Mailinglist Archive: opensuse-bugs (4369 mails)
[Bug 206676] YaST > Network Services > Remote Administration allows EVERYBODY to shutdown the machine or kill the X-server
- From: bugzilla_noreply@xxxxxxxxxx
- Date: Fri, 29 Sep 2006 02:00:41 -0600 (MDT)
- Message-id: <20060929080041.7387625C887@xxxxxxxxxxxxxxxxxxxxxx>
https://bugzilla.novell.com/show_bug.cgi?id=206676
danielstefanmader@xxxxxx changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|Normal |Major
Priority|P5 - None |P2 - High
------- Comment #4 from danielstefanmader@xxxxxx 2006-09-29 02:00 MST -------
Hello again,
I found the time to investigate some more. Setting YaST > Security and Users >
Local Security to "Networked Workstation" and enabling Remote Administration
still offers shutdown/reboot options to _everybody_ in KDM -- even though the
/etc/sysconfig settings in Desktop > Display manager > DISPLAYMANAGER_SHUTDOWN
claim this should only be possible by root!
Imho this really is a security issue since it allows for a DoS attack without
actually having to attack :) There should be no shutdown options offered to
remote users by default, no matter what the security settings are unless
otherwise set by the admin.
Since nobody seems to care I will set the severity of this bug to major and the
priority to P2. Please feel free to readjust in case necessary.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.