[Pkg-xfce-devel] Bug#679872: Bug#679872: lightdm: No access control for lightdm's system bus

Yves-Alexis Perez corsac at debian.org
Mon Jul 2 08:33:22 UTC 2012

On lun., 2012-07-02 at 10:51 +0300, Yair Yarom wrote:
> Package: lightdm
> Version: 1.2.2-1
> Severity: normal
> Dear Maintainer,
> It appears everyone has access to lightdm's system bus, which means
> anyone with remote or local access can cause the seat to change user,
> lock screen or switch to the greeter.

That looks pretty bad indeed.

> I.e. the following commands can be executed by any user
> dbus-send --print-reply --system --dest=org.freedesktop.DisplayManager /org/freedesktop/DisplayManager/Seat0 org.freedesktop.DisplayManager.Seat.SwitchToUser string:user1 string:
> dbus-send --print-reply --system --dest=org.freedesktop.DisplayManager /org/freedesktop/DisplayManager/Seat0 org.freedesktop.DisplayManager.Seat.SwitchToGreeter

These two don't seem to do anything.

> dbus-send --print-reply --system --dest=org.freedesktop.DisplayManager /org/freedesktop/DisplayManager/Seat0 org.freedesktop.DisplayManager.Seat.Lock

This one does “lock” the session (goes back to the greeter). It's
annoying, although at least there's no security issue at first sight.

I'm forwarding this upstream.

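An added example, not part of the original message and not lightdm's code: a small audit that reads a D-Bus system bus policy file and reports which of the Seat methods named in the report any user may call. Both policy documents are constructed for illustration, and the evaluation is a simplified model that looks only at `<policy context="default">` and applies last-match-wins.

```python
import xml.etree.ElementTree as ET

DEST = "org.freedesktop.DisplayManager"
IFACE = DEST + ".Seat"
MEMBERS = ["SwitchToUser", "SwitchToGreeter", "Lock"]  # methods named in the report

# Constructed policy files for illustration; not lightdm's shipped configuration.
OPEN_POLICY = """<busconfig>
  <policy user="root"><allow own="org.freedesktop.DisplayManager"/></policy>
  <policy context="default">
    <allow send_destination="org.freedesktop.DisplayManager"/>
  </policy>
</busconfig>"""
RESTRICTED_POLICY = """<busconfig>
  <policy user="root"><allow own="org.freedesktop.DisplayManager"/></policy>
  <policy context="default">
    <allow send_destination="org.freedesktop.DisplayManager"/>
    <deny send_destination="org.freedesktop.DisplayManager"
          send_interface="org.freedesktop.DisplayManager.Seat"/>
  </policy>
</busconfig>"""

def _matches(rule, dest, iface, member):
    """True if every send_* attribute on the rule matches this method call."""
    call = {"send_destination": dest, "send_interface": iface,
            "send_member": member, "send_type": "method_call"}
    sends = {k: v for k, v in rule.attrib.items() if k.startswith("send_")}
    # Rules without send_* (own=, receive_*) do not govern sending; rules using
    # send_* attributes not modelled here are treated as no match.
    return bool(sends) and all(k in call and v in (call[k], "*") for k, v in sends.items())

def exposed_members(policy_xml, dest=DEST, iface=IFACE, members=MEMBERS):
    """Members any user may call; last matching rule wins, no match means denied."""
    root = ET.fromstring(policy_xml)
    rules = [r for p in root.iter("policy") if p.get("context") == "default"
             for r in p if r.tag in ("allow", "deny")]
    exposed = []
    for member in members:
        verdict = "deny"  # assumed system bus default for method calls
        for rule in rules:
            if _matches(rule, dest, iface, member):
                verdict = rule.tag
        if verdict == "allow":
            exposed.append(member)
    return exposed

if __name__ == "__main__":
    for name, xml in (("open", OPEN_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, exposed_members(xml))
```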