Hiding Shutdown/reboot in logout dialog and possible security issue

[Nio Wiklund]

2014-07-10 14:21, Anders Bruun Olsen skrev:
> Hi,
> 
> I am looking to build a new terminal server for remote desktops which
> will be accessed through NoMachine Enterprise. Lubuntu and LXDE looks
> like a nice fit, but I have run into a couple of issues.
> 
> I have a default install of Lubuntu 14.04 64-bit. I have created a
> non-privileged user (no sudo rights). I have also installed NoMachine
> Enterprise Server. First thing I discovered was what I would almost call
> a security issue. When my non-privileged user is logged in remotely
> (with Nomachine Enterprise Client), choosing shutdown in the logout
> dialog actually does shut down the server. How can this user shut down
> the server, without root access? I found out, that if I ensure lightdm
> isn't running (nobody will login locally), my unprivileged user can't
> shut down the server, but will be asked for the password to a privileged
> user, so I guess this is an issue with lightdm. Is this really intended
> behavior?

I think it is made for desktop installation, where any user should be
able to shut down the computer. But it is not suitable for a server. I'm
glad you found a way to stop shutting it down with superuser privileges.

But, many people will discourage the use of a graphical desktop
environment for a server. Do you really need it? Or maybe a simple
window manager like Openbox or Fluxbox would do?

> 
> Next up, I would like to hide the shutdown and reboot buttons in the
> logout dialog. The only way I have been able to find by searching, is to
> actually change the source code for lxsession-logout and recompile. Is
> there really no other way to hide those buttons?

Sorry, I don't know this, but think other people can help you with it.

> -- 
> Anders Bruun Olsen
> It-ansvarlig
> Det Danske Sprog- og Litteraturselskab
> (Society for Danish Language and Literature)
> 
>