--- Begin Message ---
Package: lightdm
Version: 1.32.0-6+b2
Severity: grave
Tags: patch
Justification: user security hole
X-Debbugs-Cc: rolf.o1.heinrichs@gmx.net
Dear Maintainer,
* What led up to the situation?
A test, prompted by a user forum entry, of whether a graphical root login is possible.
* What exactly did you do (or not do) that was effective (or
ineffective)?
Select username root and the root password
* What was the outcome of this action?
I could log in as root and get a graphical desktop.
* What outcome did you expect instead?
That root login was denied.
When the file /etc/pam.d/lightdm is patched with the lines
# Comment out if graphical root access shall be granted
auth required pam_succeed_if.so user != root quiet
after line 4 of the existing file, root access is denied with the message "wrong password".
-- System Information:
Debian Release: 13.1
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.12.48+deb13-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages lightdm depends on:
ii adduser 3.152
ii dbus 1.16.2-2
ii debconf [debconf-2.0] 1.5.91
ii libaudit1 1:4.0.2-2+b2
ii libc6 2.41-12
ii libgcrypt20 1.11.0-7
ii libglib2.0-0t64 2.84.4-3~deb13u1
ii libpam-systemd [logind] 257.8-1~deb13u2
ii libpam0g 1.7.0-5
ii libxcb1 1.17.0-2+b1
ii libxdmcp6 1:1.1.5-1
ii lightdm-gtk-greeter [lightdm-greeter] 2.0.9-1
Versions of packages lightdm recommends:
ii xserver-xorg 1:7.7+24
Versions of packages lightdm suggests:
ii accountsservice 23.13.9-7
ii upower 1.90.9-1
pn xserver-xephyr <none>
-- debconf information:
lightdm/daemon_name: /usr/sbin/lightdm
* shared/default-x-display-manager: lightdm
Regards, Rolf
--- End Message ---
--- Begin Message ---
control: tag -1 wontfix
On Thu, 2025-10-09 at 13:57 +0200, Rolf Heinrichs wrote:
> * What led up to the situation?
>
> A test, prompted by a user forum entry, of whether a graphical root
> login is possible.
>
> * What exactly did you do (or not do) that was effective (or
> ineffective)?
>
> Select username root and the root password
>
> * What was the outcome of this action?
>
> I could log in as root and get a graphical desktop.
>
> * What outcome did you expect instead?
>
> That root login was denied.
>
> When the file /etc/pam.d/lightdm is patched with the lines
>
> # Comment out if graphical root access shall be granted
> auth required pam_succeed_if.so user != root quiet
>
> after line 4 of the existing file, root access is denied with the
> message "wrong password".
Hi Rolf, thank you for your bug report.
That being said, I don't see a bug here. I don't think anyone says root login
was disabled on standard Debian boxes. If you don't want that then you indeed
have to configure that yourself.
Regards,
- --
Yves-Alexis
--- End Message ---
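An added example, not part of the original thread or of the lightdm package: a small auditor that checks whether a PAM service file carries an active "user != root" pam_succeed_if rule in its auth stack, as the report proposes. The sample file contents and the function name audit_root_rule are constructed for illustration. As an assumption it is deliberately conservative: it does not follow included files, and it reports "unverified" when an earlier entry could end or jump over the stack before the rule is reached.

```python
import re

# Constructed samples for illustration; not the real Debian /etc/pam.d/lightdm.
PATCHED = """\
#%PAM-1.0
auth requisite pam_nologin.so
# Comment out if graphical root access shall be granted
auth required pam_succeed_if.so user != root quiet
@include common-auth
"""
COMMENTED_OUT = PATCHED.replace("auth required pam_succeed_if",
                                "#auth required pam_succeed_if")
TOO_LATE = "auth sufficient pam_unix.so\n" + PATCHED


def audit_root_rule(pam_text):
    """Classify one PAM service file: 'denied', 'unverified' or 'allowed'."""
    bypass_seen = False  # an earlier entry could end or jump over the auth stack
    for raw in pam_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments, normalise spacing
        if not tokens:
            continue
        if tokens[0] == "@include":
            bypass_seen = True  # assumption: included files are not followed
            continue
        # A leading "-" on the type only silences missing-module logging.
        if tokens[0].lstrip("-") != "auth" or len(tokens) < 3:
            continue
        m = re.match(r"(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", " ".join(tokens[1:]))
        if not m:
            continue
        control, module, args = m.groups()
        is_rule = (control in ("required", "requisite")
                   and module.rsplit("/", 1)[-1] == "pam_succeed_if.so"
                   and re.search(r"(^|\s)user != root(\s|$)", args))
        if is_rule:
            # The rule fails for root; it only counts if nothing can skip it.
            return "unverified" if bypass_seen else "denied"
        if (control in ("sufficient", "include", "substack")
                or re.search(r"=(done|\d+)", control)):
            bypass_seen = True
    return "allowed"


if __name__ == "__main__":
    for name, text in (("patched", PATCHED), ("commented out", COMMENTED_OUT),
                       ("too late", TOO_LATE)):
        print(name, "->", audit_root_rule(text))
```

A result of "unverified" means the rule exists but its position has to be reviewed by hand against the entries that precede it.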