Bug 1956
Summary: | Any user can launch X even if not logged on at console!! | ||
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | Chris Evans <chris> |
Component: | XFree86 | Assignee: | David Lawrence <dkl> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 6.0 | Keywords: | Security |
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | Doc Type: | Bug Fix | |
Last Closed: | 1999-04-07 23:40:35 UTC | Type: | --- |
Description
Chris Evans
1999-04-02 18:22:58 UTC
This isn't a real security problem per se. I've had occasion to use this 'feature' in the past. If we have time, we may implement a check for if the user is on the console for 6.0, but it really isn't a security concern. If someone does this to you, you call them up and get mad at them. :)

If it doesn't make 6.0, it will make post-6.0. In particular, when this happens, it will be done by pamifying xwrapper and making it authenticate against pam_console by default. Then folks can add whatever other authentication they want -- like pam_time, for example...

OK, I got time I didn't expect so I did this in time for 6.0 :-) Now sysadmins can set their own policy here without recompiling. Preston, go ahead and close this once the code is built into our XFree86 package.

This will be included in XFree86-3.3.3.1-40 and later.
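
A sketch of the policy the comments describe, added here as an illustration and not taken from the bug report or the XFree86 package: a PAM stack for the X wrapper that requires console ownership, with pam_time layered on as an extra restriction. The service name `xserver`, the use of pam_rootok, and the time.conf rule are assumptions.

```conf
# /etc/pam.d/xserver  (service name is an assumption; the report does not name the file)
#
# auth: root may always start the server (pam_rootok, an added assumption);
# any other user must be the one logged in at the physical console.
auth       sufficient   pam_rootok.so
auth       required     pam_console.so

# account: optional site policy on top of the console check. pam_time
# reads its rules from /etc/security/time.conf.
account    required     pam_time.so

# /etc/security/time.conf  (constructed rule)
# Format: services;ttys;users;times
# Non-root users may start X only on weekdays between 08:00 and 18:00.
xserver;*;!root;Wk0800-1800
```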