gdm allows shutdown when other accounts open

Bug #618513 reported by What, me urgent?
This bug affects 1 person
Affects: gdm (Ubuntu)
Status: Expired
Importance: Low
Assigned to: Unassigned

Bug Description

Binary package hint: gdm

00] Environment - two users logged in. There is a dedicated root-user account, with a dedicated password, and the other users have NO sudoer privileges.
01] User#1 requests to shut down the machine using gnome panel applet
02] response is a black screen with authorization window requiring password (picture of keys on left side) and warning that another user is logged in.
[[ BTW ### Nothing in the message states which of the three passwords is being requested! ]]
03] Each of the three passwords is tried at least once
[[ BTW ### None of the passwords are REPORTED to have been accepted ]]
04] After a final shudder and claim that the password could NOT be authenticated, the authentication window disappears, and the GDM greeter screen appears.
[[ HUH?! Did it just 'give up', or did it mis-report a proper password authentication as improper? If so, which password? ]]
05] The GDM greeter allows the computer to be shut down using the button on the right side of the lower panel.
[[ But this happened without authentication !! ]]

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: gdm 2.30.2.is.2.30.0-0ubuntu3 [modified: usr/share/gdm/gdm-greeter-login-window.ui]
ProcVersionSignature: Ubuntu 2.6.32-24.39-hostname 2.6.32.15+drm33.5
Uname: Linux 2.6.32-24-generic i686
Architecture: i386
Date: Mon Aug 16 01:07:03 2010
InstallationMedia: Ubuntu 10.04 LTS "Lucid Lynx" - Release i386 (20100429)
ProcEnviron:
 LANG=en_US.utf8
 SHELL=/bin/bash
SourcePackage: gdm

What, me urgent? (whatmeurgent) wrote :
visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Unmarking this as a security bug since someone with physical access can turn off the machine via other methods. From https://wiki.ubuntu.com/SecurityTeam/Policies#Reasonable%20Physical%20Access: "While every attempt is made to securely isolate physically local users of a shared computer from one another, the stock Ubuntu installation is not intended to block an attacker with physical access."

security vulnerability: yes → no
What, me urgent? (whatmeurgent) wrote : Re: [Bug 618513] Re: gdm allows shutdown when other accounts open

Why is it a foregone conclusion that all users will have physical access to more than a dumb terminal?
Is this Microsoft Windows or something?

--- On Fri, 9/3/10, Jamie Strandboge <email address hidden> wrote:

From: Jamie Strandboge <email address hidden>
Subject: [Bug 618513] Re: gdm allows shutdown when other accounts open
To: <email address hidden>
Date: Friday, September 3, 2010, 4:39 PM

Unmarking this as a security bug since someone with physical access can
turn off the machine via other methods. From
https://wiki.ubuntu.com/SecurityTeam/Policies#Reasonable%20Physical%20Access:
"While every attempt is made to securely isolate physically local users
of a shared computer from one another, the stock Ubuntu installation is
not intended to block an attacker with physical access."

** This bug is no longer flagged as a security vulnerability

Sebastien Bacher (seb128) wrote :

Thank you for your bug report. The issue is an upstream one and it would be nice if somebody having it could send the bug to the people writing the software (https://wiki.ubuntu.com/Bugs/Upstream/GNOME).

Changed in gdm (Ubuntu):
importance: Undecided → Low
What, me urgent? (whatmeurgent) wrote :

Thank you, Sebastien. I just posted it on GNOME Bugzilla as Bug 629001.

--- On Mon, 9/6/10, Sebastien Bacher <email address hidden> wrote:

From: Sebastien Bacher <email address hidden>
Subject: [Bug 618513] Re: gdm allows shutdown when other accounts open
To: <email address hidden>
Date: Monday, September 6, 2010, 8:21 AM

Thank you for your bug report. The issue is an upstream one and it would
be nice if somebody having it could send the bug to the people
writing the software (https://wiki.ubuntu.com/Bugs/Upstream/GNOME).

** Changed in: gdm (Ubuntu)
   Importance: Undecided => Low

Pedro Villavicencio (pedro) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. The issue that you reported is one that should be reproducible with the live environment of the Desktop CD of the development release - Oneiric Ocelot. It would help us greatly if you could test with it so we can work on getting it fixed in the next release of Ubuntu. You can find out more about the development release at http://www.ubuntu.com/testing/ . Thanks again and we appreciate your help.

Changed in gdm (Ubuntu):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for gdm (Ubuntu) because there has been no activity for 60 days.]

Changed in gdm (Ubuntu):
status: Incomplete → Expired