Bug 7148 - Shadower is allowed to terminate user session
Summary: Shadower is allowed to terminate user session
Status: NEW
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: VSM Agent (show other bugs)
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: LowPrio
Assignee: Pierre Ossman
Depends on:
Reported: 2018-04-16 13:16 CEST by Henrik Andersson
Modified: 2019-12-17 13:00 CET (History)
1 user (show)

See Also:
Acceptance Criteria:


Description Henrik Andersson cendio 2018-04-16 13:16:16 CEST
I found a test case described as:

 Tests that shadowers are allowed to kill other users' sessions

and verified that handler_killsession.py actually allows this.

It sound very strange that a shadower should be given any other XML-RPC access
than shadow_session.
Comment 1 Henrik Andersson cendio 2018-04-16 13:18:31 CEST
Pierre thinks its related to some kind of administrator functionality, eg. kill session using session list dialog upon shadowing. However, this dialog is only shown under certain circumstances.

Note You need to log in before you can comment on or make changes to this bug.