The ability to reboot the machine is controlled via policykit; for more details, see http://askubuntu.com/questions/1190/how-can-i-make-shutdown-not-require-admin-password -- this answer looks particularly nice: http://askubuntu.com/a/486425/33812

Thanks

** Changed in: lightdm (Ubuntu)
       Status: New => Invalid

** Information type changed from Private Security to Public

https://bugs.launchpad.net/bugs/1342047

Title:
  lightdm allows unprivileged remote users to shutdown or reboot machine

Status in “lightdm” package in Ubuntu:
  Invalid

Bug description:
  During work with setting up a terminal server running NoMachine Cloud
  Server (nomachine.com), I discovered that unprivileged users (no sudo
  rights) can shut down and reboot the server. This was tested on Xubuntu
  and Lubuntu (both 14.04), since Unity does not work through NoMachine.

  Further research showed that the shutdown/reboot buttons in the logout
  dialog allow anybody to shut down/reboot the machine when lightdm is
  running on the machine.

  It should be made absolutely clear that this is with a normal user,
  without sudo or any special rights/permissions, logged in through
  NoMachine Enterprise Client from a remote computer. The user is not
  asked for credentials for an admin account or anything. Pressing the
  shutdown button in the logout dialog just shuts down the terminal
  server.

  If I stop the lightdm service, unprivileged users can no longer shut
  down the machine. This seems to indicate that lightdm believes users
  logged in through NoMachine are local users that should be allowed to
  shut down the machine.

  I realize that a server, even a terminal server, shouldn't run
  something like lightdm, which is made for normal desktop machines,
  where the user is expected to sit in front of the hardware and should
  thus be allowed to shut down the machine. But this still seems like a
  security issue to me. Lightdm should not allow unprivileged users, not
  physically present at the machine, to shut it down.

  Steps to recreate:
  1. Create a virtual machine in Virtualbox, set network to bridged!
  2. Install Xubuntu or Lubuntu 14.04
  3. Download and install NoMachine Cloud Server from
     https://www.nomachine.com/download-enterprise
  3a. If using Lubuntu, edit /usr/NX/etc/node.cfg and replace the line
      that starts with "DefaultDesktopCommand" with:
      DefaultDesktopCommand "/usr/bin/lxsession -s Lubuntu -e LXDE"
  4. Install NoMachine Enterprise Client from the before-mentioned URL on
     the local machine (not the VM)
  5. Add a user on the VM with "adduser <username>"
  6. Start NoMachine Enterprise Client and add a connection to the VM
     with all default settings.
  7. Log in with the user you added. Choose "New virtual desktop" and
     "Create a new Ubuntu virtual Desktop" when asked during login.
  8. Open the logout dialog and choose shutdown

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: lightdm 1.10.1-0ubuntu1
  ProcVersionSignature: Ubuntu 3.13.0-30.55-generic 3.13.11.2
  Uname: Linux 3.13.0-30-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.2
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Tue Jul 15 11:03:40 2014
  InstallationDate: Installed on 2014-04-23 (82 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
  SourcePackage: lightdm
  UpgradeStatus: No upgrade log present (probably fresh install)
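
Since the reply above points to policykit as the control for shutdown and reboot, here is an added example (not part of the bug report or of lightdm) that audits polkit local-authority rules for grants of those actions without administrator authentication. It assumes the .pkla rule format read from /etc/polkit-1/localauthority/ and the systemd-logind action IDs; the sample rules are constructed.

```python
import configparser
from fnmatch import fnmatchcase

# logind action IDs for power-off/reboot (assumed to be the ones the desktop calls)
POWER_ACTIONS = (
    "org.freedesktop.login1.power-off",
    "org.freedesktop.login1.power-off-multiple-sessions",
    "org.freedesktop.login1.reboot",
    "org.freedesktop.login1.reboot-multiple-sessions",
)
# Results that never ask for an administrator's credentials
NO_ADMIN = {"yes", "auth_self", "auth_self_keep"}
# .pkla result keys and the session class each one covers
SESSION_KEYS = {"ResultAny": "any session, remote included",
                "ResultInactive": "inactive local session",
                "ResultActive": "active local session"}

# Constructed sample rules, not taken from the bug report
SAMPLE_PKLA = """\
[Let every user power off]
Identity=unix-user:*
Action=org.freedesktop.login1.power-off;org.freedesktop.login1.reboot
ResultAny=yes
ResultActive=yes

[Operators, wildcard]
Identity=unix-group:operators
Action=org.freedesktop.login1.*
ResultInactive=auth_self
ResultActive=auth_admin_keep
"""

def audit_pkla(text):
    """Return (rule, identity, result key, result, matched actions) for each
    grant of a power action that does not require admin authentication."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # .pkla keys are case-sensitive
    cp.read_string(text)
    findings = []
    for rule in cp.sections():
        sec = cp[rule]
        globs = [g.strip() for g in sec.get("Action", "").split(";") if g.strip()]
        hit = [a for a in POWER_ACTIONS if any(fnmatchcase(a, g) for g in globs)]
        for key in SESSION_KEYS:
            result = sec.get(key, "").strip()
            if hit and result in NO_ADMIN:
                findings.append((rule, sec.get("Identity", ""), key, result, hit))
    return findings
```

On a terminal server, a finding under ResultActive deserves the same attention as one under ResultAny if remote desktop sessions are registered as active local sessions, which is the behaviour the report describes.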