Bug#259173: marked as done (gdm: SecureSystemMenu is either too
secure or too insecure)
Debian Bug Tracking System
owner@bugs.debian.org
Sun, 29 Aug 2004 22:33:08 -0700
Your message dated Mon, 30 Aug 2004 01:17:31 -0400
with message-id <E1C1eXr-0005kE-00@newraff.debian.org>
and subject line Bug#259173: fixed in gdm 2.6.0.4-1
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
From: Michael Piefel <piefel@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gdm: SecureSystemMenu is either too secure or too insecure
X-Mailer: reportbug 2.63
Date: Tue, 13 Jul 2004 11:39:21 +0200
Message-Id: <E1BkJkv-0004R8-00@kosh.informatik.hu-berlin.de>
Sender: Michael Piefel <piefel@informatik.hu-berlin.de>
Package: gdm
Version: 2.6.0.3-1
Severity: important
Tags: security
gdm has a System Menu which offers options such as "Shut down the
computer" and "Edit gdm options". Using gdm.conf's SecureSystemMenu
setting, this menu either requests the root password or it doesn't.
This leads to the unfortunate situation where either:
- Any user has to enter the root password to shut down the computer.
IOW, they cannot, because I won't give them the password. They can cut
the power, but that isn't good.
- Any user can change all of gdm's settings, including auto-login for a
certain user and such. This opens a wide security hole.
At home (older gdm version) the settings menu requires a password,
shutting down doesn't. That's the way it should be. If shutting down has
to be protected by a password, this has to be a separate option.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.5-1-k7
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8
Versions of packages gdm depends on:
ii adduser 3.57 Add and remove users and groups
ii debconf 1.4.29 Debian configuration management sy
ii dpkg 1.10.22 Package maintenance system for Deb
ii gksu 1.2.0-2 graphical frontend to su
ii gnome-session 2.6.2-3 The GNOME 2 Session Manager
ii gnome-terminal [x-termina 2.6.1-4 The GNOME 2 terminal emulator appl
ii libart-2.0-2 2.3.16-5 Library of functions for 2D graphi
ii libatk1.0-0 1.6.1-2 The ATK accessibility toolkit
ii libattr1 2.4.16-1 Extended attribute shared library
ii libbonobo2-0 2.6.2-4 Bonobo CORBA interfaces library
ii libbonoboui2-0 2.6.1-1 The Bonobo UI library
ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an
ii libgconf2-4 2.6.2-1 GNOME configuration database syste
ii libglade2-0 1:2.4.0-1 Library to load .glade files at ru
ii libglib2.0-0 2.4.2-1 The GLib library of C routines
ii libgnome2-0 2.6.1-8 The GNOME 2 library - runtime file
ii libgnomecanvas2-0 2.6.1.1-2 A powerful object-oriented display
ii libgnomeui-0 2.6.1.1-3 The GNOME 2 libraries (User Interf
ii libgnomevfs2-0 2.6.1.1-4 The GNOME virtual file-system libr
ii libgtk2.0-0 2.4.3-3 The GTK+ graphical user interface
ii libice6 4.3.0.dfsg.1-6 Inter-Client Exchange library
ii liborbit2 1:2.10.2-1.1 libraries for ORBit2 - a CORBA ORB
ii libpam-modules 0.76-22 Pluggable Authentication Modules f
ii libpam-runtime 0.76-22 Runtime support for the PAM librar
ii libpam0g 0.76-22 Pluggable Authentication Modules l
ii libpango1.0-0 1.4.0-4 Layout and rendering of internatio
ii libpopt0 1.7-4 lib for parsing cmdline parameters
