Date: Fri, 20 Nov 2015 14:04:51 +0100
From: Tomas Hoger <thoger@...hat.com>
To: oss-security@...ts.openwall.com
Subject: LXDM X authentication issues

Hi!

LXDM before 0.5.2 did not start X server with -auth parameter. Therefore any user able to connect to it (typically all local users) would have their X connections accepted.

The issue was fixed via:

http://git.lxde.org/gitweb/?p=lxde/lxdm.git;a=commitdiff;h=e8f387089e241360bdc6955d3e479450722dcea3

LXDM also defaults to not restarting X server between sessions, and does not change authentication cookies or remove xhost authorizations. This allows a local user to be able to connect to the X server after they logged out.

The 'reset' option in lxdm.conf controls whether X server is restarted on session user close.

-- 
Tomas Hoger / Red Hat Product Security
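An added example, not part of the original message and not LXDM code: a host check for the two conditions described above, flagging X server processes started without -auth and an lxdm.conf that leaves 'reset' off. The X binary names, the /etc/lxdm/lxdm.conf path, the [server] section for 'reset', and the sample inputs are assumptions made for this example.

```python
import configparser
import glob
import os

X_NAMES = {"X", "Xorg", "Xorg.bin"}       # assumed X server binary names
CONF_PATH = "/etc/lxdm/lxdm.conf"         # assumed install path


def parse_cmdline(raw):
    """Split a /proc/<pid>/cmdline blob (NUL-separated argv)."""
    return [a.decode(errors="replace") for a in raw.split(b"\0") if a]


def has_auth(argv):
    """True if -auth is present and followed by a file argument."""
    return any(a == "-auth" and i + 1 < len(argv) for i, a in enumerate(argv))


def reset_enabled(conf_text):
    """True if lxdm.conf sets reset=1 (assumed to live in [server])."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    return cp.get("server", "reset", fallback="0").strip() == "1"


def audit(cmdlines, conf_text):
    """Return one finding per X server lacking -auth, plus the reset check."""
    findings = []
    for raw in cmdlines:
        argv = parse_cmdline(raw)
        if argv and os.path.basename(argv[0]) in X_NAMES and not has_auth(argv):
            findings.append("X server without -auth: " + " ".join(argv))
    if not reset_enabled(conf_text):
        findings.append("lxdm.conf: reset is not 1, X server kept between sessions")
    return findings


# Constructed samples (not captured from a real host).
SAMPLE_BAD = b"/usr/bin/X\0:0\0vt1\0-nolisten\0tcp\0"
SAMPLE_GOOD = b"/usr/bin/X\0:0\0vt1\0-auth\0/var/run/lxdm/lxdm-:0.auth\0"
SAMPLE_CONF = "[base]\nsession=/usr/bin/startlxde\n\n[server]\n# reset=1\n"

if __name__ == "__main__":
    live = []
    for path in glob.glob("/proc/[0-9]*/cmdline"):
        try:
            with open(path, "rb") as fh:
                live.append(fh.read())
        except OSError:
            pass                          # process exited or not readable
    conf = open(CONF_PATH).read() if os.path.exists(CONF_PATH) else SAMPLE_CONF
    print("\n".join(audit(live, conf)) or "no findings")
```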