Security
You should under no circumstances enable pamusb and XDMCP at the same time. Most graphical login managers are whitelisted and will not be checked for "remoteness" since issue #51 was fixed. This means that if you enable XDMCP and have the USB device of an already configured user attached, anyone connecting to your X-Server could log in as that user!
I repeat, UNDER NO CIRCUMSTANCES ENABLE PAMUSB AND XDMCP AT THE SAME TIME! Don't say you haven't been warned if someone "hacks" your system because of this.
Note: you shouldn't use XDMCP these days anyway...
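As an added example (not code shipped with pam_usb), here is a small POSIX sh audit that flags the combination warned about above: XDMCP switched on in the display manager's INI-style config while a `pam_usb.so` line is active in a PAM stack. The `[xdmcp]`/`[XDMCPServer]` section layout and the system paths in the usage comment are assumptions about gdm/lightdm, not something this page states.

```shell
#!/bin/sh
# Audit helper: warns when XDMCP and pam_usb are enabled together.
# Added example for this wiki page, not code shipped with pam_usb.
# Assumptions: the display manager keeps an INI-style config with an
# [xdmcp] (gdm) or [XDMCPServer] (lightdm) section, and pam_usb is wired
# into PAM as a "pam_usb.so" line in a pam.d-style directory.

# Exit 0 when the given display-manager config enables XDMCP.
xdmcp_enabled() {
    awk '
        /^[[:space:]]*[#;]/ { next }                 # comment line
        /^[[:space:]]*\[/ {                          # [section] header
            s = tolower($0)
            sub(/^[[:space:]]*\[/, "", s); sub(/].*$/, "", s)
            next
        }
        s == "xdmcp" || s == "xdmcpserver" {
            line = tolower($0); gsub(/[[:space:]]/, "", line)
            if (line == "enable=true" || line == "enabled=true") { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Exit 0 when any file in the PAM directory loads pam_usb.so on a live
# (non-commented) line.
pam_usb_enabled() {
    grep -Eqs '^[^#]*pam_usb\.so' "$1"/*
}

# check_xdmcp_pamusb DM_CONF PAM_DIR -> 0 if safe, 1 if both are enabled.
check_xdmcp_pamusb() {
    if xdmcp_enabled "$1" && pam_usb_enabled "$2"; then
        echo "UNSAFE: XDMCP is enabled in $1 while pam_usb is active in $2" >&2
        return 1
    fi
    echo "ok: XDMCP and pam_usb are not both enabled"
}

# Demo on constructed sample files (not real system configs).
demo() {
    d=$(mktemp -d)
    printf '[daemon]\n\n[xdmcp]\n# Enable=false\nEnable=true\n' > "$d/custom.conf"
    printf 'auth sufficient pam_usb.so\nauth required pam_unix.so\n' > "$d/common-auth"
    check_xdmcp_pamusb "$d/custom.conf" "$d" || true   # prints UNSAFE
    rm -rf "$d"
}

# Real-system usage (paths assumed): check_xdmcp_pamusb /etc/gdm3/custom.conf /etc/pam.d
case "${1:-}" in --demo) demo ;; esac
```

Run with `sh audit.sh --demo` to see the check fire on the constructed sample; on a real box pass your display manager's config and PAM directory instead.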
In the past there have been ways to circumvent the local check (see issue #51 and also the "cup of tee"). I'm confident that all known ways are fixed now. But I need to underline "known"... I'm no security expert and it's very well possible that there are still ways to circumvent the checks.
Kudos to @Fuseteam for extensive testing, breaking and reporting.
It's not possible to detect the proper session tty in all cases when using PolicyKit. So it was whitelisted in issue #75. This means pkexec calls will never be checked for "remoteness"!
Of course all of that would require the attacker to have gained access to an already configured user in which case you most likely have other problems anyway.