Bug#1030262: gnome-control-center: User deleted via "gnome-control-center user-accounts" can still login
Timo Lindfors
timo.lindfors at iki.fi
Wed Feb 1 18:56:08 GMT 2023
Package: gnome-control-center
Version: 1:43.2-2
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: timo.lindfors at iki.fi, timo.lindfors at iki.fi, Debian Security Team <team at security.debian.org>
Steps to reproduce:
1) Run "gnome-control-center user-accounts"
2) Click "Unlock..."
3) Enter root password
4) Click "Add User..."
5) Enter "demo2" as Name and Username and click "Add".
6) Click "Remove User..."
7) Click "Delete" when prompted.
8) Log out
9) Select "Not listed?" and log in as "demo2". Set the new password when prompted.
10) Hit the GUI key and type terminal, right-click to access terminal preferences
11) Set the custom command in Unnamed/Command to /bin/bash
12) Start terminal
Expected results:
9) Login fails since the user has been deleted
Actual results:
9) Login succeeds even though the user was deleted from the UI.
More info:
This issue is particularly scary since both the settings application
and the login screen do not show the user after it has been
deleted. This gives the user the impression that the deletion actually
succeeded.
-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-2-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages gnome-control-center depends on:
ii accountsservice 22.08.8-1+b1
ii apg 2.2.3.dfsg.1-5+b2
ii colord 1.4.6-2.1
ii desktop-base 12.0.2
ii desktop-file-utils 0.26-1
ii gnome-control-center-data 1:43.2-2
ii gnome-desktop3-data 43.1-1
ii gnome-settings-daemon 43.0-4
ii gsettings-desktop-schemas 43.0-1
ii libaccountsservice0 22.08.8-1+b1
ii libadwaita-1-0 1.2.1-2
ii libc6 2.36-8
ii libcairo2 1.16.0-7
ii libcolord-gtk4-1 0.3.0-3
ii libcolord2 1.4.6-2.1
ii libcups2 2.4.2-1+b2
ii libepoxy0 1.5.10-1
ii libfontconfig1 2.14.1-3
ii libgcr-base-3-1 3.41.1-1+b1
ii libgdk-pixbuf-2.0-0 2.42.10+dfsg-1+b1
ii libglib2.0-0 2.74.5-1
ii libgnome-bg-4-2 43.1-1
ii libgnome-bluetooth-ui-3.0-13 42.5-2
ii libgnome-desktop-4-2 43.1-1
ii libgnome-rr-4-2 43.1-1
ii libgnutls30 3.7.8-4
ii libgoa-1.0-0b 3.46.0-1
ii libgoa-backend-1.0-1 3.46.0-1
ii libgsound0 1.0.3-2
ii libgtk-3-0 3.24.36-2
ii libgtk-4-1 4.8.3+ds-1+b1
ii libgtop-2.0-11 2.40.0-2
ii libgudev-1.0-0 237-2
ii libibus-1.0-5 1.5.27-4
ii libkrb5-3 1.20.1-1
ii libmalcontent-0-0 0.11.0-3
ii libmm-glib0 1.20.4-1
ii libnm0 1.40.10-1
ii libnma-gtk4-0 1.10.6-1
ii libpango-1.0-0 1.50.12+ds-1
ii libpangocairo-1.0-0 1.50.12+ds-1
ii libpolkit-gobject-1-0 122-2
ii libpulse-mainloop-glib0 16.1+dfsg1-2+b1
ii libpulse0 16.1+dfsg1-2+b1
ii libpwquality1 1.4.5-1+b1
ii libsecret-1-0 0.20.5-3
ii libsmbclient 2:4.17.5+dfsg-1
ii libsnapd-glib-2-1 1.63-4
ii libudisks2-0 2.9.4-4
ii libupower-glib3 0.99.20-2
ii libwacom9 2.5.0-1
ii libx11-6 2:1.8.3-3
ii libxi6 2:1.8-1+b1
ii libxml2 2.9.14+dfsg-1.1+b3
ii webp-pixbuf-loader 0.0.5-5
Versions of packages gnome-control-center recommends:
ii cracklib-runtime 2.9.6-5+b1
ii cups-pk-helper 0.2.6-1+b1
ii gkbd-capplet 3.28.1-1
ii gnome-bluetooth-sendto 42.5-2
ii gnome-online-accounts 3.46.0-1
ii gnome-remote-desktop 43.3-1
ii gnome-user-docs 43.0-1
ii gnome-user-share 43.0-1
ii iso-codes 4.12.0-1
ii libcanberra-pulse 0.30-10
ii libnss-myhostname 252.4-2
ii libspa-0.2-bluetooth 0.3.65-1
ii malcontent-gui 0.11.0-3
ii network-manager-gnome 1.30.0-2
ii polkitd 122-2
ii power-profiles-daemon 0.12-1+b1
ii realmd 0.17.1-1
ii rygel 0.42.0-2
ii rygel-tracker 0.42.0-2
ii system-config-printer-common 1.5.18-1
Versions of packages gnome-control-center suggests:
ii gnome-software 43.3-1
pn gstreamer1.0-pulseaudio <none>
ii pkexec 122-2
ii x11-xserver-utils 7.7+9+b1
-- no debconf information
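
A check an administrator could run after removing an account, to confirm that no entry for it survives in the local account files. This is an added example, not part of the original report; it assumes accounts come from local files (no LDAP/SSSD), and the ROOT prefix argument and the `demo` sample data are constructs of the example.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes accounts live in local files
# under ROOT/etc (no LDAP/SSSD); ROOT is a hypothetical prefix used for testing.

# audit_deleted_user USER [ROOT]: print every surviving trace of USER.
# Returns 0 when nothing remains, 1 when any entry survives.
audit_deleted_user() {
    user=$1 root=${2:-}
    findings=$(
        if [ -r "$root/etc/passwd" ]; then   # passwd: the name still resolves
            awk -F: -v u="$user" '$1 == u {
                print "passwd: entry present uid=" $3 " shell=" $7 }' "$root/etc/passwd"
        fi
        if [ -r "$root/etc/shadow" ]; then   # shadow: $2 password, $3 last change
            awk -F: -v u="$user" '$1 == u {
                if ($2 == "")          print "shadow: empty password field"
                else if ($2 ~ /^[!*]/) print "shadow: password locked"
                else                   print "shadow: password hash set"
                if ($3 == "0") print "shadow: password change forced at next login"
            }' "$root/etc/shadow"
        fi
        if [ -r "$root/etc/group" ]; then    # group: $4 is the member list
            awk -F: -v u="$user" '{
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] == u) print "group: member of " $1
            }' "$root/etc/group"
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample (not taken from the report): an account whose entries
# survived removal, with no password and a forced change at next login.
demo() {
    d=$(mktemp -d) && mkdir "$d/etc"
    printf 'demo2:x:1001:1001::/home/demo2:/bin/bash\n' > "$d/etc/passwd"
    printf 'demo2::0:0:99999:7:::\n' > "$d/etc/shadow"
    printf 'users:x:100:demo2\ndemo:x:1000:\n' > "$d/etc/group"
    audit_deleted_user demo2 "$d" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ $# -gt 0 ]; then audit_deleted_user "$@"; fi
```

Run it as root with the username as the argument so that /etc/shadow is readable; a non-zero exit status means entries for that name remain.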