Package: lightdm
Version: 1.32.0-6+b1
Severity: grave
Justification: user security hole
X-Debbugs-Cc: f...@axnet.nu

dist-upgrading Feb 5 2025 using autologin with lightdm with the attached config, in particular setting autologin-session=lightdm-autologin in /etc/lightdm/lightdm.conf, we get the following error:

Xsession: unable to launch "env AUTOLOGIN=yes /etc/X11/Xsession" X session --- "env AUTOLOGIN=yes /etc/X11/Xsession" not found; falling back to default

due to the Exec statement in /usr/share/xsessions/lightdm-autologin.desktop:

Exec=env AUTOLOGIN=yes /etc/X11/Xsession

However, /etc/X11/Xsession will be launched anyway, which is a user security problem / hole since AUTOLOGIN=yes is not set and the user will not know that it should take into account that the session is an AUTOLOGIN session, e.g. by immediately locking the screen in case of unattended reboot / start-up, potentially leaving the session wide open, giving access to everybody having physical access to the computer.

The solution would be as simple as fixing /usr/share/xsessions/lightdm-autologin.desktop to actually export AUTOLOGIN=yes before launching /etc/X11/Xsession, e.g. by an executable wrapper:

~~~ /etc/X11/Xsession-AUTOLOGIN ~~~
#!/bin/sh
AUTOLOGIN=yes
export AUTOLOGIN
exec /etc/X11/Xsession
~~~

Setting Exec=/etc/X11/Xsession-AUTOLOGIN in /usr/share/xsessions/lightdm-autologin.desktop

-- System Information:
Debian Release: trixie/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.12.11-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=sv_SE.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lightdm depends on:
ii  adduser                              3.137
ii  dbus                                 1.16.0-1
ii  debconf [debconf-2.0]                1.5.89
ii  libaudit1                            1:4.0.2-2+b1
ii  libc6                                2.40-6
ii  libgcrypt20                          1.11.0-7
ii  libglib2.0-0t64                      2.82.4-2
ii  libpam-systemd [logind]              257.2-3
ii  libpam0g                             1.7.0-2
ii  libxcb1                              1.17.0-2+b1
ii  libxdmcp6                            1:1.1.5-1
ii  lightdm-gtk-greeter [lightdm-greeter]  2.0.9-1

Versions of packages lightdm recommends:
ii  xserver-xorg  1:7.7+24

Versions of packages lightdm suggests:
ii  accountsservice  23.13.9-7
ii  upower           1.90.7-1
ii  xserver-xephyr   2:21.1.15-2

-- Configuration Files:
/etc/lightdm/lightdm.conf changed:
[LightDM]
[Seat:*]
greeter-hide-users=false
greeter-show-manual-login=false
greeter-show-remote-login=false
allow-user-switching=true
display-setup-script=/etc/lightdm/fraxdisplaysetup.sh
autologin-user=frax
autologin-user-timeout=0
autologin-session=lightdm-autologin
[XDMCPServer]
[VNCServer]

/etc/lightdm/users.conf changed:
[UserList]
minimum-uid=1366
hidden-users=nobody nobody4 noaccess
hidden-shells=/bin/false /usr/sbin/nologin

/etc/pam.d/lightdm changed:
auth    requisite pam_nologin.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
auth    [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth    requisite pam_deny.so
auth    required pam_permit.so
-auth   optional pam_gnome_keyring.so
@include common-account
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
session required pam_limits.so
session required pam_loginuid.so
@include common-session
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-session optional pam_gnome_keyring.so auto_start
@include common-password

-- debconf information:
* shared/default-x-display-manager: lightdm
  lightdm/daemon_name: /usr/sbin/lightdm
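The following is an added example, not part of the bug report or of the lightdm or Debian xorg packages. It approximates the check that Debian's Xsession applies to the session argument it receives (whether the argument resolves to a single executable) to show why an Exec= line of the form "env AUTOLOGIN=yes /etc/X11/Xsession" is rejected while a wrapper script path is accepted, and it builds the proposed wrapper against a caller-supplied Xsession path so the behaviour can be verified offline. The function names, the temporary directory and the stand-in Xsession script are assumptions made for the example; the real Xsession.d logic is not reproduced here.

```shell
#!/bin/sh
# Added example: mimics the "does the session argument resolve to one
# executable?" check and demonstrates the wrapper fix from the report.
# Not the actual /etc/X11/Xsession.d code (assumption: Xsession rejects any
# argument that is not a single resolvable executable and falls back to the
# default session, which matches the error message in the report).

# session_resolves CMD
# Returns 0 when CMD names a single executable (a path, or a name found on
# PATH), 1 otherwise. A whole command line such as
# "env AUTOLOGIN=yes /etc/X11/Xsession" is looked up as one name and fails.
session_resolves() {
    command -v -- "$1" >/dev/null 2>&1
}

# make_autologin_wrapper DIR XSESSION
# Writes the wrapper proposed in the report into DIR, pointing at XSESSION
# (parameterised so a stand-in can be used instead of /etc/X11/Xsession),
# makes it executable and prints its path.
make_autologin_wrapper() {
    dir=$1
    xsession=$2
    wrapper="$dir/Xsession-AUTOLOGIN"
    cat > "$wrapper" <<EOF
#!/bin/sh
AUTOLOGIN=yes
export AUTOLOGIN
exec $xsession
EOF
    chmod 755 "$wrapper"
    printf '%s\n' "$wrapper"
}

# Stand-alone demo: ./this.sh demo
# Uses a constructed stand-in Xsession that only reports whether AUTOLOGIN
# reached it, so nothing touches the real /etc/X11.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    cat > "$tmp/Xsession" <<'EOF'
#!/bin/sh
printf 'AUTOLOGIN=%s\n' "${AUTOLOGIN:-unset}"
EOF
    chmod 755 "$tmp/Xsession"
    if session_resolves "env AUTOLOGIN=yes $tmp/Xsession"; then
        echo "env-style Exec line resolves (unexpected)"
    else
        echo "env-style Exec line does not resolve: Xsession falls back, AUTOLOGIN is lost"
    fi
    w=$(make_autologin_wrapper "$tmp" "$tmp/Xsession")
    echo "wrapper $w resolves: $(session_resolves "$w" && echo yes || echo no)"
    "$w"
    rm -rf "$tmp"
fi
```

Running the script with the demo argument shows the env-style Exec line failing the lookup while the wrapper both resolves and hands AUTOLOGIN=yes to the session; with the real paths, the same wrapper is what the report proposes placing at /etc/X11/Xsession-AUTOLOGIN.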