FS#17157 - [kdebase-workspace] kdm allows logins even if shell is set to /sbin/nologin

Attached to Project: Arch Linux
Opened by Caleb Cushing (xenoterracide) - Monday, 16 November 2009, 03:13 GMT
Last edited by Andrea Scarpino (BaSh) - Tuesday, 16 October 2012, 07:06 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Ronald van Haren (pressh)
Andrea Scarpino (BaSh)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

I thought I disabled an account by setting the shell to /sbin/nologin and I tried /bin/false. I also tried usermod --expiredate 1. With all of these I was still able to log in to this user. The only way I found to do it was to set passwd -l username (which locks the passwd). My concern is what if an autologin or no passwd was set? And a lot of people will simply set a user's shell to /bin/false (etc) and it won't actually stop a graphical login.
This task depends upon

Closed by  Andrea Scarpino (BaSh)
Tuesday, 16 October 2012, 07:06 GMT
Reason for closing:  Fixed
Additional comments about closing:  kdebase-workspace 4.9.2-4
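
An audit for the situation this report describes, as an added example that is not part of the original task or of any Arch or KDE package: it lists accounts whose shell is a no-login shell but whose shadow password field is still usable or empty, so the shell is the only thing "disabling" them. The function names, output labels and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Usage: shell_only_disabled PASSWD_FILE SHADOW_FILE
# Prints "user:shell:state" for every account with a no-login shell
# whose password is not locked. On a real system (as root):
#   shell_only_disabled /etc/passwd /etc/shadow
shell_only_disabled() {
    awk -F: '
        # First file (shadow): remember each password field.
        NR == FNR { pw[$1] = $2; next }
        # Second file (passwd): only accounts with a no-login shell.
        $7 ~ /\/(nologin|false)$/ {
            if (!($1 in pw)) next            # no shadow entry: cannot judge
            p = pw[$1]
            if (p == "")          state = "EMPTY-PASSWORD"
            else if (p ~ /^[!*]/) next       # locked (passwd -l) or no valid hash
            else                  state = "PASSWORD-USABLE"
            print $1 ":" $7 ":" state
        }
    ' "$2" "$1"
}

# Constructed sample data (not taken from any real system).
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
alice:x:1000:1000::/home/alice:/bin/bash
olduser:x:1001:1001::/home/olduser:/sbin/nologin
svc:x:1002:1002::/srv/svc:/bin/false
guest:x:1003:1003::/home/guest:/sbin/nologin
locked:x:1004:1004::/home/locked:/sbin/nologin
EOF
    cat > "$dir/shadow" <<'EOF'
alice:$6$CONSTRUCTED$hash:14564::::::
olduser:$6$CONSTRUCTED$hash:14564::::::
svc:*:14564::::::
guest::14564::::::
locked:!$6$CONSTRUCTED$hash:14564::::::
EOF
    shell_only_disabled "$dir/passwd" "$dir/shadow"
    rm -rf "$dir"
}

demo
```

Accounts reported here are the ones to lock with passwd -l, as the report found necessary.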
Comment by Andrea Scarpino (BaSh) - Monday, 16 November 2009, 10:56 GMT
  • Field changed: Summary (kdm allows logins even if shell is set to /sbin/nologin → [kdebase-workspace] kdm allows logins even if shell is set to /sbin/nologin)
  • Field changed: Status (Unconfirmed → Assigned)
  • Field changed: Severity (High → Medium)
  • Task assigned to Andrea Scarpino (BaSh), Pierre Schmitz (Pierre)
I don't think this is a bug, and if it is, it is an upstream bug.
You should disable users from System Settings->Login Manager->Users.
Comment by Caleb Cushing (xenoterracide) - Monday, 16 November 2009, 19:11 GMT
I already did file an upstream bug. https://bugs.kde.org/show_bug.cgi?id=214616
Comment by Caleb Cushing (xenoterracide) - Monday, 16 November 2009, 19:13 GMT
I shouldn't have to disable an account in more than 1 way to disable it across the board.
Comment by Caleb Cushing (xenoterracide) - Monday, 16 November 2009, 19:40 GMT
Who provides the pam file(s) for kde? Arch or kde? Or ? Either way I think it's those that need to be patched.
Comment by Caleb Cushing (xenoterracide) - Wednesday, 18 November 2009, 05:55 GMT
Attaching a rewritten /etc/pam.d/kde which is much saner than the current one and shouldn't cause a system's legitimate users heartache. This is mostly based on pam.d/login. According to kde dev, the pam file is generated on what it thinks are sane defaults based on some existing thing... at build time. I don't find these defaults sane or secure, so I think Arch should provide its own.
   kde (0.4 KiB)
Comment by Gerardo Exequiel Pozzi (djgera) - Wednesday, 20 January 2010, 04:21 GMT
Any decision on this for next kde-4.4?
Comment by Thomas Dziedzic (tomd123) - Saturday, 03 July 2010, 19:16 GMT
Status of this?
Comment by Pierre Schmitz (Pierre) - Saturday, 03 July 2010, 19:25 GMT
Depends on  FS#17188  I guess.
Comment by Jelle van der Waa (jelly) - Wednesday, 08 August 2012, 18:47 GMT
Since the depends has been, can we close this bug?
Comment by Andrea Scarpino (BaSh) - Tuesday, 11 September 2012, 07:41 GMT
No, I've to update the kde pam modules to use pam-base.
