On Mon, 2012-07-02 at 10:51 +0300, Yair Yarom wrote:
> Package: lightdm
> Version: 1.2.2-1
> Severity: normal
>
> Dear Maintainer,
>
> It appears everyone has access to lightdm's system bus, which means
> anyone with remote or local access can cause the seat to change user,
> lock screen or switch to the greeter.

That looks pretty bad indeed.

>
> I.e. the following commands can be executed by any user
> dbus-send --print-reply --system --dest=org.freedesktop.DisplayManager
> /org/freedesktop/DisplayManager/Seat0
> org.freedesktop.DisplayManager.Seat.SwitchToUser string:user1 string:
>
> dbus-send --print-reply --system --dest=org.freedesktop.DisplayManager
> /org/freedesktop/DisplayManager/Seat0
> org.freedesktop.DisplayManager.Seat.SwitchToGreeter
>

These two don't seem to do anything.

> dbus-send --print-reply --system --dest=org.freedesktop.DisplayManager
> /org/freedesktop/DisplayManager/Seat0 org.freedesktop.DisplayManager.Seat.Lock

This one does “lock” the session (goes back to the greeter). It's
annoying, although at least there's no security issue at first sight.

I'm forwarding this upstream.

Regards,
-- 
Yves-Alexis
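A way to check a system-bus policy for the exposure reported above, as an added example that is not part of the original message or of lightdm: it flags `<allow>` rules that let every bus client send to `org.freedesktop.DisplayManager`. The sample policy is constructed for illustration (it is not lightdm's shipped file), and `audit_policy` is a hypothetical helper that assumes access is governed by the dbus-daemon XML policy.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (NOT lightdm's shipped file): the default context
# lets every bus client send any message to the display manager.
SAMPLE_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.freedesktop.DisplayManager"/>
    <allow send_destination="org.freedesktop.DisplayManager"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.freedesktop.DisplayManager"/>
    <allow send_destination="org.freedesktop.DisplayManager"
           send_interface="org.freedesktop.DBus.Properties"
           send_member="Get"/>
  </policy>
</busconfig>"""

# Match attributes that narrow an <allow> rule to specific messages.
NARROWING = ("send_interface", "send_member", "send_path", "send_type")
# Policy contexts that apply to every connection on the bus.
EVERYONE = ("default", "mandatory")


def audit_policy(xml_text, destination):
    """Return (severity, limits) for each <allow> rule open to all clients.

    Heuristic only: it does not replay dbus-daemon's full rule ordering,
    so a later <deny> or another policy block may still override a match.
    """
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("policy"):
        if policy.get("context") not in EVERYONE:
            continue  # user=/group= blocks apply to named principals only
        for rule in policy.findall("allow"):
            if rule.get("send_destination") != destination:
                continue
            limits = {k: rule.get(k) for k in NARROWING if rule.get(k)}
            severity = "narrowed" if limits else "unrestricted"
            findings.append((severity, limits))
    return findings


if __name__ == "__main__":
    dest = "org.freedesktop.DisplayManager"
    for severity, limits in audit_policy(SAMPLE_POLICY, dest):
        print(severity, limits or "any interface/member")
```

An "unrestricted" finding means methods such as `Seat.Lock` are reachable by any local user unless the service performs its own caller check.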