| Main Archive Page > Month Archives > oss-security archives |
[oss-security] gdm PostLogin script executes scripts as user gdm
From: Thomas Biege <thomas_at_nospam>Date: Tue Feb 22 2011 - 16:31:05 GMT
To: oss-security@lists.openwall.com
Hello oss-security,
should we consider this as a vulnerability?
https://bugzilla.gnome.org/show_bug.cgi?id=602403
cite:
------------------------------------------------------------------------------
ericlesoll [reporter] 2009-11-19 13:00:11 UTC
on Ubuntu Karmic Koala and Fedora 12
After a fresh install on some machines and update from Jaunty on another one,
we can't catch $USER $USERNAME $LOGNAME
from /etc/gdm/PostLogin/Default, we get "gdm" for all variables instead of real
login name. It was working since 7.04 version.
If in a terminal we run : echo $USER, we get the real login name.
example below :
If I put those 3 lines in /etc/gdm/PostLogin/Default:
echo $USER > /tmp/aaa.txt
echo $USERNAME >> /tmp/aaa.txt
echo $LOGNAME >> /tmp/aaa.txt
after every login I get this result:
$ cat /tmp/aaa.txt
gdm
gdm
gdm
I would expect to get my real login name in those 3 variables instead of "gdm",
which is of no use to take specific action based on which user is logging in.
This was working as expected with at least the 3 previous versions of Ubuntu.
------------------------------------------------------------------------------
Cheers,
Thomas
-- Thomas Biege <thomas@suse.de>, SUSE LINUX, Security Support & Auditing SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg) -- Wer aufhoert besser werden zu wollen, hoert auf gut zu sein. -- Marie von Ebner-Eschenbach