Bug 51318
| Field | Value |
|---|---|
| Summary | startx in rc.local runs X as root w/out a password |
| Product | [Retired] Red Hat Linux |
| Component | XFree86-Servers |
| Version | 7.1 |
| Hardware | i586 |
| OS | Linux |
| Status | CLOSED NOTABUG |
| Severity | medium |
| Priority | medium |
| Keywords | Security |
| Reporter | Sean Mahan <sean.mahan> |
| Assignee | Mike A. Harris <mharris> |
| QA Contact | David Lawrence <dkl> |
| Doc Type | Bug Fix |
| Last Closed | 2001-08-09 13:28:06 UTC |
Description
Sean Mahan
2001-08-09 13:28:02 UTC
Um, the graphical login will *never* come up as a result of running startx. It's a consequence of running gdm, xdm, or kdm.

Yeah, I figured that but put startx in your rc.local and it runs the command startx at boot and since rc.local runs any extra commands that you put in there as root it runs the command startx as root which, obviously, starts X. So, in other words it gives you an X session as root regardless of whether or not you are root or can even log in as root. Try it and you'll see what I mean. It's not a programmatic bug, I believe that it's a security issue.

No, it is not a programmatical bug, and no it is not a security issue at all in any way shape or form.

1) Only root can edit rc.local
2) Root can put whatever he/she chooses in rc.local

Instead of startx, consider what would happen if root put this in rc.local:

    rm -rf /

That illustrates why this is not a security issue. root can put whatever they like in there. It is up to root to put sensible commands in the initscripts. startx is *not* a sensible thing to put in there in a secure environment.

Solution: fire root
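
An added example, not part of the bug thread or of any Red Hat tooling: a shell check for the two conditions the thread turns on, that rc.local is editable only by root and that nothing in it starts an X session as root. The function name `audit_rc_local`, the finding labels and the default path `/etc/rc.d/rc.local` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a boot script such as rc.local, which init runs as root.
# audit_rc_local, its labels and the default path are assumptions of this example.

audit_rc_local() {
    f=${1:-/etc/rc.d/rc.local}
    if [ ! -f "$f" ]; then
        echo "MISSING $f"
        return 2
    fi
    status=0

    # ls -ldn gives the mode string and the numeric owner uid.
    listing=$(ls -ldn -- "$f")
    mode=$(printf '%s\n' "$listing" | awk '{print $1}')
    uid=$(printf '%s\n' "$listing" | awk '{print $3}')

    # The thread's argument rests on "only root can edit rc.local".
    if [ "$uid" != "0" ]; then
        echo "OWNER uid=$uid (expected 0)"
        status=1
    fi
    case $mode in
        ?????w*|????????w*)
            echo "WRITABLE mode=$mode (group or other can edit)"
            status=1 ;;
    esac

    # Drop comments, then report lines that start an X session as root.
    hits=$(sed 's/#.*//' "$f" | grep -nwE 'startx|xinit' || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/XSTART /'
        status=1
    fi
    return $status
}

# Run against the file named on the command line, if any.
if [ "$#" -gt 0 ]; then
    audit_rc_local "$1"
fi
```

The function prints one finding per line and returns non-zero when there is any, so it can gate a configuration-management run or a periodic audit job.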