|Summary:||Any user can launch X even if not logged on at console!!|
|Product:||[Retired] Red Hat Linux||Reporter:||Chris Evans <chris>|
|Component:||XFree86||Assignee:||David Lawrence <dkl>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:|
|Fixed In Version:||Doc Type:||Bug Fix|
|Last Closed:||1999-04-07 23:40:35 UTC||Type:||---|
Description Chris Evans 1999-04-02 18:22:58 UTC
This is irritating if nothing else. Why should a user be able to telnet in, type "startx", and affect the console? As a quick hack around this "Xwrapper" could be modified to reject the request to start up X unless the process is on a virtual console (tty1 etc.).
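A sketch of the virtual-console check proposed in the description, as an added example: it is not Xwrapper source and not the pam_console change that the later comments say was shipped. The function names are hypothetical, and it assumes Linux, where tty1 through tty63 are character devices with major number 4.

```c
/* Added example, not Xwrapper source; function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>

#define VC_MAJOR 4   /* assumption: Linux, where ttyN is major 4 */
#define VC_MAX   63  /* tty1..tty63; minor 64 and up are serial lines */

/* Return N for "/dev/ttyN" with N in 1..63, otherwise 0. */
int vc_number_from_path(const char *path)
{
    static const char prefix[] = "/dev/tty";
    char *end;
    long n;
    if (path == NULL || strncmp(path, prefix, sizeof prefix - 1) != 0)
        return 0;
    path += sizeof prefix - 1;
    /* Plain decimal only: rejects /dev/tty, /dev/tty0, /dev/ttyS0, /dev/tty01. */
    if (path[0] < '1' || path[0] > '9')
        return 0;
    n = strtol(path, &end, 10);
    return (*end == '\0' && n <= VC_MAX) ? (int)n : 0;
}

/* Return the console number if fd is a real virtual console, otherwise 0. */
int fd_virtual_console(int fd)
{
    struct stat st;
    int n = vc_number_from_path(ttyname(fd));  /* ttyname is NULL for non-ttys */
    if (n == 0 || fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode))
        return 0;
    /* Check the device numbers too, so a look-alike path is not enough. */
    if (major(st.st_rdev) != VC_MAJOR || (int)minor(st.st_rdev) != n)
        return 0;
    return n;
}

int main(void)
{
    int n = fd_virtual_console(STDIN_FILENO);
    if (n == 0) {
        fputs("refusing: stdin is not a virtual console\n", stderr);
        return 1;
    }
    printf("on virtual console tty%d\n", n);
    return 0;
}
```

A telnet session has a pseudo-terminal on stdin, so the check returns 0 there; a login on tty1 returns 1.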
Comment 1 michael 1999-04-05 00:42:59 UTC
This isn't a real security problem per se. I've had occasion to use this 'feature' in the past.
Comment 2 Preston Brown 1999-04-05 20:30:59 UTC
If we have time, we may implement a check for if the user is on the console for 6.0, but it really isn't a security concern. If someone does this to you, you call them up and get mad at them. :) If it doesn't make 6.0, it will make post-6.0.
Comment 3 Michael K. Johnson 1999-04-05 20:43:59 UTC
In particular, when this happens, it will be done by pamifying xwrapper and making it authenticate against pam_console by default. Then folks can add whatever other authentication they want -- like pam_time, for example...
Comment 4 Michael K. Johnson 1999-04-07 23:16:59 UTC
OK, I got time I didn't expect so I did this in time for 6.0 :-) Now sysadmins can set their own policy here without recompiling. Preston, go ahead and close this once the code is built into our XFree86 package.
Comment 5 Preston Brown 1999-04-07 23:40:59 UTC
This will be included in XFree86-126.96.36.199-40 and later.