Bug#1117664: lightdm: By default it is possible to log in as user root graphically
Package: lightdm
Version: 1.32.0-6+b2
Severity: grave
Tags: patch
Justification: user security hole
X-Debbugs-Cc: rolf.o1.heinrichs@gmx.net
Dear Maintainer,
* What led up to the situation?
Test due to a user forum entry if a graphical root login is possible.
* What exactly did you do (or not do) that was effective (or ineffective)?
Select the username root and enter the root password.
* What was the outcome of this action?
I could log in as root and get a graphical desktop.
* What outcome did you expect instead?
That the root login would be denied.
When the file /etc/pam.d/lightdm is patched with the lines
# Comment out if graphical root access shall be granted
auth required pam_succeed_if.so user != root quiet
inserted after line 4 of the existing file, root access is denied with the message "wrong password".
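The patch above applied as a script, as an added example that is not part of the bug report or of the lightdm package: it inserts the pam_succeed_if rule directly after the `@include common-auth` line (line 4 of Debian's lightdm PAM stack, as in the report), is idempotent, and provides a check that the rule is active. The sample PAM file is constructed here to resemble /etc/pam.d/lightdm; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the bug report or from the lightdm package.
# Applies the deny-root rule from Bug#1117664 to a PAM service file and
# verifies it. Run against a copy first; the real file is /etc/pam.d/lightdm.

PAM_RULE='auth required pam_succeed_if.so user != root quiet'
PAM_NOTE='# Comment out if graphical root access shall be granted'

# Write a constructed sample of /etc/pam.d/lightdm to the given path.
# (Assumed layout; the line order matters only for where the rule lands.)
write_sample_pam() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth    requisite       pam_nologin.so
auth    sufficient      pam_succeed_if.so user ingroup nopasswdlogin
@include common-auth
auth    optional        pam_gnome_keyring.so
@include common-account
@include common-session
@include common-password
EOF
}

# Insert the deny-root rule after '@include common-auth'. Idempotent: if the
# exact rule is already present, the file is left untouched.
deny_root_graphical() {
    file="$1"
    if grep -qF "$PAM_RULE" "$file"; then
        return 0
    fi
    tmp="$file.tmp.$$"
    awk -v rule="$PAM_RULE" -v note="$PAM_NOTE" '
        { print }
        /^@include[ \t]+common-auth[ \t]*$/ && !done {
            print note
            print rule
            done = 1
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Succeeds when the file carries an active (uncommented) rule that rejects
# root in the auth stack, whether written as required or requisite.
root_denied() {
    grep -qE '^[ \t]*auth[ \t]+(required|requisite)[ \t]+pam_succeed_if\.so[ \t]+user[ \t]*!=[ \t]*root' "$1"
}

# Number of times the exact rule appears; 1 after a correct patch.
rule_count() {
    grep -cF "$PAM_RULE" "$1" || true
}

# Demo on a temporary copy: sh thisscript.sh demo
if [ "${1:-}" = demo ]; then
    f=$(mktemp)
    write_sample_pam "$f"
    deny_root_graphical "$f"
    root_denied "$f" && echo "root login rule active in $f"
    cat "$f"
    rm -f "$f"
fi
```

Because the rule is `required` and sits after `@include common-auth`, PAM still runs the password modules and only then reports a generic authentication failure, which is why the reporter sees "wrong password" rather than a specific denial. Note that this only affects the lightdm PAM service; console and SSH logins as root are governed by their own PAM files and by sshd_config.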
-- System Information:
Debian Release: 13.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.48+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages lightdm depends on:
ii adduser 3.152
ii dbus 1.16.2-2
ii debconf [debconf-2.0] 1.5.91
ii libaudit1 1:4.0.2-2+b2
ii libc6 2.41-12
ii libgcrypt20 1.11.0-7
ii libglib2.0-0t64 2.84.4-3~deb13u1
ii libpam-systemd [logind] 257.8-1~deb13u2
ii libpam0g 1.7.0-5
ii libxcb1 1.17.0-2+b1
ii libxdmcp6 1:1.1.5-1
ii lightdm-gtk-greeter [lightdm-greeter] 2.0.9-1
Versions of packages lightdm recommends:
ii xserver-xorg 1:7.7+24
Versions of packages lightdm suggests:
ii accountsservice 23.13.9-7
ii upower 1.90.9-1
pn xserver-xephyr <none>
-- debconf information:
lightdm/daemon_name: /usr/sbin/lightdm
* shared/default-x-display-manager: lightdm
Regards, Rolf