gdm PostLogin script executes scripts as user gdm

[Thomas Biege <thomas () suse de>]

Hello oss-security,

should we consider this as a vulnerability?
https://bugzilla.gnome.org/show_bug.cgi?id=602403

cite:
------------------------------------------------------------------------------
ericlesoll [reporter] 2009-11-19 13:00:11 UTC

on Ubuntu Karmic Koala and Fedora 12
After a fresh install on some machines and update from Jaunty on another one,
we can't catch $USER $USERNAME $LOGNAME
from /etc/gdm/PostLogin/Default, we get "gdm" for all variables instead of real
login name. It was working since 7.04 version.
If in a terminal we run : echo $USER, we get the real login name.

example below :

If I put those 3 lines in /etc/gdm/PostLogin/Default:

echo $USER > /tmp/aaa.txt
echo $USERNAME >> /tmp/aaa.txt
echo $LOGNAME >> /tmp/aaa.txt

after every login I get this result:

$ cat /tmp/aaa.txt
gdm
gdm
gdm

I would expect to get my real login name in those 3 variables instead of "gdm",
which is of no use to take specific action based on which user is logging in.
This was working as expected with at least the 3 previous versions of Ubuntu.
------------------------------------------------------------------------------

Cheers,
Thomas

-- 
 Thomas Biege <thomas () suse de>, SUSE LINUX, Security Support & Auditing
 SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
  Wer aufhoert besser werden zu wollen, hoert auf gut zu sein.
                            -- Marie von Ebner-Eschenbach