Bug 343476 - CRITICAL ERROR IN GDM! : GDM Allow to an ordinary user access to "Configure Login Manager..."
Status: RESOLVED FIXED
Product: gdm
Classification: Core
Component: general
Version: 2.14.x
Hardware: Other All
Importance: Normal critical
Target Milestone: ---
Assigned To: GDM maintainers
QA Contact: GDM maintainers
Depends on:
Blocks:
 
 
Reported: 2006-05-31 05:06 UTC by Víctor Daniel
Modified: 2006-06-09 03:46 UTC
See Also:
GNOME target: ---
GNOME version: 2.13/2.14



Description Víctor Daniel 2006-05-31 05:06:01 UTC
Please describe the problem:
CRITICAL ERROR IN GDM! : GDM allows an ordinary user to access the "Configure Login Manager..." option if the face list is enabled; this is a big security vulnerability.

I tested this bug in PLAIN mode with Face List and in THEME mode; both ways have the bug.

To cause the bug (PLAIN mode with Face List):

Bye and Thanks
Daniel
bombayvdmo@yahoo.com.mx

Steps to reproduce:
1. Select "Configure Login Manager..." option in Action Menu.
2. Now gdm "needs" the "root password", but now select some basic user in the face selector and enter your password.
3. Here is the bug: after you enter the ordinary user password, GDM allows access to config and gives root permissions.

Comment 1 Brian Cameron 2006-05-31 09:32:13 UTC
This is now fixed in CVS head.  Now looking into 2.14 branch.
Comment 2 Brian Cameron 2006-05-31 10:16:59 UTC
Yes, problem is in the 2.14 branch.  Now fixed there.  Now looking into 2.12 branch.  
Comment 3 Brian Cameron 2006-05-31 10:33:13 UTC
The problem also exists in the 2.8 branch.  I just patched the 2.8 branch as well with the fix.

Now the code disables the face browser so you can't click on it between choosing "Configure login" and entering the password - allowing the user to get to the config screen using their user password instead of the root password.

Note this problem happens only if Browser is enabled, SystemMenu is turned on, and Configurator turned on in the configuration file.  All non-default choices, though I believe many distros turn these on by default.
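
The three preconditions named in Comment 3, as a configuration check. This is an added example, not part of the original thread and not GDM project code. It assumes the settings live in the `[greeter]` section under the GDM 2.x key names `Browser`, `SystemMenu` and `ConfigAvailable` (mapping "Configurator turned on" to `ConfigAvailable` is an assumption), that a missing key means off, and that later config texts override earlier ones; the sample configs are constructed.

```python
import configparser

# Key names as documented for GDM 2.x; mapping the comment's
# "Configurator turned on" to ConfigAvailable is an assumption.
PRECONDITIONS = ("Browser", "SystemMenu", "ConfigAvailable")


def load_greeter(*config_texts):
    """Merge the [greeter] section of several INI texts; later texts win."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case as written in the file
    for text in config_texts:
        parser.read_string(text)
    return dict(parser["greeter"]) if parser.has_section("greeter") else {}


def exposure(*config_texts):
    """Return (exposed, enabled_keys); exposed only if all three are on."""
    greeter = load_greeter(*config_texts)
    enabled = [key for key in PRECONDITIONS
               if greeter.get(key, "false").strip().lower() == "true"]
    return len(enabled) == len(PRECONDITIONS), enabled


# Constructed sample inputs, not taken from any real host.
DISTRO_DEFAULTS = """
[greeter]
# a distribution that ships all three non-default choices turned on
Browser=true
SystemMenu=true
ConfigAvailable=true
"""
LOCAL_OVERRIDE = """
[greeter]
ConfigAvailable=false
"""

if __name__ == "__main__":
    for label, texts in (("defaults only", (DISTRO_DEFAULTS,)),
                         ("with override", (DISTRO_DEFAULTS, LOCAL_OVERRIDE))):
        exposed, enabled = exposure(*texts)
        print(f"{label}: exposed={exposed} enabled={enabled}")
```

Turning off any one of the three settings removes the precondition on an unpatched release; the fixed releases listed in this bug address it in code.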

Comment 4 Brian Cameron 2006-05-31 10:51:14 UTC
Okay, just verified that this problem does not happen in the 2.6 code, which corresponds to the gnome-2-10 branch. 

Note I said 2.8 branch above, but I meant GDM 2.8, which corresponds to the gnome-2-12 branch, which does have the problem.


Comment 5 Brian Cameron 2006-05-31 10:59:05 UTC
I will do new releases of the 2.8, 2.12, 2.14, and 2.15 branches as soon as I hear back from the vendor-sec mail alias with advice on how to proceed, probably in the next day.
Comment 6 Federico Mena Quintero 2006-05-31 19:14:17 UTC
Thanks a lot for taking care of this, Brian :)
Comment 7 Víctor Daniel 2006-06-02 23:38:46 UTC
:) No problem, I'm a *nix user, this is my work ;-).
Comment 8 Víctor Daniel 2006-06-02 23:39:41 UTC
:) No problem, I'm a *nix user, this is my work ;-).
Comment 9 Brian Cameron 2006-06-09 03:46:56 UTC
Okay, the latest 2.8 (aka gnome-2.12), 2.14, and 2.15 releases have a
fix for this problem.  Closing.