users can login to others running accounts using CTRL+ALT+F7

All Gurus once were Newbies
Forum rules
There are no such things as "stupid" questions. However if you think your question is a bit stupid, then this is the right place for you to post it. Please stick to easy to-the-point questions that you feel people can answer fast. For long and complicated questions prefer the other forums within the support section.
Before you post please read how to get help

users can login to others running accounts using CTRL+ALT+F7

Postby FerroPower on Tue Sep 25, 2012 6:59 pm

hi There,
I need to point ONE BIG Security LOOPHOLE in LINUX MINT Debian Edition. I have beed using LMDE since past one years installing all updates and working perfectly fine. I have other Linux Flavours as well in my other partition. but since my question might sound newbie to experts I am posting it here.

The LOOPHOLE in LinuxMint is related to Users Logged on. Suppose user 'A' is user with sudo power AND user 'B' dont have sudo power.

The Problem arises when User "A" is logged in graphical session and for some reasons he keeps his account running due to some unfinished jobs in running but since he DONT want anyone to view his Data he uses the option to LogOut > Switch User so whenever anyone wants to access his account he is prompted his passwords.
BUT a BIG bug in LMDE allows user "B" to log into user "A" account. for example user 'B' log into his own account and press key combination ctrl+alt+F7 which AUTOMATICALLY LOGS user 'B' into user 'A's DESKTOP WITHOUT PROMPTING for user 'A' PASSWORD..

the only way to safeguard such logins is to Logout COMPLETELY when you are not physically present on your machine so CTRL+AlT+F7 & CTRL+ATL+F8 dont log others into your account.

I only wish to know if such problems arises on your LMDE edition or my LMDE OS is compromised with some bug.

if its a BUG in LMDE I only wish to bring to Developers notice. Thanks...
FerroPower
Level 1
Level 1
 
Posts: 20
Joined: Fri Oct 21, 2011 12:28 pm

Linux Mint is funded by ads and donations.
 

Re: users can login to others running accounts using CTRL+AL

Postby HughT on Wed Sep 26, 2012 4:29 am

hi FerroPower, I'm using main edition Mint, so can't replicate your finding, But it could just depend on the permissions set for the two users. For example, if they are both in the same group, then you'd expect user B to have read-only access to user A. Perhaps you'd check that. Otherwise it's a problem that needs reporting, regards
Please Edit your post title and add [SOLVED] once your question is resolved.
HughT
Level 5
Level 5
 
Posts: 628
Joined: Thu Oct 20, 2011 1:54 pm
Location: England

Re: users can login to others running accounts using CTRL+AL

Postby FerroPower on Wed Sep 26, 2012 9:10 am

Thanks for reply HughT,

I have got archlinux running perfectly where Password prompt is displayed when when user B tries to acces user A desktop by pressing CTRL+ALT+F7. I don't understand whats wrong with my system then. or is it LMDE bug.
FerroPower
Level 1
Level 1
 
Posts: 20
Joined: Fri Oct 21, 2011 12:28 pm

Re: users can login to others running accounts using CTRL+AL

Postby HughT on Wed Sep 26, 2012 9:18 am

So what are the permissions for each user? Are they the same group?
Please Edit your post title and add [SOLVED] once your question is resolved.
HughT
Level 5
Level 5
 
Posts: 628
Joined: Thu Oct 20, 2011 1:54 pm
Location: England

Re: users can login to others running accounts using CTRL+AL

Postby FerroPower on Wed Sep 26, 2012 10:09 am

no they are not.
FerroPower
Level 1
Level 1
 
Posts: 20
Joined: Fri Oct 21, 2011 12:28 pm

Re: users can login to others running accounts using CTRL+AL

Postby naughty_bit on Wed Sep 26, 2012 10:50 am

can you go to startup services and find xhost +?
Change it to - restart and check if it does same.
naughty_bit
Level 1
Level 1
 
Posts: 44
Joined: Fri Sep 07, 2012 6:33 am

Re: users can login to others running accounts using CTRL+AL

Postby FerroPower on Wed Sep 26, 2012 12:40 pm

naughty_bit wrote:can you go to startup services and find xhost +?
Change it to - restart and check if it does same.



There is one xhost + command in StartUp Applications which command to execute ? just - restart or "xhost -restart"
FerroPower
Level 1
Level 1
 
Posts: 20
Joined: Fri Oct 21, 2011 12:28 pm

Re: users can login to others running accounts using CTRL+AL

Postby naughty_bit on Wed Sep 26, 2012 12:46 pm

FerroPower wrote:There is one xhost + command in StartUp Applications which command to execute ? just - restart or "xhost -restart"


Change the command to xhost - and restart x or just restart PC
naughty_bit
Level 1
Level 1
 
Posts: 44
Joined: Fri Sep 07, 2012 6:33 am

Re: users can login to others running accounts using CTRL+AL

Postby FerroPower on Wed Sep 26, 2012 1:06 pm

naughty_bit wrote:
FerroPower wrote:There is one xhost + command in StartUp Applications which command to execute ? just - restart or "xhost -restart"


Change the command to xhost - and restart x or just restart PC



I did as you told but it isn't working same as before. Do you think the system is compromised ? or something
FerroPower
Level 1
Level 1
 
Posts: 20
Joined: Fri Oct 21, 2011 12:28 pm

Re: users can login to others running accounts using CTRL+AL

Postby naughty_bit on Wed Sep 26, 2012 1:09 pm

FerroPower wrote:I did as you told but it isn't working same as before. Do you think the system is compromised ? or something



So is it fixed or not?

