Description of problem:
A user with login-shell set to /sbin/nologin is still able to login using GDM

Version-Release number of selected component (if applicable):
gdm-3.28.3-20.el8.x86_64

How reproducible:
100%

Steps to Reproduce:
1. RHEL 8
2. useradd -s /sbin/nologin -m user2
3. login via GDM

Actual results:
The user is able to login

Expected results:
The user should not be able to login

Additional info:
# grep user2 /etc/passwd
user2:x:1001:1001::/home/user2:/sbin/nologin

# w
 17:39:27 up 30 min, 2 users, load average: 0,80, 0,17, 0,07
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root pts/0 172.16.100.100 17:09 1.00s 0.11s 0.01s w
user2 :1 :1 17:39 ?xdm? 16.42s 0.02s /usr/libexec/gdm-x-session gnome-session

# su - user2
Last login: Fr Aug 23 17:39:24 UTC 2019 on tty2
This account is currently not available.

Revision history for this message
In , dchen (dchen-redhat-bugs) wrote :

I can reproduce it with gdm-3.28-3-20.el8.x86_64

Revision history for this message
In , rstrode (rstrode-redhat-bugs) wrote :

So this is an interesting bug.

For console logins, they get the lock out for "free", because they're just handing off to the shell which is /sbin/nologin.

For graphical logins, we're starting a graphical desktop, not the users shell.

We do still run a shell, however, as part of the login process. /usr/bin/gnome-session is a shell script that does:

if [ "x$XDG_SESSION_TYPE" = "xwayland" ] &&
   [ "x$XDG_SESSION_CLASS" != "xgreeter" ] &&
   [ -n "$SHELL" ] &&
   grep -q "$SHELL" /etc/shells &&
   ! (echo "$SHELL" | grep -q "false") &&
   ! (echo "$SHELL" | grep -q "nologin"); then
  if [ "$1" != '-l' ]; then
    exec bash -c "exec -l '$SHELL' -c '$0 -l $*'"
  else
    shift
  fi
fi

See it runs exec -l '$SHELL' to execute the users shell as a "login shell" so all the appropriate startup scripts get run.

But also see it explicitly avoids this step for the "nologin" shell. The reasoning for this is discussed upstream here:

https://bugzilla.gnome.org/show_bug.cgi?id=736660#c58

Namely, the login screen itself uses gnome-session and has its shell set to nologin!

But i think we're still safe to remove the check because we also check XDG_SESSION_CLASS to make sure it's not a login screen before proceeding.
In other words, we had redundant checks to skip the script loading for the login screen and dropping one shouldn't hurt anything.

Dropping it, will mean that we try to run nologin as the users shell during login. it will fail and login will be aborted which is the desired behavior.

devack+

Revision history for this message
In , errata-xmlrpc (errata-xmlrpc-redhat-bugs) wrote :

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1766

Seth Arnold (seth-arnold)
information type: Private Security → Public Security
Daniel van Vugt (vanvugt)
tags: added: jammy
Bug Watch Updater (bug-watch-updater)
Changed in gdm3 (Fedora):
importance: Unknown → High
status: Unknown → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.