Prompt when attempting to shut down/restart from greeter with user sessions open
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| gdm (Ubuntu) |
Confirmed
|
Wishlist
|
Unassigned | ||
Bug Description
When multiple users are logged in, the system requires administrator authorization for the system to be shut down or restarted. A non-administrating user who is logged in can defeat this mechanism by the following route:
1. Selecting a different user (regardless of whether that user is logged in) from the Shut Down menu options.
2. When prompted for the password of the user selected to switch to, selecting cancel (on 64-bit dist of Jaunty; on 32-bit, cancel is disabled at this point and can be enabled by pressing esc, returning to the screensaver, performing an action such as moving the mouse which returns to the password dialog, and then selecting cancel)
3. This returns to the startup login screen, where the options menu in the lower left of the display gives the option to shut down or restart, regardless of the number of users logged in and regardless of administrative authorization.
| visibility: | private → public |
| Jamie Strandboge (jdstrand) wrote | #1 |
| security vulnerability: | yes → no |
| Jamie Strandboge (jdstrand) wrote | #2 |
| affects: | ubuntu → gdm (Ubuntu) |
| Changed in gdm (Ubuntu): | |
| importance: | Undecided → Wishlist |
| status: | New → Confirmed |
| summary: |
- Shut Down / Restart Workaround Discovered + GDM does should prompt on shutdown/reboot when user's logged in |
| summary: |
- GDM does should prompt on shutdown/reboot when user's logged in + GDM does should prompt on shutdown/reboot when users are logged in |
| Sebastien Bacher (seb128) wrote Re: GDM does should prompt on shutdown/reboot when users are logged in | #3 |
| summary: |
- GDM does should prompt on shutdown/reboot when users are logged in + Prompt when attempting to shut down/restart from greeter with user + sessions open |
One can simply logout and have access to the GDM options and shutdown. I don't see this as a security issue, but rather incomplete GDM/policy kit integration.