ii librsvg2-2 2.7.2-2 SAX-based renderer library for SVG
ii libselinux1 1.14-1 SELinux shared libraries
ii libsm6 4.3.0.dfsg.1-6 X Window System Session Management
ii libwrap0 7.6.dbs-4 Wietse Venema's TCP wrappers libra
ii libx11-6 4.3.0.dfsg.1-6 X Window System protocol client li
ii libxext6 4.3.0.dfsg.1-6 X Window System miscellaneous exte
ii libxml2 2.6.10-3 GNOME XML library
ii metacity [x-window-manage 1:2.8.1-3 A lightweight GTK2 based Window Ma
ii rxvt [x-terminal-emulator 1:2.6.4-6 VT102 terminal emulator for the X
ii twm [x-window-manager] 4.3.0.dfsg.1-6 Tab window manager
ii xbase-clients 4.3.0.dfsg.1-6 miscellaneous X clients
ii xlibs 4.3.0.dfsg.1-6 X Window System client libraries m
ii xterm [x-terminal-emulato 4.3.0.dfsg.1-6 X terminal emulator
ii zlib1g 1:1.2.1.1-3 compression library - runtime
-- debconf information:
gdm/daemon_name: /usr/bin/gdm
shared/default-x-display-manager: gdm
---------------------------------------
From: Ryan Murray <rmurray@debian.org>
To: 259173-close@bugs.debian.org
X-Katie: $Revision: 1.51 $
Subject: Bug#259173: fixed in gdm 2.6.0.4-1
Message-Id: <E1C1eXr-0005kE-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Mon, 30 Aug 2004 01:17:31 -0400
Source: gdm
Source-Version: 2.6.0.4-1
We believe that the bug you reported is fixed in the latest version of
gdm, which is due to be installed in the Debian FTP archive:
gdm_2.6.0.4-1.diff.gz
to pool/main/g/gdm/gdm_2.6.0.4-1.diff.gz
gdm_2.6.0.4-1.dsc
to pool/main/g/gdm/gdm_2.6.0.4-1.dsc
gdm_2.6.0.4-1_i386.deb
to pool/main/g/gdm/gdm_2.6.0.4-1_i386.deb
gdm_2.6.0.4.orig.tar.gz
to pool/main/g/gdm/gdm_2.6.0.4.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 259173@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ryan Murray <rmurray@debian.org> (supplier of updated gdm package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 29 Aug 2004 21:45:36 -0700
Source: gdm
Binary: gdm
Architecture: source i386
Version: 2.6.0.4-1
Distribution: unstable
Urgency: medium
Maintainer: Ryan Murray <rmurray@debian.org>
Changed-By: Ryan Murray <rmurray@debian.org>
Description:
gdm - GNOME Display Manager
Closes: 248263 258213 258933 259173 261786 262625 265101 266734 267146
Changes:
gdm (2.6.0.4-1) unstable; urgency=medium
.
* New upstream release (closes: #258213)
* When XKeepsCrashing uses whiptail, pass --scrolltext (closes: #248263)
* Fix case typo in slave.c (closes: #259173)
* Use invoke-rc.d in prerm (closes: #262625)
* Don't export LANG in /etc/default/gdm (closes: #265101)
* Move libexecdir to /usr/lib/gdm (closes: #266734)
* Keep stderr open across some execs so error messages make it to the log
(closes: #261786)
* Update de.po, es.po (closes: #258933, #267146)
Files:
073d54c302a1f94b7dae36dd035f1733 719 gnome optional gdm_2.6.0.4-1.dsc
8abac4da9cdaa21ca0a0bd03a42a7e19 5310026 gnome optional gdm_2.6.0.4.orig.tar.gz
bc935bf6878dcf45b8fe6c5b59086fb0 58047 gnome optional gdm_2.6.0.4-1.diff.gz
bba9df0f5b4315ab3a06268dd3cc0715 2976852 gnome optional gdm_2.6.0.4-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)
iD8DBQFBMrLxN2Dbz/1mRasRAso1AJ9ygl36vnO4LGVfdHBg7ct+P+axkgCgpAGW
LVRaRHRZjypp3QW9aNvg7Oc=
=arzk
-----END PGP SIGNATURE-----