Red Hat Bugzilla – Bug 1269917
lxdm: X server authorizations are not revoked after user log out
Last modified: 2016-07-19 14:09:23 EDT
Quoting from the report I sent upstream: lxdm does not restart X server after user log out. It also does not seem to do anything to revoke granted authorizations. So the following attack is possible on multi-user systems: - User1 logs in via lxdm. During the session start up, authentication cookie is copied to user1's .Xauthority. - User1 logs out. - As X server is not restarted and X server authentication cookies are not regenerated, user1 can still connect via text console or remotely via SSH and start X applications on the X server. - No authentication cookie change happens after log in of some other user2, so user1 can also mess with user2's session. Besides MIT-MAGIC authentication cookies, there are other authorizations that may need to be cleaned up. For example, user1 can run 'xhost +si:localuser:`id -un`' while they are logged in. That makes X server accept connections from given local user regardless of whether they have valid cookie or not. This authorization is also not revoked after user log out. At least in Fedora, 'xhost +si:localuser:`id -un`' is run when initializing user's X session. Version-Release number of selected component (if applicable): Tested with 0.4.1 in F22, but also with the 0.5.1-7.D20151007gite8f38708 from master rebuilt for F22.
Upstream pointed out that it's already possible to have lxdm restart X server after user logout by setting reset = 1 in the [server] section of the lxdm.conf. This functionality is available in Fedora 0.4.1 packages. Upstream also explained they default to no X restart to have faster and smoother logout. The issue is also pretty minor on single user machines. However, I'm not convinced Fedora should only assume it's only used in such use cases and default to safer reset=1. I see other *DMs (gdm, kdm, lightdm) do X restarts as well.
Making this public.
lxdm-0.5.3-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2015-e3ec4cbf8f
lxdm-0.5.3-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with $ su -c 'dnf --enablerepo=updates-testing update lxdm' You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-e3ec4cbf8f
lxdm-0.5.3-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.