Bug 1956 - Any user can launch X even if not logged on at console!!
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: XFree86
Version: 6.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assignee: David Lawrence
Reported: 1999-04-02 18:22 UTC by Chris Evans
Modified: 2008-05-01 15:37 UTC (History)
Last Closed: 1999-04-07 23:40:35 UTC

Description Chris Evans 1999-04-02 18:22:58 UTC
This is irritating if nothing else. Why should a user be
able to telnet in, type "startx", and affect the console?

As a quick hack around this "Xwrapper" could be modified to
reject the request to start up X unless the process is on a
virtual console (tty1 etc.)
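
The console check suggested in the description above, as an added example (not part of the original report, and not code from Xwrapper or XFree86). The function names and the upper bound of 63 consoles (Linux's MAX_NR_CONSOLES) are assumptions of this sketch; the fix that shipped, per the later comments, used pam_console rather than a hard-coded test like this one.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define VC_PREFIX "/dev/tty"
#define VC_MAX 63 /* assumption: Linux MAX_NR_CONSOLES */

/* Return 1 if path names a numbered virtual console (/dev/tty1../dev/tty63).
 * Rejects NULL, bare /dev/tty, /dev/tty0 (alias for the current VC),
 * serial lines (/dev/ttyS0), BSD ptys (/dev/ttyp0) and /dev/pts/N. */
int is_virtual_console_path(const char *path)
{
    size_t plen = strlen(VC_PREFIX);
    const char *p;
    int n = 0;

    if (path == NULL || strncmp(path, VC_PREFIX, plen) != 0)
        return 0;
    p = path + plen;
    if (*p == '\0' || *p == '0')      /* no number, tty0, or leading zero */
        return 0;
    for (; *p != '\0'; p++) {
        if (!isdigit((unsigned char)*p))
            return 0;                 /* e.g. ttyS0, ttyp0 */
        n = n * 10 + (*p - '0');
        if (n > VC_MAX)
            return 0;
    }
    return 1;
}

/* Check the terminal attached to stdin; ttyname() returns NULL if none. */
int stdin_is_virtual_console(void)
{
    return is_virtual_console_path(ttyname(STDIN_FILENO));
}

int main(void)
{
    if (!stdin_is_virtual_console()) {
        fprintf(stderr, "refusing to start X: not on a virtual console\n");
        return 1;
    }
    puts("on a virtual console: a wrapper would start the X server here");
    return 0;
}
```

A telnet session sits on a pseudo-terminal, so the wrapper would refuse it, while a login on tty1 passes.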

Comment 1 michael 1999-04-05 00:42:59 UTC
This isn't a real security problem per se. I've had occasion
to use this 'feature' in the past.

Comment 2 Preston Brown 1999-04-05 20:30:59 UTC
If we have time, we may implement a check for if the user is on the
console for 6.0, but it really isn't a security concern.  If someone
does this to you, you call them up and get mad at them. :)

If it doesn't make 6.0, it will make post-6.0.

Comment 3 Michael K. Johnson 1999-04-05 20:43:59 UTC
In particular, when this happens, it will be done by pamifying
xwrapper and making it authenticate against pam_console by default.
Then folks can add whatever other authentication they want -- like
pam_time, for example...

Comment 4 Michael K. Johnson 1999-04-07 23:16:59 UTC
OK, I got time I didn't expect so I did this in time for 6.0 :-)
Now sysadmins can set their own policy here without recompiling.
Preston, go ahead and close this once the code is built into our
XFree86 package.

Comment 5 Preston Brown 1999-04-07 23:40:59 UTC
This will be included in XFree86-3.3.3.1-40 and later.

