In /usr/share/config/kdm/kdmrc: the AllowShutdown entry appears in the sections
[X-*-Greeter] AllowShutdown=Root ... [X-:*-Greeter] AllowShutdown=All instead of [X-*-Core] AllowShutdown=Root ... [X-:*-Core] AllowShutdown=All The result is that kdm assumes the entry is missing and defaults to [X-*-Core] AllowShutdown=All ... [X-:*-Core] AllowShutdown=All thereby allowing any user on a *remote* X display to shut down or reboot the machine without having to supply the root password. This bug is present in kdebase-3.0.1-10mdk.i586.rpm (latest Cooker release). [ I tried to use Bugzilla to report this, but the Bugzilla system is unusable for many different reasons. ] Michael Brown http://www.fensystems.co.uk
