Hiding Shutdown/reboot in logout dialog and possible security issue

Israel israeldahl at gmail.com
Thu Jul 10 22:01:32 UTC 2014 

Hi Anders,
I still think what you are looking for is SLiM
https://en.wikipedia.org/wiki/SLiM
Please check this out.  You can use SLiM instead of LightDM.
There were no logout, or shutdown buttons present the last time I used
it in Debian Wheezy
And it provides a lighter login.
Of course, you could remove LightDM and setup your computer to run
startx (or whatever specific startup script Lubuntu uses... I can't
remember off the top of my head) instead :)

On 07/10/2014 03:12 PM, Anders Bruun Olsen wrote:
> Hi Nio,
>
> The problem with going to the "real server guys" is that terminal
> servers are sort of halfway between the server/desktop divide, so some
> things fall on the desktop side, and some on the server side. This
> specific issue is how to get lxsession-logout to not show the
> shutdown/reboot buttons, which I would deem to belong on the desktop
> side of things. I may need to try the LXDE guys directly if nobody is
> able to help here. I just thought I would try the distro specific
> mailing list before going to the program specific one :)
>
>
> 2014-07-10 18:13 GMT+02:00 Nio Wiklund <nio.wiklund at gmail.com
> <mailto:nio.wiklund at gmail.com>>:
>
>     Hi Anders,
>
>     You can also ask in the Server Platforms Forum at
>
>     http://ubuntuforums.org/forumdisplay.php?f=339
>
>     where some real server guys will probably help you.
>
>     Best regards/Nio
>
>     2014-07-10 16:07, Anders Bruun Olsen skrev:
>     > Hi,
>     >
>     > Ehm.. a graphical desktop environment is sort of the point of a
>     terminal
>     > server. It provides remote desktops to users. It isn't for running a
>     > graphical desktop on a locally attached screen :)
>     > The issue here is two-fold:
>     >
>     > 1. If the graphical login-manager (lightdm) is running, all
>     users who
>     > login to a desktop remotely can shut down the entire machine.
>     This is
>     > not a good thing, but can be circumvented by killing off
>     lightdm. This
>     > is fine when you use something like Nomachine, which takes care of
>     > spinning up a desktop session. But with LTSP you would probably
>     run into
>     > problems, since it depends on having a DM handling login and
>     spinning up
>     > desktop sessions. Although lightdm may be intelligent enough to
>     actually
>     > know when users are remote on LTSP, and will refuse to allow them to
>     > shutdown the machine without proper rights. This may be a
>     none-issue for
>     > LTSP. I don't use LTSP, so I can't say for sure. With Nomachine
>     it is an
>     > issue.
>     >
>     > 2. Users can get confused when sitting in front of a thin client
>     running
>     > the nomachine client. They want to shut down for the day and
>     choose the
>     > shutdown menu on their Lubuntu desktop. Here the correct process
>     is to
>     > choose logout and then shut down the thin client when logout has
>     > happened. But users don't usually think about the fact that this
>     > connects to a remote desktop, so pressing the shutdown button in the
>     > shutdown menu seems logical. They want to shut down their local
>     machine.
>     > Unfortunately that button is meant to shut down the terminal server.
>     > When that does not work (they get the "access denied" message), most
>     > users get confused and go ask it-support for help. I just want to
>     > prevent this confusion, if possible :)
>     >
>     >
>     >
>     > 2014-07-10 14:53 GMT+02:00 Nio Wiklund <nio.wiklund at gmail.com
>     <mailto:nio.wiklund at gmail.com>
>     > <mailto:nio.wiklund at gmail.com <mailto:nio.wiklund at gmail.com>>>:
>     >
>     >     2014-07-10 14:21, Anders Bruun Olsen skrev:
>     >     > Hi,
>     >     >
>     >     > I am looking to build a new terminal server for remote
>     desktops which
>     >     > will be accessed through NoMachine Enterprise. Lubuntu and
>     LXDE looks
>     >     > like a nice fit, but I have run into a couple of issues.
>     >     >
>     >     > I have a default install of Lubuntu 14.04 64-bit. I have
>     created a
>     >     > non-privileged user (no sudo rights). I have also
>     installed NoMachine
>     >     > Enterprise Server. First thing I discovered was what I would
>     >     almost call
>     >     > a security issue. When my non-privileged user is logged in
>     remotely
>     >     > (with Nomachine Enterprise Client), choosing shutdown in
>     the logout
>     >     > dialog actually does shut down the server. How can this
>     user shut down
>     >     > the server, without root access? I found out, that if I
>     ensure lightdm
>     >     > isn't running (nobody will login locally), my unprivileged
>     user can't
>     >     > shut down the server, but will be asked for the password to a
>     >     privileged
>     >     > user, so I guess this is an issue with lightdm. Is this really
>     >     intended
>     >     > behavior?
>     >
>     >     I think it is made for desktop installation, where any user
>     should be
>     >     able to shut down the computer. But it is not suitable for a
>     server. I'm
>     >     glad you found a way to stop shutting it down with superuser
>     privileges.
>     >
>     >     But, many people will discourage the use of a graphical desktop
>     >     environment for a server. Do you really need it? Or maybe a
>     simple
>     >     window manager like Openbox or Fluxbox would do?
>     >
>     >     >
>     >     > Next up, I would like to hide the shutdown and reboot
>     buttons in the
>     >     > logout dialog. The only way I have been able to find by
>     searching,
>     >     is to
>     >     > actually change the source code for lxsession-logout and
>     recompile. Is
>     >     > there really no other way to hide those buttons?
>     >
>     >     Sorry, I don't know this, but think other people can help
>     you with it.
>     >
>     >     > --
>     >     > Anders Bruun Olsen
>     >     > It-ansvarlig
>     >     > Det Danske Sprog- og Litteraturselskab
>     >     > (Society for Danish Language and Literature)
>     >     >
>     >     >
>     >
>     >
>     >     --
>     >     Lubuntu-users mailing list
>     >     Lubuntu-users at lists.ubuntu.com
>     <mailto:Lubuntu-users at lists.ubuntu.com>
>     <mailto:Lubuntu-users at lists.ubuntu.com
>     <mailto:Lubuntu-users at lists.ubuntu.com>>
>     >     Modify settings or unsubscribe at:
>     >     https://lists.ubuntu.com/mailman/listinfo/lubuntu-users
>     >
>     >
>     >
>     >
>     > --
>     > Anders Bruun Olsen
>     > It-ansvarlig
>     > Det Danske Sprog- og Litteraturselskab
>     > (Society for Danish Language and Literature)
>
>
>
>
> -- 
> Anders Bruun Olsen
> It-ansvarlig
> Det Danske Sprog- og Litteraturselskab
> (Society for Danish Language and Literature)
>
>


-- 
Regards

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/lubuntu-users/attachments/20140710/7e128d78/attachment.html>

More information about the Lubuntu-users mailing list