Your message dated Fri, 27 Mar 2015 21:32:44 +0100
with message-id <1427488364.25801.58.ca...@debian.org>
and subject line Re: [Pkg-xfce-devel] Bug#781080: lightdm: allows login as root by default
has caused the Debian Bug report #781080,
regarding lightdm: allows login as root by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
781080: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781080
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: lightdm
Version: 1.10.3-3
Severity: normal

Dear Maintainer,

until today I had not even tried this, when I typed 'root' and the password
into the lightdm-mask instead of into VT-4-login.

I was quite surprised, that lightdm allows root-login, I also did not find,
where to switch this off in the text-configuration.

I have tried some things about X-login, but a root-session from lightdm is
clearly not what I wanted.

In my opinion this is *INSECURE*, if I need graphical root-access, then I
start thunar for instance from the terminal, saying 'sudo thunar', but having
a completely root-Xsession is most probably not recommended at all.

Please revert this to normal and add a configuration-option to enable it, if
hackers need it in order to test X-security.

Maybe this is related to systemd.



-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.7-ckt7edtp (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages lightdm depends on:
ii  adduser                                3.113+nmu3
ii  consolekit                             0.4.6-5
ii  dbus                                   1.8.16-1
ii  debconf [debconf-2.0]                  1.5.56
ii  libc6                                  2.19-15
ii  libgcrypt20                            1.6.2-4+b1
ii  libglib2.0-0                           2.42.1-1
ii  libpam-systemd                         215-12
ii  libpam0g                               1.1.8-3.1
ii  libxcb1                                1.10-3+b1
ii  libxdmcp6                              1:1.1.1-1+b1
ii  lightdm-gtk-greeter [lightdm-greeter]  1.8.5-2

Versions of packages lightdm recommends:
ii  xserver-xorg  1:7.7+7

Versions of packages lightdm suggests:
ii  accountsservice  0.6.37-3+b1
ii  upower           0.99.1-3.1

-- debconf information:
* shared/default-x-display-manager: lightdm
  lightdm/daemon_name: /usr/sbin/lightdm

--- End Message ---
--- Begin Message ---
control: tag -1 wontfix
On mar., 2015-03-24 at 09:40 +0100, Andreas Glaeser wrote:
> until today I had not even tried this, when I typed 'root' and the password
> into the lightdm-mask instead of into VT-4-login.
> 
> I was quite surprised, that lightdm allows root-login, I also did not find,
> where to switch this off in the text-configuration.

As far as I can tell, Debian has always authorized graphical root login,
same as console login.
> 
> I have tried some things about X-login, but a root-session from lightdm is
> clearly not what I wanted.

Then don't do it?
> 
> In my opinion this is *INSECURE*, if I need graphical root-access, then I
> start thunar for instance from the terminal, saying 'sudo thunar', but having
> a completely root-Xsession is most probably not recommended at all.

Then again, don't do it?
> 
> Please revert this to normal and add a configuration-option to enable it, if
> hackers need it in order to test X-security.

There is nothing to revert, this is the default behavior. If you don't
want a root user, you're free to disable it (the installer even has an
option for that, afair).

You can disallow root login on local X displays by
editing /etc/securetty and removing them from the list. You can also
tune the PAM configuration in /etc/pam.d, see pam documentation.
> 
> Maybe this is related to systemd.

Completely unrelated.
-- 
Yves-Alexis


--- End Message ---
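
The reply above names two places to refuse graphical root login, /etc/securetty and the PAM configuration. As an added example (not part of the thread and not lightdm's own code), this shell function reports which of the two, if either, would refuse root for a given PAM service file; it assumes local X displays are listed in securetty as `:0`-style entries and that a `pam_succeed_if.so user != root` rule is the PAM-side deny, and it does not follow `@include` lines.

```shell
#!/bin/sh
# Added example (not from the thread). Reports whether a PAM service file,
# e.g. /etc/pam.d/lightdm, is set up to refuse root at the greeter.
# Prints: blocked-by-pam | blocked-by-securetty | allowed
# Limits: @include'd files are not followed; only required/requisite
# auth rules are recognised.

# Print a config file without comments and blank lines.
active_lines() {
    [ -f "$1" ] && sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
    return 0
}

root_gui_login_status() {
    pam_file=$1
    securetty=$2
    rule='^-?auth[[:space:]]+(required|requisite)[[:space:]]+'

    # 1. Explicit deny: auth required pam_succeed_if.so user != root
    if active_lines "$pam_file" |
        grep -Eq "${rule}pam_succeed_if\.so.*user[[:space:]]+!=[[:space:]]+root"; then
        echo blocked-by-pam
        return 0
    fi

    # 2. securetty is consulted only if this stack loads pam_securetty,
    #    and a missing securetty file lets root in from anywhere.
    if active_lines "$pam_file" | grep -Eq "${rule}pam_securetty\.so" &&
        [ -f "$securetty" ]; then
        # Assumption: local X displays are listed as ":0", ":0.0", ...
        if ! active_lines "$securetty" | grep -Eq '^:[0-9]'; then
            echo blocked-by-securetty
            return 0
        fi
    fi

    echo allowed
}
```

A result of `allowed` for a stack that never loads `pam_securetty.so` means that editing /etc/securetty alone changes nothing for that service.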