users can login to others running accounts using CTRL+ALT+F7
Forum rules
LMDE 2 has reached end of support as of 1-1-2019
Hi there,
I need to point out ONE BIG Security LOOPHOLE in LINUX MINT Debian Edition. I have been using LMDE for the past year, installing all updates, and it has been working perfectly fine. I have other Linux flavours as well on my other partition, but since my question might sound newbie to experts I am posting it here.
The LOOPHOLE in LinuxMint is related to users logged on. Suppose user 'A' is a user with sudo power AND user 'B' doesn't have sudo power.
The problem arises when user "A" is logged in to a graphical session and for some reason keeps his account running due to some unfinished jobs, but since he DOESN'T want anyone to view his data he uses the option LogOut > Switch User, so whenever anyone wants to access his account they are prompted for his password.
BUT a BIG bug in LMDE allows user "B" to log into user "A"'s account. For example, user 'B' logs into his own account and presses the key combination CTRL+ALT+F7, which AUTOMATICALLY LOGS user 'B' into user 'A's DESKTOP WITHOUT PROMPTING for user 'A's PASSWORD.
The only way to safeguard against such logins is to log out COMPLETELY when you are not physically present at your machine, so CTRL+ALT+F7 & CTRL+ALT+F8 don't log others into your account.
I only wish to know if such problems arise on your LMDE edition or if my LMDE OS is compromised with some bug.
If it's a BUG in LMDE I only wish to bring it to the developers' notice. Thanks...
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: users can login to others running accounts using CTRL+AL
Hi FerroPower, I'm using main edition Mint, so can't replicate your finding. But it could just depend on the permissions set for the two users. For example, if they are both in the same group, then you'd expect user B to have read-only access to user A. Perhaps you'd check that. Otherwise it's a problem that needs reporting. Regards
Re: users can login to others running accounts using CTRL+AL
Thanks for reply HughT,
I have got archlinux running perfectly, where a password prompt is displayed when user B tries to access user A's desktop by pressing CTRL+ALT+F7. I don't understand what's wrong with my system then. Or is it an LMDE bug?
Re: users can login to others running accounts using CTRL+AL
So what are the permissions for each user? Are they the same group?
Re: users can login to others running accounts using CTRL+AL
Can you go to startup services and find xhost +?
Change it to -, restart and check if it does the same.
Re: users can login to others running accounts using CTRL+AL
naughty_bit wrote: Can you go to startup services and find xhost +?
Change it to -, restart and check if it does the same.
There is one xhost + command in Startup Applications. Which command to execute? Just - restart or "xhost -restart"?
Re: users can login to others running accounts using CTRL+AL
FerroPower wrote: There is one xhost + command in StartUp Applications which command to execute ? just - restart or "xhost -restart"
Change the command to xhost - and restart x or just restart PC
Re: users can login to others running accounts using CTRL+AL
naughty_bit wrote: FerroPower wrote: There is one xhost + command in StartUp Applications which command to execute ? just - restart or "xhost -restart"
Change the command to xhost - and restart x or just restart PC
I did as you told but it isn't working same as before. Do you think the system is compromised? Or something
Re: users can login to others running accounts using CTRL+AL
FerroPower wrote: I did as you told but it isn't working same as before. Do you think the system is compromised ? or something
So is it fixed or not?
No, I don't think it's compromised. Just weird defaults.
Re: users can login to others running accounts using CTRL+AL
naughty_bit wrote:FerroPower wrote: I did as you told but it isn't working same as before. Do you think the system is compromised ? or something
So is it fixed or not?
No, I don't think it's compromised. Just weird defaults.
Not Fixed.
Re: users can login to others running accounts using CTRL+AL
Can you post contents of /etc/mdm/mdm.conf?
Re: users can login to others running accounts using CTRL+AL
naughty_bit wrote:Can you post contents of /etc/mdm/mdm.conf?
/etc/mdm: No such file or directory
Re: users can login to others running accounts using CTRL+AL
FerroPower wrote: naughty_bit wrote: Can you post contents of /etc/mdm/mdm.conf?
/etc/mdm: No such file or directory
What session manager are you using? mdm, gdm3, kdm?
Re: users can login to others running accounts using CTRL+AL
FerroPower wrote: gdm3
Can you then post gdm3 conf file? It should be in /etc/gdm3/*.conf
Re: users can login to others running accounts using CTRL+AL
There is one daemon.conf in /etc/gdm3/*
Below is the content:
# GDM configuration storage
#
# See /usr/share/gdm/gdm.schemas for a list of available options.
[daemon]
# Enabling automatic login
# AutomaticLoginEnable = true
# AutomaticLogin = user1
# Enabling timed login
# TimedLoginEnable = true
# TimedLogin = user1
# TimedLoginDelay = 10
# Reserving more VTs for test consoles (default is 7)
# FirstVT = 9
[security]
[xdmcp]
[greeter]
# Only include selected logins in the greeter
# IncludeAll = false
# Include = user1,user2
[chooser]
[debug]
# More verbose logs
# Additionally lets the X server dump core if it crashes
# Enable = true
Re: users can login to others running accounts using CTRL+AL
There is no AutoLogin enabled anywhere by me.
And also there is no gdm.conf in /etc/gdm3/gdm.conf
Re: users can login to others running accounts using CTRL+AL
Can you install dconf editor and see under org>gnome>desktop>lockdown if "disable-lock-screen" is enabled?
EDIT: you should also have gconf editor available, not sure if it is there by default.
Last edited by naughty_bit on Wed Sep 26, 2012 2:39 pm, edited 1 time in total.
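The two checks requested in the thread (an `xhost +` entry in Startup Applications, and the `disable-lock-screen` lockdown key) can be run from a terminal. The script below is an added example, not something posted by any participant; the function names are hypothetical, and it assumes startup entries live in the standard XDG autostart directories and that `gsettings` is installed.

```sh
#!/bin/sh
# Added example, not from the thread: audit the two settings asked about above.

# List autostart .desktop files in the given directories whose Exec= line runs
# a bare "xhost +" (X11 access control switched off for all clients).
find_open_xhost() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.desktop; do
            [ -f "$f" ] || continue
            # A scoped grant such as "xhost +si:localuser:bob" is not flagged.
            if grep -Eq '^Exec=.*xhost[[:space:]]+\+([[:space:];&"]|$)' "$f"; then
                printf '%s\n' "$f"
            fi
        done
    done
    return 0
}

# Map the value of org.gnome.desktop.lockdown disable-lock-screen to a verdict.
lock_state() {
    case "$1" in
        true)  echo disabled ;;
        false) echo enabled ;;
        *)     echo unknown ;;
    esac
}

# Run both checks against the current user's session (assumed XDG paths).
audit() {
    hits=$(find_open_xhost "${HOME:-/nonexistent}/.config/autostart" /etc/xdg/autostart)
    if [ -n "$hits" ]; then
        printf 'xhost + found in:\n%s\n' "$hits"
    else
        echo 'no bare "xhost +" in autostart entries'
    fi
    val=
    if command -v gsettings >/dev/null 2>&1; then
        val=$(gsettings get org.gnome.desktop.lockdown disable-lock-screen 2>/dev/null) || val=
    fi
    echo "lock screen: $(lock_state "$val")"
    return 0
}

audit
```

Run it as the user whose session is being switched to, since both the autostart directory and the dconf key are per-user.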