1

Please look at this auth.log (from Ubuntu 14.04) I have provided and tell me who this gdm user is and why there are all these unauthenticated logins? I am freaked out; please help!

Here's the /var/log/auth.log file: http://paste.ubuntu.com/8120231/

Update: I know now that "gdm" is gnome desktop manager and it's there because of root. But please look at the log, there is more, and tell me if my system is breached.

Eliah Kagan
  • 117,780

2 Answers

2

The entries in your auth.log involving the gdm user appear normal. This is nothing to worry about. I'm not sure what you mean by "unauthenticated logins" but if you just mean no human entered a username and password for them, that's not a problem.

  • If you're referring to where it says "Unregistered Authentication Agent," that does not mean a login occurred without proper authentication. I suspect this is not a problem at all; certainly, it doesn't signify a security breach. In this context, "Unregistered" is an action. Here, "registered" means it "started using" an authentication agent and "unregistered" means it "stopped using" an authentication agent it had started using before.

(Feel free to elaborate further about that or any other aspect of your question, by editing your question. If you post a comment on this answer, I'll take a look at the edited question.)

GDM is the GNOME Display Manager. A display manager runs the X11 (the core part of the GUI), provides a graphical login screen, and sets up and takes down graphical login sessions.

The part of GDM that provides the login screen, or greeter, does not need to run with unlimited privileges. So it is run as a special limited user account called gdm. This same principle applies to other display managers, such as LightDM (which is more commonly used on Ubuntu these days than GDM).

The gdm account doesn't have to authenticate because the logins are being created by the root user, who can already do anything.

To support what I've said above, and also elaborate on it and provide a greater degree of technical detail, I recommend the official GDM documentation, particularly the Security section.

Most relevant is subsection 3.1, "The GDM User And Group":

For security reasons a dedicated user and group id are recommended for proper operation. This user and group are normally "gdm" on most systems, but can be configured to any user or group. All GDM GUI programs are run as this user, so that the programs which interact with the user are run in a sandbox. This user and group should have limited privilege.

The only special privilege the "gdm" user requires is the ability to read and write Xauth files to the <var>/run/gdm directory. The <var>/run/gdm directory should have root:gdm ownership and 1777 permissions.

You should not, under any circumstances, configure the GDM user/group to a user which a user could easily gain access to, such as the user nobody. Any user who gains access to an Xauth key can snoop on and control running GUI programs running in the associated session or perform a denial-of-service attack on it. It is important to ensure that the system is configured properly so that only the "gdm" user has access to these files and that it is not easy to login to this account. For example, the account should be setup to not have a password or allow non-root users to login to the account.

....

As clarified there:

  • The gdm user account enhances security.
  • It is a limited user account, that exists for a highly specific purpose.
  • Logins to the gdm user account are performed directly by root, and not with a password or by users other than root.
Eliah Kagan
  • 117,780
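The reading of auth.log described in the answer above can be turned into a small triage script. This is an added example, not code from the answer or from the GDM project: it marks greeter sessions opened for gdm by root and polkit agent register/unregister events as expected, and leaves everything else for a human to read. The sample lines are constructed in the Ubuntu 14.04 auth.log format (they are not taken from the asker's paste), and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines (assumed format, not from the asker's paste).
SAMPLE = """\
Aug 23 06:10:01 box gdm-launch-environment][1180]: pam_unix(gdm-launch-environment:session): session opened for user gdm by (uid=0)
Aug 23 06:10:03 box polkitd(authority=local): Registered Authentication Agent for unix-session:c1 (system bus name :1.30 [gnome-shell --mode=gdm], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Aug 23 06:10:41 box polkitd(authority=local): Unregistered Authentication Agent for unix-session:c1 (system bus name :1.30, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Aug 23 06:10:41 box gdm-launch-environment][1180]: pam_unix(gdm-launch-environment:session): session closed for user gdm
Aug 23 06:12:44 box sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Aug 23 06:12:50 box sshd[2215]: Accepted password for alice from 203.0.113.5 port 51130 ssh2
"""

SESSION = re.compile(r"pam_unix\((?P<svc>[^:]+):session\): session (?P<act>opened|closed) "
                     r"for user (?P<user>\S+)(?: by \S*\(uid=(?P<by>\d+)\))?")
AGENT = re.compile(r"polkitd\(authority=local\): (?P<act>Registered|Unregistered) "
                   r"Authentication Agent for (?P<sess>unix-session:\S+)")

def classify(line):
    """Return (verdict, reason); verdict is 'expected' or 'review'."""
    m = SESSION.search(line)
    if m and m["user"] == "gdm":
        # The greeter session is created by root (uid 0), never by another user.
        if m["act"] == "opened" and m["by"] != "0":
            return "review", "gdm session opened by a non-root uid"
        return "expected", "greeter session " + m["act"]
    m = AGENT.search(line)
    if m:
        # Registered = started using an agent, Unregistered = stopped using it.
        return "expected", "polkit agent " + ("start" if m["act"] == "Registered" else "stop")
    return "review", "not display-manager housekeeping"

def unbalanced_agents(lines):
    """Sessions whose register/unregister events do not pair up in this log."""
    balance = Counter()
    for line in lines:
        m = AGENT.search(line)
        if m:
            balance[m["sess"]] += 1 if m["act"] == "Registered" else -1
    return {sess: n for sess, n in balance.items() if n != 0}

if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        verdict, reason = classify(line)
        print(f"{verdict:8} {reason:40} {line[:60]}")
    print("unbalanced agents:", unbalanced_agents(SAMPLE.splitlines()))
```

A "review" verdict only means the line is outside the display-manager pattern; an agent that shows as unbalanced usually belongs to a session that was still open when the log was read.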
1

I think you are worrying about nothing. GDM is the GNOME display manager; it is responsible for making your login screen look GNOME themed.

Try doing this to find out:

sudo dpkg-reconfigure gdm

You can in fact use LightDM instead of GDM; the procedure is the same for both. Using the above-mentioned command will take you to a warning page. Press Enter to get to the next screen:

On the next screen, you'll see all the available display managers. Use Tab to select your preferred one and then press Enter. Once you have selected it, press Tab to go to OK and press Enter again.

Restart the system and you will find your selected display manager at login. The same procedure can be applied to switch between GDM, LightDM, MDM, KDM etc.

Use the info above to change to the LightDM version, and you will see all new log-in GDM entries in the file you posted change to LightDM.

It is in your authentication log due to having root privileges.

Hope this helps

Source for the tutorial HERE

Mark Kirby
  • 18,529
  • Please can you look at the auth log and tell me how I am looking? Please –  Aug 23 '14 at 06:36
  • I do not understand what you mean. It is fine, GDM has authority to log in automatically on your system. auth.log is a list of processes, not users, that have certain privileges within the system. Every time you start your system GDM logs you in; you don't see this, but the log entry is the proof this happened. To remove its permissions simply enable the login screen at boot and you will have to authenticate it with your root password. You have not been "breached". If you worry about hackers or viruses you can find many anti-virus programs for Ubuntu, but it is very secure to begin with. – Mark Kirby Aug 23 '14 at 06:48
  • Thank you, that gives me a sense of peace. Thank you for your help, and should I install antivirus? Is it worth it? –  Aug 23 '14 at 06:50
  • I never have, but I do not keep sensitive or restricted information (like credit card details) on my PC, so it depends what you use it for. Here's some information for you on viruses in Ubuntu: https://help.ubuntu.com/community/Antivirus https://wiki.ubuntu.com/BasicSecurity http://askubuntu.com/questions/10373/do-i-need-to-have-antivirus-software-installed – Mark Kirby Aug 23 '14 at 06:54