Bug 6958 - System administrator can't unlock Gnome screensaver in ThinLinc session on SLE12SP2
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: VSM Agent
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: MediumPrio
Assignee: Pierre Ossman
Reported: 2017-04-21 14:52 CEST by Karl Mikaelsson
Modified: 2022-06-20 15:54 CEST

Description Karl Mikaelsson cendio 2017-04-21 14:52:27 CEST
Scenario:

 * ThinLinc 4.8.0-5431.r32425 (Jenkins, pre-release)
 * SLE 12 SP2 with Workstation Extension

 1. Start a new ThinLinc session as root with the standard Gnome profile.
 2. Wait until the screensaver locks the screen.
 3. Try to unlock the screensaver.

You will now get a warning under the password field that says that "System administrator is not allowed to remote login", and the field resets itself after 2-3 seconds. Entering the password before the form resets does not allow you to log in.

If the system has a restriction of this kind, we should ensure that we're bound by it when creating a ThinLinc session as well. In other words, the system administrator shouldn't be allowed to create a ThinLinc session with this setup.
Comment 1 Peter Åstrand cendio 2017-04-24 11:06:51 CEST
See:
https://bugzilla.opensuse.org/show_bug.cgi?id=995062

The SUSE "solution" was to document that GDM is required. Apparently, if you do not run GDM, the screensaver will never lock. This might also be a problem, but likely much less severe than the original one.

I do not think that we should obey GDM policies. The system might use something else, such as lightdm.

See also:
https://bugzilla.redhat.com/show_bug.cgi?id=960149
Comment 2 Pierre Ossman cendio 2017-04-25 13:44:14 CEST
We'll need to check the exact criteria for when this triggers. Is it only root or is it everyone in the "wheel" group (or equivalent)?
Comment 3 Henrik Andersson cendio 2017-05-29 13:06:30 CEST
There is a display manager sysconfig used to disable remote root logins on SUSE. See the parameter DISPLAYMANAGER_ROOT_LOGIN_REMOTE in the file /etc/sysconfig/displaymanager, which is set to "no" by default. Changing this value to "yes" and restarting gdm will allow root to unlock the screensaver.

Also tested that a user who is a member of the wheel group is not affected, even if polkit rules are added to add wheel group users as admins.

  polkit.addAdminRule(function(action, subject) {
      return ["unix-group:wheel"];
  });
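
Added example, not part of any comment in this thread and not ThinLinc or SUSE code: a shell check for the DISPLAYMANAGER_ROOT_LOGIN_REMOTE setting from Comment 3, usable when auditing whether a root session will hit the unlock refusal. The function names, the parsing rules and the treatment of a missing or non-"yes" value as "no" are assumptions.

```shell
#!/bin/sh
# Added example; function names and parsing rules are assumptions.

# Print "yes" or "no": the effective DISPLAYMANAGER_ROOT_LOGIN_REMOTE value.
# Assumptions: the file holds shell-style KEY="value" lines, the last
# uncommented assignment wins, and a missing file, a missing key or any
# value other than "yes" counts as "no" (the default reported in the thread).
root_login_remote_setting() {
    cfg=${1:-/etc/sysconfig/displaymanager}
    setting=no
    if [ -r "$cfg" ]; then
        raw=$(sed -n 's/^[[:space:]]*DISPLAYMANAGER_ROOT_LOGIN_REMOTE=//p' "$cfg" |
            tail -n 1 | sed 's/[[:space:]]*#.*$//' |
            tr -d "\"'[:space:]" | tr 'A-Z' 'a-z')
        if [ "$raw" = yes ]; then
            setting=yes
        fi
    fi
    printf '%s\n' "$setting"
}

# Exit 0 when the refusal described in the thread applies: the account is
# uid 0 and remote root login is not enabled. Other accounts, including
# wheel members, are reported as unaffected, matching Comment 3.
root_unlock_refused() {
    uid=$1
    cfg=${2:-/etc/sysconfig/displaymanager}
    [ "$uid" -eq 0 ] && [ "$(root_login_remote_setting "$cfg")" = no ]
}

# Constructed sample input (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample of /etc/sysconfig/displaymanager
DISPLAYMANAGER_ROOT_LOGIN_REMOTE="no"
EOF
for uid in 0 1000; do
    if root_unlock_refused "$uid" "$sample"; then
        echo "uid $uid: screensaver unlock would be refused"
    else
        echo "uid $uid: not affected by this setting"
    fi
done
rm -f "$sample"
```

Called without a file argument, both functions read /etc/sysconfig/displaymanager on the local system.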