No, I don't think its compromised. Just weird defaults.
naughty_bit
Level 1
Level 1
 
Posts: 44
Joined: Fri Sep 07, 2012 6:33 am

Re: users can login to others running accounts using CTRL+AL

Postby FerroPower on Wed Sep 26, 2012 1:31 pm

naughty_bit wrote:
FerroPower wrote:I did as you told but it isn't working same as before. Do you think the system is compromised ? or something



So is it fixed or not?

No, I don't think its compromised. Just weird defaults.



Not Fixed.
FerroPower
Level 1
Level 1
 
Posts: 20
Joined: Fri Oct 21, 2011 12:28 pm

Re: users can login to others running accounts using CTRL+AL

Postby naughty_bit on Wed Sep 26, 2012 1:43 pm

Can you post contents of /etc/mdm/mdm.conf?
naughty_bit
Level 1
Level 1
 
Posts: 44
Joined: Fri Sep 07, 2012 6:33 am

Re: users can login to others running accounts using CTRL+AL

Postby FerroPower on Wed Sep 26, 2012 1:45 pm

naughty_bit wrote:Can you post contents of /etc/mdm/mdm.conf?



/etc/mdm: No such file or directory
FerroPower
Level 1
Level 1
 
Posts: 20
Joined: Fri Oct 21, 2011 12:28 pm

Re: users can login to others running accounts using CTRL+AL

Postby naughty_bit on Wed Sep 26, 2012 1:56 pm

FerroPower wrote:
naughty_bit wrote:Can you post contents of /etc/mdm/mdm.conf?



/etc/mdm: No such file or directory


what session manager are you using? mdm, gdm3, kdm?
naughty_bit
Level 1
Level 1
 
Posts: 44
Joined: Fri Sep 07, 2012 6:33 am

Re: users can login to others running accounts using CTRL+AL

Postby FerroPower on Wed Sep 26, 2012 1:57 pm

gdm3
FerroPower
Level 1
Level 1
 
Posts: 20
Joined: Fri Oct 21, 2011 12:28 pm

Re: users can login to others running accounts using CTRL+AL

Postby naughty_bit on Wed Sep 26, 2012 2:04 pm

FerroPower wrote:gdm3

Can you then post gdm3 conf file? it should be in /etc/gdm3/*.conf
naughty_bit
Level 1
Level 1
 
Posts: 44
Joined: Fri Sep 07, 2012 6:33 am

Re: users can login to others running accounts using CTRL+AL

Postby FerroPower on Wed Sep 26, 2012 2:07 pm

there is on daemon.conf in /etc/gdm3/*

below is the content

# GDM configuration storage
#
# See /usr/share/gdm/gdm.schemas for a list of available options.

[daemon]
# Enabling automatic login
# AutomaticLoginEnable = true
# AutomaticLogin = user1

# Enabling timed login
# TimedLoginEnable = true
# TimedLogin = user1
# TimedLoginDelay = 10

# Reserving more VTs for test consoles (default is 7)
# FirstVT = 9

[security]

[xdmcp]

[greeter]
# Only include selected logins in the greeter
# IncludeAll = false
# Include = user1,user2

[chooser]

[debug]
# More verbose logs
# Additionally lets the X server dump core if it crashes
# Enable = true
FerroPower
Level 1
Level 1
 
Posts: 20
Joined: Fri Oct 21, 2011 12:28 pm

Re: users can login to others running accounts using CTRL+AL

Postby naughty_bit on Wed Sep 26, 2012 2:14 pm

edit" rushed answer
naughty_bit
Level 1
Level 1
 
Posts: 44
Joined: Fri Sep 07, 2012 6:33 am

Re: users can login to others running accounts using CTRL+AL

Postby FerroPower on Wed Sep 26, 2012 2:19 pm

there is no AutoLogin enabled anywhere by me

And also there is no gdm.conf in /etc/gdm3/gdm.conf
FerroPower
Level 1
Level 1
 
Posts: 20
Joined: Fri Oct 21, 2011 12:28 pm

Re: users can login to others running accounts using CTRL+AL

Postby naughty_bit on Wed Sep 26, 2012 2:34 pm

Can you install dconf editor and see under org>gnome>desktop>lockdown if "disable-lock-screen" is enabled?

EDIT: you should also have gconf editor available, not sure if it there by default.
Last edited by naughty_bit on Wed Sep 26, 2012 2:39 pm, edited 1 time in total.
naughty_bit
Level 1
Level 1
 
Posts: 44
Joined: Fri Sep 07, 2012 6:33 am

Linux Mint is funded by ads and donations.
 
Next

Return to Newbie Questions

Who is online

Users browsing this forum: No registered users and 6 guests