Date: Fri, 20 Nov 2015 14:04:51 +0100
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Subject: LXDM X authentication issues

Hi!

LXDM before 0.5.2 did not start the X server with the -auth parameter.
Therefore any user able to connect to it (typically all local users)
would have their X connections accepted.  The issue was fixed via:

http://git.lxde.org/gitweb/?p=lxde/lxdm.git;a=commitdiff;h=e8f387089e241360bdc6955d3e479450722dcea3

LXDM also defaults to not restarting the X server between sessions, and
does not change authentication cookies or remove xhost authorizations.
This allows a local user to connect to the X server after they have
logged out.  The 'reset' option in lxdm.conf controls whether the X server
is restarted on session user close.

-- 
Tomas Hoger / Red Hat Product Security
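
A local audit for the two conditions described in this message, added here as an example and not part of the original post or of LXDM's code: it flags X server command lines that lack `-auth` and checks whether `reset` is enabled in lxdm.conf. The function names, the `[server]` section name, the value `1` meaning enabled, and the `/etc/lxdm/lxdm.conf` path are assumptions.

```sh
#!/bin/sh
# Added audit example, not LXDM code. Paths and section names are assumptions.

# x_has_auth CMDLINE: succeeds if the X server command line has "-auth <file>".
x_has_auth() {
    prev=
    for word in $1; do            # deliberate word splitting of the command line
        if [ "$prev" = "-auth" ]; then return 0; fi
        prev=$word
    done
    return 1                      # no -auth, or -auth with no file after it
}

# lxdm_reset_enabled CONF: succeeds if an uncommented reset=1 sits in [server].
# Assumption: the option lives in the [server] section and 1 means enabled.
lxdm_reset_enabled() {
    section= value=
    while IFS= read -r line || [ -n "$line" ]; do
        line=$(printf '%s' "$line" | tr -d ' \t\r')
        case $line in
            '#'*|';'*|'') ;;                       # comment or blank line
            '['*']') section=$line ;;
            reset=*) if [ "$section" = "[server]" ]; then value=${line#reset=}; fi ;;
        esac
    done < "$1"
    [ "$value" = "1" ]
}

# scan_live: report running X servers whose command line lacks -auth.
scan_live() {
    for f in /proc/[0-9]*/cmdline; do
        cmd=$(tr '\0' ' ' 2>/dev/null < "$f") || continue
        case ${cmd%% *} in
            X|Xorg|*/X|*/Xorg) x_has_auth "$cmd" || echo "X without -auth: $cmd" ;;
        esac
    done
}

if [ "${1:-}" = "--live" ]; then
    scan_live
    conf=${2:-/etc/lxdm/lxdm.conf}    # assumed default location
    lxdm_reset_enabled "$conf" || echo "$conf: reset not enabled, X server survives logout"
fi
```

Run it with `--live [path-to-lxdm.conf]` to check the local machine; without arguments it only defines the functions.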
