users can login to others running accounts using CTRL+ALT+F7

Posted: Tue Sep 25, 2012 6:59 pm
by FerroPower
Hi there,
I need to point out ONE BIG Security LOOPHOLE in LINUX MINT Debian Edition. I have been using LMDE for the past one year, installing all updates, and it has been working perfectly fine. I have other Linux flavours as well on my other partition, but since my question might sound newbie to experts I am posting it here.

The LOOPHOLE in LinuxMint is related to users logged on. Suppose user 'A' is a user with sudo power AND user 'B' doesn't have sudo power.

The problem arises when user "A" is logged in to a graphical session and for some reason keeps his account running due to some unfinished jobs running, but since he DOESN'T want anyone to view his data he uses the option LogOut > Switch User, so whenever anyone wants to access his account he is prompted for his password.
BUT a BIG bug in LMDE allows user "B" to log into user "A"'s account. For example, user 'B' logs into his own account and presses the key combination CTRL+ALT+F7, which AUTOMATICALLY LOGS user 'B' into user 'A's DESKTOP WITHOUT PROMPTING for user 'A's PASSWORD.

The only way to safeguard against such logins is to log out COMPLETELY when you are not physically present at your machine, so CTRL+ALT+F7 & CTRL+ALT+F8 don't log others into your account.

I only wish to know if such problems arise on your LMDE edition or if my LMDE OS is compromised with some bug.

If it's a BUG in LMDE, I only wish to bring it to the developers' notice. Thanks...

Re: users can login to others running accounts using CTRL+AL

Posted: Wed Sep 26, 2012 4:29 am
by HughT
Hi FerroPower, I'm using main edition Mint, so can't replicate your finding. But it could just depend on the permissions set for the two users. For example, if they are both in the same group, then you'd expect user B to have read-only access to user A. Perhaps you'd check that. Otherwise it's a problem that needs reporting. Regards

Re: users can login to others running accounts using CTRL+AL

Posted: Wed Sep 26, 2012 9:10 am
by FerroPower
Thanks for the reply, HughT,

I have got archlinux running perfectly, where a password prompt is displayed when user B tries to access user A's desktop by pressing CTRL+ALT+F7. I don't understand what's wrong with my system then. Or is it an LMDE bug?

Re: users can login to others running accounts using CTRL+AL

Posted: Wed Sep 26, 2012 9:18 am
by HughT
So what are the permissions for each user? Are they the same group?

Re: users can login to others running accounts using CTRL+AL

Posted: Wed Sep 26, 2012 10:09 am
by FerroPower
No, they are not.

Re: users can login to others running accounts using CTRL+AL

Posted: Wed Sep 26, 2012 10:50 am
by naughty_bit
can you go to startup services and find xhost +?
Change it to - restart and check if it does same.

Re: users can login to others running accounts using CTRL+AL

Posted: Wed Sep 26, 2012 12:40 pm
by FerroPower
naughty_bit wrote:can you go to startup services and find xhost +?
Change it to - restart and check if it does same.

There is one xhost + command in StartUp Applications. Which command should I execute? Just - restart or "xhost -restart"?

Re: users can login to others running accounts using CTRL+AL

Posted: Wed Sep 26, 2012 12:46 pm
by naughty_bit
FerroPower wrote: There is one xhost + command in StartUp Applications which command to execute ? just - restart or "xhost -restart"

Change the command to xhost - and restart x or just restart PC

Re: users can login to others running accounts using CTRL+AL

Posted: Wed Sep 26, 2012 1:06 pm
by FerroPower
naughty_bit wrote:
FerroPower wrote: There is one xhost + command in StartUp Applications which command to execute ? just - restart or "xhost -restart"
Change the command to xhost - and restart x or just restart PC

I did as you told but it isn't working same as before. Do you think the system is compromised ? or something

Re: users can login to others running accounts using CTRL+AL

Posted: Wed Sep 26, 2012 1:09 pm
by naughty_bit
FerroPower wrote: I did as you told but it isn't working same as before. Do you think the system is compromised ? or something

So is it fixed or not?

No, I don't think it's compromised. Just weird defaults.

Re: users can login to others running accounts using CTRL+AL

Posted: Wed Sep 26, 2012 1:31 pm
by FerroPower
naughty_bit wrote:
FerroPower wrote: I did as you told but it isn't working same as before. Do you think the system is compromised ? or something

So is it fixed or not?

No, I don't think its compromised. Just weird defaults.

Not Fixed.

Re: users can login to others running accounts using CTRL+AL

Posted: Wed Sep 26, 2012 1:43 pm
by naughty_bit
Can you post contents of /etc/mdm/mdm.conf?

Re: users can login to others running accounts using CTRL+AL

Posted: Wed Sep 26, 2012 1:45 pm
by FerroPower
naughty_bit wrote:Can you post contents of /etc/mdm/mdm.conf?

/etc/mdm: No such file or directory

Re: users can login to others running accounts using CTRL+AL

Posted: Wed Sep 26, 2012 1:56 pm
by naughty_bit
FerroPower wrote:
naughty_bit wrote:Can you post contents of /etc/mdm/mdm.conf?

/etc/mdm: No such file or directory

What session manager are you using? mdm, gdm3, kdm?

Re: users can login to others running accounts using CTRL+AL

Posted: Wed Sep 26, 2012 1:57 pm
by FerroPower
gdm3

Re: users can login to others running accounts using CTRL+AL

Posted: Wed Sep 26, 2012 2:04 pm
by naughty_bit
FerroPower wrote:gdm3

Can you then post gdm3 conf file? It should be in /etc/gdm3/*.conf

Re: users can login to others running accounts using CTRL+AL

Posted: Wed Sep 26, 2012 2:07 pm
by FerroPower
There is one daemon.conf in /etc/gdm3/*

Below is the content:

# GDM configuration storage
#
# See /usr/share/gdm/gdm.schemas for a list of available options.

[daemon]
# Enabling automatic login
# AutomaticLoginEnable = true
# AutomaticLogin = user1

# Enabling timed login
# TimedLoginEnable = true
# TimedLogin = user1
# TimedLoginDelay = 10

# Reserving more VTs for test consoles (default is 7)
# FirstVT = 9

[security]

[xdmcp]

[greeter]
# Only include selected logins in the greeter
# IncludeAll = false
# Include = user1,user2

[chooser]

[debug]
# More verbose logs
# Additionally lets the X server dump core if it crashes
# Enable = true

Re: users can login to others running accounts using CTRL+AL

Posted: Wed Sep 26, 2012 2:14 pm
by naughty_bit
edit: rushed answer

Re: users can login to others running accounts using CTRL+AL

Posted: Wed Sep 26, 2012 2:19 pm
by FerroPower
There is no AutoLogin enabled anywhere by me.

And also there is no gdm.conf in /etc/gdm3/gdm.conf

Re: users can login to others running accounts using CTRL+AL

Posted: Wed Sep 26, 2012 2:34 pm
by naughty_bit
Can you install dconf editor and see under org>gnome>desktop>lockdown if "disable-lock-screen" is enabled?

EDIT: you should also have gconf editor available, not sure if it is there by default.
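
The two checks suggested in this thread (an "xhost +" entry in Startup Applications and the disable-lock-screen lockdown key), as an added shell example that is not part of any post. The autostart directories, the gsettings call and the sample entries in demo are assumptions or constructed, not taken from the thread.

```shell
#!/bin/sh
# Added example: checks for the two settings discussed in this thread.

# Print autostart .desktop files whose Exec line runs a bare "xhost +",
# which turns X access control off for every client.
find_xhost_open() {
    for dir in "$@"; do
        for f in "$dir"/*.desktop; do
            [ -f "$f" ] || continue
            if grep -Eq '^Exec=.*xhost[[:space:]]+\+([[:space:]]|$)' "$f"; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# Classify the text that "xhost" prints when run with no arguments.
xhost_state() {
    case "$1" in
        *"access control disabled"*) echo open ;;
        *"access control enabled"*)  echo restricted ;;
        *)                           echo unknown ;;
    esac
}

# Classify the value of org.gnome.desktop.lockdown disable-lock-screen.
lock_state() {
    case "$1" in
        true)  echo lock-disabled ;;
        false) echo lock-available ;;
        *)     echo unknown ;;
    esac
}

# Constructed sample: two autostart entries, one of them the "xhost +" case.
demo() {
    d=$(mktemp -d) || return 1
    printf '[Desktop Entry]\nType=Application\nName=X access\nExec=xhost +\n' > "$d/xhost.desktop"
    printf '[Desktop Entry]\nType=Application\nName=Local only\nExec=xhost +si:localuser:alice\n' > "$d/local.desktop"
    find_xhost_open "$d" | sed "s|^$d/||"
    rm -rf "$d"
}

# Live use (assumed paths): pass "--live" to check the current user's session.
if [ "${1:-}" = "--live" ]; then
    find_xhost_open "$HOME/.config/autostart" /etc/xdg/autostart
    xhost_state "$(xhost 2>/dev/null)"
    lock_state "$(gsettings get org.gnome.desktop.lockdown disable-lock-screen 2>/dev/null)"
fi
```

Run with --live inside the graphical session being checked; "open" from xhost_state or "lock-disabled" from lock_state are the two conditions the replies above were trying to rule out.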