Comment # 4 on bug 1205939 from Callum Farmer

(In reply to Matthias Gerstner from comment #3)
> The D-Bus interface is rather small but strangely completely unauthenticated.
> It allows all local users (included nobody et al) to e.g. lock an active
> session or switch between sessions. Also the creation of a session seems in
> reach, however in my tests it failed for some reason that I don't fully
> understand.
> 
> Maybe we can configure something in our packaging that leaves less attack
> surface there ...

CC'ing maintainer