Shutdown permissions

Bug #59397 reported by Mr_Person on 2006-09-07
262
Affects Status Importance Assigned to Milestone
hal (Ubuntu)
Undecided
Unassigned
xfce4-session (Ubuntu)
High
Unassigned

Bug Description

I run an Ubuntu server that people can VNC into. One of my users runs XFCE4 as their window manager and one day discovered that he could shutdown the server by just clicking the "shutdown" button from the XFCE logout menu.

I was pretty surprised that worked because no regular users have permission to issue any shutdown commands either from the command line or using GDM. After some research, I confirmed that HAL is to blame. As far as I can tell, XFCE sends a command to HAL via D-Bus, and it then executes /usr/share/hal/scripts/hal-system-power-shutdown. Since hald-runner (which I'm assuming is responsible for executing HAL scripts) runs as root, it's able to issue shutdown commands without any problems.

This is a pretty big problem for me. I can't have just any user issuing shutdown commands on a shared server. It's also worrying that HAL will execute scripts on behalf of any user as root. Is there any way to restrict what kinds of things HAL will do for users or at least keep it from running scripts as root?

Thanks!

(Question initially asked at: http://ubuntuforums.org/showthread.php?t=252559)

Gauvain Pocentek (gpocentek) wrote :

I think that it's related to Bug #47834. You need to use the kiosk mode to not let users shut down the server. IIRC it doesn't work fine in dapper, but is fixed in Edgy. Could you test?

Gauvain Pocentek (gpocentek) wrote :

See Bug #54034 too.

Mr_Person (mrperson) wrote :

I tested it on both my desktop and the server I administer. Both run Dapper. The change had the desired effect on my desktop but not on my server. I don't know what difference there would be between the two.

Also, even if there is a way to keep XFCE from giving those options, my understanding of the mechanism XFCE was using is that any user could issue a HAL Shutdown command through D-Bus and have it work. Unfortunately, I don't know enough about D-Bus to know if this is true...

This seems like a serious issue. Any updates?

Jani Monoses (jani) wrote :

no updates planned for dapper for now. This is fixed in edgy I think. Updating dapper will be considered depending on when 6.06.2 is planned (no ETA) and on the Xfce 4.4 release date.

Do you still have this issue in Ubuntu Feisty or Gutsy ?

Changed in xfce4-session:
status: New → Incomplete
importance: Undecided → High
Changed in hal:
status: New → Incomplete
Parthan SR (parth-technofreak) wrote :

As there has been no response for so long, this bug is closed as invalid. Please reopen it if you can confirm that it still exists.

Changed in xfce4-session:
status: Incomplete → Invalid
Changed in hal:
status: Incomplete → Invalid
Malcolm Scott (malcscott) wrote :

This bug does still exist in lucid, and is a serious issue for me.

Changed in hal (Ubuntu):
status: Invalid → Confirmed
Changed in xfce4-session (Ubuntu):
status: Invalid → Confirmed
Malcolm Scott (malcscott) wrote :

A workaround is to remove hal, since it's now only used for things which make no sense in a thin client environment (power management, shutdown, volume mounting etc.) -- after doing this there is still a shutdown button in XFCE but it just emits an error dialog.

Lionel Le Folgoc (mrpouit) wrote :

Please don't reopen 4-year-old bug reports, please (this one was about Xfce 4.2, we're at 4.6/4.8 now...). Instead, file a new one which will contain up-to-date info. ;)
Thanks!

Changed in hal (Ubuntu):
status: Confirmed → Invalid
Changed in xfce4-session (Ubuntu):
status: Confirmed → Invalid
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers