7148 – Shadower is allowed to terminate user session

Bug 7148 - Shadower is allowed to terminate user session

Summary: Shadower is allowed to terminate user session

Status:	NEW

Alias:	None

Product:	ThinLinc
Classification:	Unclassified
Component:	VSM Agent (show other bugs)
Version:	trunk
Hardware:	PC Unknown

Importance:	P2 Normal
Target Milestone:	LowPrio
Assignee:	Pierre Ossman

URL:
Keywords:

Depends on:
Blocks:

Reported:	2018-04-16 13:16 CEST by Henrik Andersson
Modified:	2019-12-17 13:00 CET (History)
CC List:	1 user (show)

See Also:
Acceptance Criteria:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Henrik Andersson cendio

2018-04-16 13:16:16 CEST

I found a test case described as:

 Tests that shadowers are allowed to kill other users' sessions

and verified that handler_killsession.py actually allows this.

It sound very strange that a shadower should be given any other XML-RPC access
than shadow_session.

Comment 1 Henrik Andersson cendio

2018-04-16 13:18:31 CEST

Pierre thinks its related to some kind of administrator functionality, eg. kill session using session list dialog upon shadowing. However, this dialog is only shown under certain circumstances.

Note You need to log in before you can comment on or make changes to this bug.