Bug 1956 - Any user can launch X even if not logged on at console!!
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: XFree86
6.0
All Linux
medium Severity medium
Assigned To: David Lawrence
: Security
Reported: 1999-04-02 13:22 EST by Chris Evans
Modified: 2008-05-01 11:37 EDT
Doc Type: Bug Fix
Last Closed: 1999-04-07 19:40:35 EDT
Description Chris Evans 1999-04-02 13:22:58 EST
This is irritating if nothing else. Why should a user be
able to telnet in, type "startx", and affect the console?

As a quick hack around this "Xwrapper" could be modified to
reject the request to start up X unless the process is on a
virtual console (tty1 etc.)
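
The "quick hack" suggested in the description above, as an added example: it is not part of the original report and is not Red Hat's Xwrapper code. The function names, the use of stdin as the descriptor to test, and the 1..63 range of virtual console numbers are assumptions of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 1 if path names a Linux virtual console, /dev/tty1 .. /dev/tty63
 * (range assumed). Rejects /dev/tty, /dev/tty0, /dev/ttyS0, /dev/pts/N. */
int is_vc_path(const char *path)
{
    static const char prefix[] = "/dev/tty";
    const size_t plen = sizeof(prefix) - 1;
    const char *num;
    char *end;
    long n;

    if (path == NULL || strncmp(path, prefix, plen) != 0)
        return 0;
    num = path + plen;
    /* Require a decimal number with no leading zero right after "tty". */
    if (!isdigit((unsigned char)num[0]) || num[0] == '0')
        return 0;
    n = strtol(num, &end, 10);
    return *end == '\0' && n >= 1 && n <= 63;
}

/* Return 1 only if fd is a character-device terminal whose name, as
 * resolved by ttyname(), is a virtual console. Fails closed on any error. */
int caller_on_console(int fd)
{
    struct stat st;
    const char *name;

    if (!isatty(fd) || fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode))
        return 0;
    name = ttyname(fd);
    return name != NULL && is_vc_path(name);
}

int main(void)
{
    /* A wrapper would make this check before starting the X server. */
    if (!caller_on_console(STDIN_FILENO)) {
        fprintf(stderr, "refusing to start X: not on a virtual console\n");
        return 1;
    }
    puts("caller is on a virtual console; X server start would proceed");
    return 0;
}
```

The check trusts the descriptor the caller hands to the wrapper, so it is a hard-coded policy and no more than that.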
Comment 1 michael 1999-04-04 20:42:59 EDT
This isn't a real security problem per se. I've had occasion
to use this 'feature' in the past.
Comment 2 Preston Brown 1999-04-05 16:30:59 EDT
If we have time, we may implement a check for if the user is on the
console for 6.0, but it really isn't a security concern.  If someone
does this to you, you call them up and get mad at them. :)

If it doesn't make 6.0, it will make post-6.0.
Comment 3 Michael K. Johnson 1999-04-05 16:43:59 EDT
In particular, when this happens, it will be done by pamifying
xwrapper and making it authenticate against pam_console by default.
Then folks can add whatever other authentication they want -- like
pam_time, for example...
Comment 4 Michael K. Johnson 1999-04-07 19:16:59 EDT
OK, I got time I didn't expect so I did this in time for 6.0 :-)
Now sysadmins can set their own policy here without recompiling.
Preston, go ahead and close this once the code is built into our
XFree86 package.
Comment 5 Preston Brown 1999-04-07 19:40:59 EDT
This will be included in XFree86-3.3.3.1-40 and later.
