Package: lightdm
Version: 1.2.2-1
Severity: normal

Dear Maintainer,

It appears everyone has access to lightdm's system bus, which means anyone with remote or local access can cause the seat to change user, lock screen or switch to the greeter.

I.e. the following commands can be executed by any user:

    dbus-send --print-reply --system --dest=org.freedesktop.DisplayManager /org/freedesktop/DisplayManager/Seat0 org.freedesktop.DisplayManager.Seat.SwitchToUser string:user1 string:
    dbus-send --print-reply --system --dest=org.freedesktop.DisplayManager /org/freedesktop/DisplayManager/Seat0 org.freedesktop.DisplayManager.Seat.SwitchToGreeter
    dbus-send --print-reply --system --dest=org.freedesktop.DisplayManager /org/freedesktop/DisplayManager/Seat0 org.freedesktop.DisplayManager.Seat.Lock

On a multiuser or multiseat environment, this might be problematic.
I think it should be limited to the active session and/or current seat.

Regards,
Yair.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.3.5-aufs-1 (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages lightdm depends on:
ii  adduser               3.113+nmu3
ii  consolekit            0.4.5-3
ii  dbus                  1.5.12-1
ii  debconf [debconf-2.0] 1.5.43
ii  libc6                 2.13-33
ii  libglib2.0-0          2.32.3-1
ii  libpam0g              1.1.3-7.1
ii  libxcb1               1.8.1-1
ii  libxdmcp6             1:1.1.1-1
ii  lightdm-gtk-greeter   1.1.6-1
ii  lightdm-qt-greeter    1.0.11-1

Versions of packages lightdm recommends:
ii  xserver-xorg          1:7.6+13

Versions of packages lightdm suggests:
ii  accountsservice       0.6.15-4

-- Configuration Files:
/etc/init.d/lightdm [Errno 2] No such file or directory: u'/etc/init.d/lightdm'
/etc/lightdm/lightdm.conf changed [not included]
/etc/pam.d/lightdm changed [not included]

-- debconf information:
  lightdm/daemon_name: /usr/sbin/lightdm
* shared/default-x-display-manager: lightdm
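
Added example, not part of the original report and not lightdm's own code: a small auditor that reads a D-Bus system bus policy file and lists which of the three Seat methods named above any bus client may call. Both policy strings are constructed for illustration; only context="default" rules are evaluated (the ones that apply to an arbitrary user), and the baseline of denying method calls when no rule matches is an assumption about the bus-wide configuration.

```python
import xml.etree.ElementTree as ET

DEST = "org.freedesktop.DisplayManager"
SEAT_PATH = "/org/freedesktop/DisplayManager/Seat0"
SEAT_IFACE = DEST + ".Seat"
METHODS = ("SwitchToUser", "SwitchToGreeter", "Lock")  # calls named in the report

# Constructed policy files for illustration, not copied from the lightdm package.
OPEN_POLICY = f"""<busconfig>
  <policy user="root"><allow own="{DEST}"/></policy>
  <policy context="default"><allow send_destination="{DEST}"/></policy>
</busconfig>"""
RESTRICTED_POLICY = f"""<busconfig>
  <policy context="default">
    <allow send_destination="{DEST}"/>
    <deny send_destination="{DEST}" send_interface="{SEAT_IFACE}"/>
  </policy>
</busconfig>"""


def rule_matches(rule, call):
    """A send rule matches when every send_* attribute it sets equals the call's value."""
    sent = {k: v for k, v in rule.attrib.items() if k.startswith("send_")}
    # Rules with no send_* attribute (own=, receive_*=) do not govern sending;
    # send_* keys absent from `call` are treated as non-matching.
    return bool(sent) and all(call.get(k) == v for k, v in sent.items())


def default_context_allows(policy_xml, call):
    """Apply context="default" rules in document order; the last match wins."""
    allowed = False  # assumption: bus-wide baseline denies method calls
    for policy in ET.fromstring(policy_xml).iter("policy"):
        if policy.get("context") != "default":
            continue
        for rule in policy:
            if rule.tag in ("allow", "deny") and rule_matches(rule, call):
                allowed = rule.tag == "allow"
    return allowed


def exposed_methods(policy_xml):
    """Return the Seat methods that any bus client is allowed to call."""
    base = {"send_destination": DEST, "send_interface": SEAT_IFACE,
            "send_path": SEAT_PATH, "send_type": "method_call"}
    return [m for m in METHODS
            if default_context_allows(policy_xml, {**base, "send_member": m})]


if __name__ == "__main__":
    print("open policy exposes:", exposed_methods(OPEN_POLICY))
    print("restricted policy exposes:", exposed_methods(RESTRICTED_POLICY))
```

A static bus policy can only match on user, group and message fields, so it cannot express "active session" or "current seat"; that distinction would have to be enforced by the service itself.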