users can login to others running accounts using CTRL+ALT+F7

FerroPower

users can login to others running accounts using CTRL+ALT+F7

Post by FerroPower »

Hi there,
I need to point out ONE BIG security LOOPHOLE in Linux Mint Debian Edition. I have been using LMDE for the past year, installing all updates, and it has been working perfectly fine. I have other Linux flavours as well on my other partition, but since my question might sound newbie to experts I am posting it here.

The LOOPHOLE in Linux Mint is related to logged-on users. Suppose user 'A' is a user with sudo power AND user 'B' doesn't have sudo power.

The problem arises when user "A" is logged in to a graphical session and for some reason keeps his account running due to some unfinished jobs, but since he DOESN'T want anyone to view his data he uses the option LogOut > Switch User, so whenever anyone wants to access his account he is prompted for his password.
BUT a BIG bug in LMDE allows user "B" to log into user "A"'s account. For example, user 'B' logs into his own account and presses the key combination CTRL+ALT+F7, which AUTOMATICALLY LOGS user 'B' into user 'A's DESKTOP WITHOUT PROMPTING for user 'A's PASSWORD.

The only way to safeguard against such logins is to log out COMPLETELY when you are not physically present at your machine, so CTRL+ALT+F7 & CTRL+ALT+F8 don't log others into your account.

I only wish to know if such a problem arises on your LMDE edition or whether my LMDE OS is compromised with some bug.

If it's a BUG in LMDE I only wish to bring it to the developers' notice. Thanks...
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
HughT

Re: users can login to others running accounts using CTRL+AL

Post by HughT »

Hi FerroPower, I'm using main edition Mint, so can't replicate your finding, but it could just depend on the permissions set for the two users. For example, if they are both in the same group, then you'd expect user B to have read-only access to user A. Perhaps you'd check that. Otherwise it's a problem that needs reporting. Regards
FerroPower

Re: users can login to others running accounts using CTRL+AL

Post by FerroPower »

Thanks for the reply, HughT,

I have got Arch Linux running perfectly, where a password prompt is displayed when user B tries to access user A's desktop by pressing CTRL+ALT+F7. I don't understand what's wrong with my system then. Or is it an LMDE bug?
HughT

Re: users can login to others running accounts using CTRL+AL

Post by HughT »

So what are the permissions for each user? Are they the same group?
FerroPower

Re: users can login to others running accounts using CTRL+AL

Post by FerroPower »

No, they are not.
naughty_bit

Re: users can login to others running accounts using CTRL+AL

Post by naughty_bit »

can you go to startup services and find xhost +?
Change it to - restart and check if it does same.
FerroPower

Re: users can login to others running accounts using CTRL+AL

Post by FerroPower »

naughty_bit wrote:can you go to startup services and find xhost +?
Change it to - restart and check if it does same.

There is one xhost + command in Startup Applications. Which command to execute? Just - restart or "xhost -restart"?
naughty_bit

Re: users can login to others running accounts using CTRL+AL

Post by naughty_bit »

FerroPower wrote: There is one xhost + command in Startup Applications. Which command to execute? Just - restart or "xhost -restart"?

Change the command to xhost - and restart X, or just restart the PC.
FerroPower

Re: users can login to others running accounts using CTRL+AL

Post by FerroPower »

naughty_bit wrote:
FerroPower wrote: There is one xhost + command in Startup Applications. Which command to execute? Just - restart or "xhost -restart"?
Change the command to xhost - and restart X, or just restart the PC.

I did as you told but it isn't working same as before. Do you think the system is compromised? Or something
naughty_bit

Re: users can login to others running accounts using CTRL+AL

Post by naughty_bit »

FerroPower wrote: I did as you told but it isn't working same as before. Do you think the system is compromised? Or something

So is it fixed or not?

No, I don't think it's compromised. Just weird defaults.
FerroPower

Re: users can login to others running accounts using CTRL+AL

Post by FerroPower »

naughty_bit wrote:
FerroPower wrote: I did as you told but it isn't working same as before. Do you think the system is compromised? Or something

So is it fixed or not?

No, I don't think it's compromised. Just weird defaults.

Not fixed.
naughty_bit

Re: users can login to others running accounts using CTRL+AL

Post by naughty_bit »

Can you post contents of /etc/mdm/mdm.conf?
FerroPower

Re: users can login to others running accounts using CTRL+AL

Post by FerroPower »

naughty_bit wrote:Can you post contents of /etc/mdm/mdm.conf?

/etc/mdm: No such file or directory
naughty_bit

Re: users can login to others running accounts using CTRL+AL

Post by naughty_bit »

FerroPower wrote:
naughty_bit wrote:Can you post contents of /etc/mdm/mdm.conf?

/etc/mdm: No such file or directory

What session manager are you using? mdm, gdm3, kdm?
FerroPower

Re: users can login to others running accounts using CTRL+AL

Post by FerroPower »

gdm3
naughty_bit

Re: users can login to others running accounts using CTRL+AL

Post by naughty_bit »

FerroPower wrote:gdm3

Can you then post the gdm3 conf file? It should be in /etc/gdm3/*.conf
FerroPower

Re: users can login to others running accounts using CTRL+AL

Post by FerroPower »

There is one daemon.conf in /etc/gdm3/*

Below is the content:

# GDM configuration storage
#
# See /usr/share/gdm/gdm.schemas for a list of available options.

[daemon]
# Enabling automatic login
# AutomaticLoginEnable = true
# AutomaticLogin = user1

# Enabling timed login
# TimedLoginEnable = true
# TimedLogin = user1
# TimedLoginDelay = 10

# Reserving more VTs for test consoles (default is 7)
# FirstVT = 9

[security]

[xdmcp]

[greeter]
# Only include selected logins in the greeter
# IncludeAll = false
# Include = user1,user2

[chooser]

[debug]
# More verbose logs
# Additionally lets the X server dump core if it crashes
# Enable = true
naughty_bit

Re: users can login to others running accounts using CTRL+AL

Post by naughty_bit »

Edit: rushed answer
FerroPower

Re: users can login to others running accounts using CTRL+AL

Post by FerroPower »

There is no AutoLogin enabled anywhere by me.

And also there is no gdm.conf in /etc/gdm3/gdm.conf
naughty_bit

Re: users can login to others running accounts using CTRL+AL

Post by naughty_bit »

Can you install dconf editor and see under org>gnome>desktop>lockdown if "disable-lock-screen" is enabled?

EDIT: you should also have gconf editor available; not sure if it is there by default.
Last edited by naughty_bit on Wed Sep 26, 2012 2:39 pm, edited 1 time in total.
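
The three things checked over the course of this thread (an `xhost +` autostart entry, automatic or timed login in `/etc/gdm3/daemon.conf`, and the `disable-lock-screen` lockdown key) can be audited in one pass. The script below is an added example, not something posted by any participant; the default autostart directory and the `gsettings` call are assumptions about the desktop in use, and the sample files are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): checks for the three settings discussed.

# List autostart entries that run a bare "xhost +" (disables X access control).
find_xhost_plus() {            # $1 = autostart directory
    grep -lE '^Exec=.*xhost[[:space:]]+\+([[:space:]]|$)' "$1"/*.desktop 2>/dev/null || true
}

# Print uncommented automatic/timed login options set to true in daemon.conf.
gdm_auto_logins() {            # $1 = path to GDM daemon.conf
    grep -iE '^[[:space:]]*(AutomaticLoginEnable|TimedLoginEnable)[[:space:]]*=[[:space:]]*true' \
        "$1" 2>/dev/null || true
}

# Print true/false for the lockdown key, or "unknown" when gsettings is absent.
lock_screen_disabled() {
    gsettings get org.gnome.desktop.lockdown disable-lock-screen 2>/dev/null || echo unknown
}

# Run all checks; default paths are assumptions, pass others as arguments.
audit() {                      # $1 = autostart dir, $2 = daemon.conf
    echo "xhost + autostart entries: $(find_xhost_plus "${1:-$HOME/.config/autostart}")"
    echo "GDM login bypass options:  $(gdm_auto_logins "${2:-/etc/gdm3/daemon.conf}")"
    echo "disable-lock-screen:       $(lock_screen_disabled)"
}

# Constructed sample input so the script runs on any machine.
demo=$(mktemp -d)
printf '[Desktop Entry]\nType=Application\nExec=xhost +\n' > "$demo/xhost.desktop"
printf '[daemon]\n# AutomaticLoginEnable = true\nTimedLoginEnable = true\n' > "$demo/daemon.conf"
audit "$demo" "$demo/daemon.conf"
rm -rf "$demo"
```

Calling `audit` with no arguments inspects the current user's autostart directory and the system `daemon.conf`; empty output on the first two lines means neither setting was found.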