Local users get to play root?

Adam Williamson awilliam at redhat.com
Thu Nov 19 20:11:40 UTC 2009


On Thu, 2009-11-19 at 09:02 -0800, Jesse Keating wrote:
> On Thu, 2009-11-19 at 10:32 -0600, Chris Adams wrote:
> > Once upon a time, Jesse Keating <jkeating at redhat.com> said:
> > > That is incorrect, unless somehow your ssh tunneled VNC registers as
> > > "local console login", which I doubt.  In your case, none of your users
> > > would be allowed to install software/updates.
> > 
> > VNC looks like a local console login.
> > -- 
> > Chris Adams <cmadams at hiwaay.net>
> > Systems and Network Administrator - HiWAAY Internet Services
> > I don't speak for anybody but myself - that's enough trouble.
> > 
> 
> Not according to what I'm being told by the Desktop folks, at least as
> far as PolicyKit and ConsoleKit are concerned.
> 
> <Oxf13> hrm, in the world of PolicyKit and ConsoleKit, does a VNC login
> look like a "console" login for the sake of policy?
> <hughsie> Oxf13: no
> <hughsie> if you log in, then start remote desktop, and then allow other
> users to connect then it does
> <hughsie> if you're just using vnc to create a virtual desktop for users
> then it's not on_console, so to speak

However, see:

https://bugzilla.redhat.com/show_bug.cgi?id=534047#c179

which points out that one could use x11vnc to exploit this method. As
x11vnc's page says:

"x11vnc allows one to view remotely and interact with real X displays
(i.e. a display corresponding to a physical monitor, keyboard, and
mouse) with any VNC viewer."

That certainly seems to fit the bill. The bugzilla comment notes that a
remote user could install a copy of x11vnc in his home directory and use
it to gain 'local console' access; there is no need to install it
systemwide.

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Fedora Talk: adamwill AT fedoraproject DOT org
http://www.happyassassin.net
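
An audit check for the condition discussed in this message, as an added example that is not part of the original post or of any Fedora tool: it pairs sessions that ConsoleKit marks as local with x11vnc processes serving the same X display. The field names assume the usual `ck-list-sessions` output layout, and the session listing, process list, user names and host name are constructed sample data.

```python
import re

# Constructed sample shaped like `ck-list-sessions` output (assumed format, not a real capture).
SAMPLE_CK = (
    "Session1:\n\tunix-user = '500'\n\tactive = TRUE\n\tx11-display = ':0'\n"
    "\tremote-host-name = ''\n\tis-local = TRUE\n"
    "Session2:\n\tunix-user = '501'\n\tactive = FALSE\n\tx11-display = ''\n"
    "\tremote-host-name = 'gw.example.org'\n\tis-local = FALSE\n"
)
# Constructed process list: (uid, argv) pairs such as an auditor might collect from /proc.
SAMPLE_PROCS = [
    (500, ["/home/alice/bin/x11vnc", "-display", ":0"]),
    (500, ["gnome-session"]),
    (501, ["sshd: bob@pts/1"]),
]

def parse_sessions(text):
    """Turn the session listing into a list of dicts keyed by field name."""
    sessions = []
    for line in text.splitlines():
        if re.match(r"^\S+:$", line):            # "Session1:" starts a new record
            sessions.append({"id": line[:-1]})
            continue
        m = re.match(r"^\s+([\w-]+) = (.*)$", line)
        if m and sessions:
            sessions[-1][m.group(1)] = m.group(2).strip("'")
    return sessions

def exported_local_sessions(sessions, procs):
    """Report local X sessions whose display an x11vnc process is serving."""
    findings = []
    for s in sessions:
        if s.get("is-local") != "TRUE" or not s.get("x11-display"):
            continue
        for uid, argv in procs:
            # Basename match only: a renamed binary needs a different signal.
            if argv[0].rsplit("/", 1)[-1] != "x11vnc":
                continue
            disp = argv[argv.index("-display") + 1] if "-display" in argv[:-1] else None
            if disp in (None, s["x11-display"]):  # no -display given: treat as possible match
                findings.append((s["id"], s["unix-user"], uid, argv[0]))
    return findings

if __name__ == "__main__":
    for f in exported_local_sessions(parse_sessions(SAMPLE_CK), SAMPLE_PROCS):
        print("local session exported over VNC:", f)
```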




More information about the fedora-devel-list mailing list