Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
First Last Prev Next    This bug is not in your last search results.
Bug 1956 - Any user can launch X even if not logged on at console!!
Any user can launch X even if not logged on at console!!
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: XFree86 (Show other bugs)
6.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: David Lawrence
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 1999-04-02 13:22 EST by Chris Evans
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 1999-04-07 19:40:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Chris Evans 1999-04-02 13:22:58 EST 
This is irritating if nothing else. Why should a user be
able to telnet in, type "startx", and affect the console?

As a quick hack around this "Xwrapper" could be modified to
reject the request to start up X unless the process in on a
virtual console (tty1 etc.)
Comment 1 michael 1999-04-04 20:42:59 EDT 
This isn't a real security problem per se. I've had occasion
to use this 'feature' in the past.
Comment 2 Preston Brown 1999-04-05 16:30:59 EDT 
If we have time, we may implement a check for if the user is on the
console for 6.0, but it really isn't a security concern.  If someone
does this to you, you call them up and get mad at them. :)

If it doesn't make 6.0, it will make post-6.0.
Comment 3 Michael K. Johnson 1999-04-05 16:43:59 EDT 
In particular, when this happens, it will be done by pamifying
xwrapper and making it authenticate against pam_console by default.
Then folks can add whatever other authentication they want -- like
pam_time, for example...
Comment 4 Michael K. Johnson 1999-04-07 19:16:59 EDT 
OK, I got time I didn't expect so I did this in time for 6.0 :-)
Now sysadmins can set their own policy here without recompiling.
Preston, go ahead and close this once the code is built into our
XFree86 package.
Comment 5 Preston Brown 1999-04-07 19:40:59 EDT 
This will be included in XFree86-3.3.3.1-40 and later.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.