Note: this is a snapshot of our old Bugzilla server, which has been read-only since May 29, 2020. Please go to gitlab.xfce.org for our new server.
Can't shut down when halt/reboot have suid bit
Status:
CLOSED: INVALID
Product:
Xfce4-session
Component:
General

Comments

Description punkrockguy318 2004-10-27 00:26:46 CEST
When the shutdown and halt binaries have the +s bit, they are allowed to be
run as users.  The shutdown program only looks if the user can sudo
shutdown/sudo reboot.  The shutdown program should also work if the +s bit is
set on the halt/reboot binaries.
Comment 1 Tim Tassonis 2004-11-03 17:19:30 CET
(In reply to comment #0)
> When the shutdown and halt binaries have the +s bit, they are allowed to be
> run as users.  The shutdown program only looks if the user can sudo
> shutdown/sudo reboot.  The shutdown program should also work if the +s bit is
> set on the halt/reboot binaries.

The ability to reboot/halt from xfce should be disabled altogether. It belongs
to the display manager, where you are not logged in. If you can call it from the
logged in user session, any Trojan can do as well. There is no need to make the
same mistakes as Windows. It's really not that inconvenient to do this from the
Display Manager, after having logged out first.
If someone really needs to reboot directly out of xfce, he can write an
additional program (or have it written), but xfce should not propagate this
wrong behaviour.
Comment 2 Benedikt Meurer editbugs 2004-11-05 21:55:28 CET
(In reply to comment #0)
> When the shutdown and halt binaries have the +s bit, they are allowed to be
> run as users.  The shutdown program only looks if the user can sudo
> shutdown/sudo reboot.  The shutdown program should also work if the +s bit is
> set on the halt/reboot binaries.

Read the section 'Shutting down your computer using the session manager' in
xfce4-session/README.
Comment 3 Benedikt Meurer editbugs 2004-11-05 21:58:12 CET
(In reply to comment #1)
> The ability to reboot/halt from xfce should be disabled altogether. It belongs
> to the display manager, where you are not logged in. If you can call it from the
> logged in user session, any Trojan can do as well. There is no need to make the
> same mistakes as Windows. It's really not that inconvenient to do this from the
> Display Manager, after having logged out first.
> If someone really needs to reboot directly out of xfce, he can write an
> additional program (or have it written), but xfce should not propagate this
> wrong behaviour.

You don't need to install/setup sudo if you are afraid of trojans shutting
down/rebooting your computer.
Comment 4 Benedikt Meurer editbugs 2004-11-05 22:20:18 CET
And on a side note: If a trojan shuts down your computer, this is caused by
misconfiguring sudo, not Xfce's fault after all.
Comment 5 Tim Tassonis 2004-11-10 13:13:41 CET
(In reply to comment #4)
> And on a side note: If a trojan shuts down your computer, this is caused by
> misconfiguring sudo, not Xfce's fault after all.

I know it's not xfce's fault, I just think xfce4 should not support it and
advise people to first log out and then reboot. You could also add a reboot menu
item in a web browser that only works with properly configured systems, but I
think it does not belong there. Before you think I'm being silly: I've seen CD
burning programs with a shutdown option after the burning operation has completed. Can
be very useful as well, if you happen to want to shutdown, but doesn't belong
in a CD burning suite.
I prefer a clean design to being able to do everything from everywhere, anytime.

Comment 6 Benedikt Meurer editbugs 2004-11-10 15:48:59 CET
(In reply to comment #5)
> I know it's not xfce's fault, I just think xfce4 should not support it and
> advise people to first log out and then reboot. You could also add a reboot menu
> item in a web browser that only works with properly configured systems, but I
> think it does not belong there. Before you think I'm being silly: I've seen CD
> burning programs with a shutdown option after the burning operation has completed. Can
> be very useful as well, if you happen to want to shutdown, but doesn't belong
> in a CD burning suite.
> I prefer a clean design to being able to do everything from everywhere, anytime.

Honestly, comparing a web browser/CD burning app to a session manager sounds like
comparing apples and eggs to me.

Try to see it this way: A Display Manager manages an X display and a Session
Manager manages an X session. Both are considered desktop services (not desktop
applications like e.g. a web browser). Now at some time in history, one thought
of an idea 'Hey, let's include a shutdown option in the GNOME display manager' and
voila, gdm now offers a shutdown option, which is by the way _enabled_ by
default in most installations. In a similar way, we added a shutdown option to
xfce4-session, which is _disabled_ by default. I don't see why it's valid for a
display manager to have a shutdown option, but why it's not ok for a session
manager? The functionality is very useful, esp. for users like me, who use plain
XDM (which doesn't include a shutdown option... oh, wait, what was the excuse
for GDM to have a shutdown option?). xfce4-session's shutdown option is disabled
by default (if the admin hasn't messed with sudo earlier) and the admin/user
needs to explicitly enable it, so he/she should be aware of what he's doing; if
he/she's not... I'm sorry, but we don't sell brains this year...

On the 'clean design': The current shutdown helper design is very good IMHO.
Instead of reinventing the wheel in a critical area, we use the well known and
well established security tool sudo. xfce4-session offers no suid programs and
therefore a critical bug in xfce4-session affects only the stability of the
user's session and/or the user's data, but not the system state in any way. That's
up to sudo and the admin; if he/she misconfigures sudo, it's not Xfce's fault and
you cannot blame it on Xfce, because Xfce neither requires sudo to work properly
nor does it encourage users/admins to use it. It's an option, which is -
surprise, surprise - highly optional.

Not supporting an option, which is disabled by default and requires explicit
activation, just because the user could shoot himself in the foot is a really
useless argument. This way we wouldn't have cars today, not even fire.
Comment 7 Brian J. Tarricone (not reading bugmail) 2004-11-14 00:37:35 CET
further, you can leave sudo set up to require a password, and xfce4-session will
prompt you for one.  if a user wants to set it up so they can shut down their
machine passwordless via xfce, then they have to explicitly do so.  essentially,
we're giving the user the power to do whatever they want to do, but, in true
unix tradition, if you screw it up, you get to keep the pieces.  as benny has
stressed, this functionality is disabled by default, so there's no harm done if
you don't use it.

*** at any rate, this is a bug tracker, not a discussion forum.  if you still
have problems with how xfce4-session handles shutdown, i suggest you move this
to the xfce4-dev list. this is about fixing bugs, not bitching about things you
don't like about xfce. ***
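An added audit example, not code from xfce4-session or from anyone in this thread: it reports the two configurations the discussion turns on, setuid halt/reboot binaries (the reporter's setup, which comment 1 objects to) and sudo rules for the shutdown commands, telling NOPASSWD rules apart from ones that still prompt, as comment 7 describes. The sudoers excerpt and the temp-dir stand-in binaries it audits are constructed, and the sudoers parser is a simplification that ignores aliases and line continuations.

```python
import os
import re
import stat
import tempfile

SHUTDOWN_CMDS = {"shutdown", "halt", "reboot", "poweroff"}
# sudoers user spec: who host=(runas) [TAG:] cmd, cmd ...  (aliases, continuations not handled)
RULE = re.compile(r"^(?P<who>\S+)\s+[^=\s]+\s*=\s*(?:\([^)]*\)\s*)?(?P<cmds>.+)$")

def setuid_binaries(paths):
    """[(path, owner_uid, mode)] for each existing path carrying the setuid bit."""
    hits = []
    for p in filter(os.path.exists, paths):  # a u+s halt needs no sudo policy or password
        st = os.stat(p)
        if st.st_mode & stat.S_ISUID:
            hits.append((p, st.st_uid, oct(stat.S_IMODE(st.st_mode))))
    return hits

def shutdown_sudo_rules(sudoers_text, user, groups=()):
    """[(who, command, passwordless)] for each rule letting `user` (directly, via a
    %group in `groups`, or via ALL) run a shutdown-type command or ALL."""
    found = []
    for raw in sudoers_text.splitlines():
        m = RULE.match(raw.split("#", 1)[0].strip())
        who = m.group("who") if m else ""  # unparsable and Defaults lines are skipped below
        if not (who in (user, "ALL") or who.startswith("%") and who[1:] in groups):
            continue
        nopasswd = False  # a NOPASSWD: tag stays in force for the rest of the list
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            while ":" in cmd and cmd.split(":", 1)[0].isupper():  # NOPASSWD:, PASSWD:, NOEXEC: ...
                tag, cmd = (s.strip() for s in cmd.split(":", 1))
                nopasswd = tag == "NOPASSWD" or (nopasswd and tag != "PASSWD")
            base = "ALL" if cmd == "ALL" else os.path.basename(cmd.split(" ")[0])
            if base == "ALL" or base in SHUTDOWN_CMDS:
                found.append((who, cmd, nopasswd))
    return found

# Constructed sudoers excerpt for the demo, not taken from any real system.
DEMO_SUDOERS = """%wheel  ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /sbin/shutdown, /sbin/reboot
bob     ALL=(root) /sbin/halt"""

def demo():
    d = tempfile.mkdtemp()  # two empty stand-in binaries; "halt" gets u+s like the report's
    halt, reboot = os.path.join(d, "halt"), os.path.join(d, "reboot")
    for p, mode in ((halt, 0o4755), (reboot, 0o755)):
        open(p, "w").close()
        os.chmod(p, mode)
    return setuid_binaries([halt, reboot]), shutdown_sudo_rules(DEMO_SUDOERS, "alice")
```

Run `demo()` to see both findings for the constructed setup; on a real host, pass the actual binary paths and the contents of /etc/sudoers and /etc/sudoers.d instead.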

Bug #417

Reported by:
punkrockguy318
Reported on: 2004-10-27
Last modified on: 2009-07-14

People

Assignee:
Benedikt Meurer
CC List:
0 users
