Bug #8167

lightdm login screen should not allow shutdown/restart without logging in

Added by Nikola M. almost 3 years ago. Updated almost 2 years ago.

Status: Resolved
Priority: High
Assignee:
Category: OI-Userland
Target version:
Start date: 2017-05-06
Due date:
% Done: 0%
Estimated time:
Difficulty: Bite-size
Tags: needs-triage

Description

At present, the lightdm login screen includes a power button in the panel
that allows powering down and restarting the machine without identification and logging in.

That presents a security issue that allows service disruption via on-premises access (powering down by unauthorized personnel while some processes are running in the background and/or stopping processes of other users).
Also, since OI is oriented toward server use while including a desktop environment, it could disrupt normal server operation and could be looked at as an included security workaround for disabling OI servers.

This bug suggests removing the power button from the lightdm default settings upon install, for security reasons.
As with gdm before, one can enable the power button by editing the lightdm options in: /etc/lightdm/lightdm-gtk-greeter.conf
(if one wants to use an OI install as a laptop/desktop workstation with non-essential tasks).
But leaving the power button enabled by default without logging in is a security issue.

Suggested solution (and current workaround):
Suggest default lightdm line in /etc/lightdm/lightdm-gtk-greeter.conf to be:
indicators=~a11y;~spacer;~host;~session;~clock
That also fixes:
https://www.illumos.org/issues/8111

History

#1

Updated by Alexander Pyhalov almost 3 years ago

I'd like to split this issue into several.
First of all, it's the ability of a local unauthorized user to shut down the system. I don't think it's a security issue. A local user can just press the power button and we can't protect from this. On the other hand, if a system administrator without access to the system, but with access to the console, can shut it down gracefully, I think it's a nice thing. If the local system administrator wants to enforce some policy, he can set indicators to something like "~spacer;~spacer;~host;~spacer;~session;~a11y;~clock" instead of the default "~spacer;~spacer;~host;~spacer;~session;~a11y;~power;~clock".
The second issue is a really serious security hole: a remote unauthorized user can shut down the system if VNC or Xdmcp is enabled.
This issue was fixed in https://github.com/OpenIndiana/oi-userland/commit/97177ec9190d6e81c6bc6dd7ae8e2c3835044e8c .
I feel really ugly that we had such an issue for a long time without noticing it.
This issue needs separate testing with SRSS terminals.
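As an added example (not code from the bug report or from the oi-userland project), the following POSIX shell script audits a lightdm-gtk-greeter.conf for the ~power indicator that both the description and comment #1 refer to, and prints the indicator line with ~power removed, matching the report's suggested default. It assumes the greeter reads the indicators key from a [greeter] section, which the report does not show, and it works on a constructed sample file rather than a real install's configuration.

```shell
#!/bin/sh
# Added example, not code from the bug report or from oi-userland: audit a
# lightdm-gtk-greeter.conf for the ~power indicator and produce the hardened
# indicator line. Assumes the greeter reads "indicators=" from its [greeter]
# section (the report edits that file but does not show the section header).

# Print the effective "indicators" value from the [greeter] section of file $1.
# Later assignments override earlier ones (assumed ini semantics).
greeter_indicators() {
    awk '
        /^[[:space:]]*\[/ { in_greeter = ($0 ~ /^[[:space:]]*\[greeter\][[:space:]]*$/); next }
        in_greeter && /^[[:space:]]*indicators[[:space:]]*=/ {
            sub(/^[[:space:]]*indicators[[:space:]]*=[[:space:]]*/, "")
            val = $0
        }
        END { print val }
    ' "$1"
}

# Succeed (exit 0) when the configured indicator list contains ~power,
# i.e. shutdown/restart is reachable from the greeter without logging in.
power_exposed() {
    case ";$(greeter_indicators "$1");" in
        *";~power;"*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Print the indicator list $1 with every ~power entry removed, order preserved.
strip_power() {
    printf '%s\n' "$1" | awk -F';' '{
        s = ""
        for (i = 1; i <= NF; i++)
            if ($i != "~power") s = s (s == "" ? "" : ";") $i
        print s
    }'
}

# Write a constructed sample config to $1, mirroring the default quoted in
# comment #1. This is not a real install's file.
make_sample_conf() {
    cat > "$1" <<'EOF'
[greeter]
# constructed sample config
indicators=~spacer;~spacer;~host;~spacer;~session;~a11y;~power;~clock
EOF
}

# Report whether $1 exposes the power indicator and print the hardened line.
# The file is only read, never modified.
audit_conf() {
    cur=$(greeter_indicators "$1")
    if power_exposed "$1"; then
        echo "exposed: indicators=$cur"
        echo "hardened: indicators=$(strip_power "$cur")"
    else
        echo "ok: indicators=$cur"
    fi
}

tmp=$(mktemp)
make_sample_conf "$tmp"
audit_conf "$tmp"
rm -f "$tmp"
```

To check a real install, call audit_conf with /etc/lightdm/lightdm-gtk-greeter.conf; the script only reports and prints the replacement line, so applying the change remains a deliberate edit by the administrator.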

#2

Updated by Nikola M. almost 3 years ago

Ok, split it.
I think it is a security issue for the local user to shut down the machine without logging in.
The power button can be disabled from shutting down; also, with server installs it is not the case that everyone passing by the machine can access the power button or the back of the machine physically. Yet the graphical console is usually accessible.

So the conclusion that "everyone with physical access to the machine can disable it" is not the right assumption, and even if it is the case, that is not a reason to intentionally enable unauthorized behavior by default, having the target server audience in mind.

It is not under the OS's domain what is secured physically at the premises; it is an OS issue to secure the OS and what is under its domain, and that is not to have unauthorized shutdown enabled by default, nor other assumptions about the environment that are not related.

A local administrator needs authorization to do anything to the machine. If not doing it with authorization, it is a security issue; that is the definition of such issues, elevating privileges without verification.

The point of it being a 'nice thing' for a local unauthorized operator with physical access to gracefully shut down the machine
is contradictory to having a power button in lightdm: IF he/she has access to the physical power button on the machine, and the physical power button is working, why would he/she need the system console, instead of just pressing the physical power button? Ergo, the power button on the lightdm console is not needed.

Anyone wanting such behavior in the datacenter can enable it upon install and, as you said, one doesn't really need it, because hardware-authorized operators could access the power button.

I mentioned a few times on IRC that the power button should not be on lightdm, but...
(I couldn't force the issue earlier, because I wasn't aware lightdm was there and enabled in the previous OI snapshot, because I upgraded and did not install fresh.)
My wish is to disable the power button by default, before flushing new OI snapshot installable media. The issue has been there from the first day of lightdm integration with the power button enabled.

#3

Updated by Alexander Pyhalov almost 3 years ago

  • Status changed from New to Resolved
