Bug 882385
| Summary: | Something is logging in under gdm account | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Steve Grubb <sgrubb> |
| Component: | gdm | Assignee: | Ray Strode [halfline] <rstrode> |
| Status: | CLOSED UPSTREAM | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | high | | |
| Version: | 18 | CC: | jrieden, rstrode |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-02-04 16:50:46 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 853068 | | |
Description
Steve Grubb
2012-11-30 20:10:30 UTC
Anyone looking into this? The audit trail still shows something is logging in under the gdm account when nothing should be. This seems to coincide with a user logging in. Thanks.

The login screen runs in its own confined session. These sessions are visible with:

```
$ loginctl list-sessions
   SESSION        UID USER             SEAT
         1         42 gdm              seat0

$ loginctl show-session 1
Id=1
Timestamp=Fri, 2013-02-01 13:22:28 EST
TimestampMonotonic=8555777424
DefaultControlGroup=name=systemd:/user/gdm/1
VTNr=1
Display=:0
Remote=no
Service=gdm-launch-environment
Leader=4272
Audit=1
Type=x11
Class=greeter
Active=yes
State=active
KillProcesses=no
IdleHint=no
IdleSinceHint=0
IdleSinceHintMonotonic=0
Name=gdm
```

Note, the login class is "greeter". We could remove pam_loginuid from /etc/pam.d/gdm-launch-environment but then I fear logind would not be able to track login sessions anymore.

The loginuid is for actual logins by people. It's not intended for system use. All daemons should have loginuid set to -1, meaning that it's a system process and not related to activity by a person. The only times that daemons or system processes should have a loginuid other than -1 is when an account has been hacked. Meaning that perhaps due to a misconfiguration, ftp (or any system account) has a valid shell instead of nologin and someone tried it at a login prompt and got system access. This is used by intrusion detection systems to identify suspicious system activity. pam_loginuid should be placed at a point where a user is logging in and has already given their password for their account. This used to be working correctly back in F-14, not sure when it changed, but it's definitely wrong now. Thanks.

I've done a little testing and logind seems to be able to cope with login sessions not having kernel session ids. I've pushed this: http://git.gnome.org/browse/gdm/commit/?id=f46bd9712e9452068199ceb44ed414cb8e408ce7 We may have to revisit this later if problems crop up.
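As an added illustration (not part of the bug report or of gdm), a small Python check for the condition the report describes: processes running under a system account whose kernel loginuid is set to a real uid instead of the unset value 4294967295, i.e. (uid_t)-1. The uid-below-1000 boundary for "system account" and the sample process list (modelled on the gdm greeter, uid 42, leader pid 4272 from the report) are assumptions made for the example.

```python
import os
from dataclasses import dataclass

UNSET_LOGINUID = 4294967295   # (uid_t)-1: kernel value for "no login session"
SYSTEM_UID_MAX = 999          # assumption: Fedora allocates uids < 1000 to system accounts


@dataclass
class Proc:
    pid: int
    uid: int        # real uid, from the Uid: line of /proc/<pid>/status
    loginuid: int   # contents of /proc/<pid>/loginuid
    comm: str       # Name: line of /proc/<pid>/status


def read_procs():
    """Collect every live process from /proc (Linux only); skips ones that vanish mid-scan."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/loginuid") as f:
                loginuid = int(f.read().strip())
            with open(f"/proc/{name}/status") as f:
                lines = f.read().splitlines()
            uid = int(next(l for l in lines if l.startswith("Uid:")).split()[1])
            comm = next(l for l in lines if l.startswith("Name:")).split(None, 1)[1]
        except (OSError, StopIteration, ValueError, IndexError):
            continue
        procs.append(Proc(int(name), uid, loginuid, comm))
    return procs


def suspicious(procs, system_uid_max=SYSTEM_UID_MAX):
    """Processes of system accounts that carry a login identity: the pattern the report flags."""
    return [p for p in procs if p.uid <= system_uid_max and p.loginuid != UNSET_LOGINUID]


# Constructed sample: the gdm greeter tagged with loginuid 42 is the only hit;
# a daemon with loginuid unset and a real user's shell with loginuid 1000 are normal.
SAMPLE = [
    Proc(1, 0, UNSET_LOGINUID, "systemd"),
    Proc(600, 0, UNSET_LOGINUID, "sshd"),
    Proc(4272, 42, 42, "gnome-session"),   # greeter after pam_loginuid ran
    Proc(5000, 1000, 1000, "bash"),        # interactive login by a person: expected
]

if __name__ == "__main__":
    for p in suspicious(read_procs() if os.path.isdir("/proc") else SAMPLE):
        print(f"pid {p.pid} ({p.comm}) uid={p.uid} loginuid={p.loginuid}")
```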