babbage's Journal: Apple Remote Desktop bug ?

I think I've found a bug. I'm not sure if it's an ARD bug, a Fink bug,
or something else, but I definitely triggered some unwanted results.

I used ARD2 to install Fink (the 0.6.2 installer package) on two remote
machines, neither of which had a currently logged in user.

When installing Fink locally, one of the last steps is to invoke a shell
script that sets up basic environment information for your account -- it
adds /sw/bin to your path, etc. If Terminal isn't already running, it
will launch for this. I'm not sure how or why Terminal gets launched
when it seems like it should just be able to run silently & detached,
but no matter; suffice to say that the Fink installer launches Terminal.

The installer was taking a very long time to finish, so I took a walk
around the office to see what was going on with these machines. Here,
roughly, is what I found:

        http://devers.homeip.net:8080/images/ard_bug.jpg (204kb)
        http://home.comcast.net/~teridon73/ard_bug.pdf (mirror of original, 1.2mb)

The screengrab above was a 1.2mb download from my poor little bandwidth starved computer at home, but then someone offered to mirror it -- thanks! -- and someone else pointed out that a JPEG would be much smaller. Which it is. So the bandwidth issue shouldn't be such a big deal now.

What we have here is a system displaying the normal login screen while
in the background a Terminal instance is running with the root user's
privileges. Because running Terminal means having a normal menu, I can
also click on the menu items, launch things like Software Update and
System Preferences, and open up new Terminal windows -- with root access
no less -- from which I can run just about anything I please.

For laughs, I launched the Finder & Dock so that I would have something
resembling a normal login session, even though the login window was
still sitting there greedily hogging the middle of the screen.

For more laughs, I used the login window to log in as myself. This
seemed to work, kind of, in that now I had GUI programs running at the
same time, some with my access level (according to the "log out cdevers"
item in the Apple menu) and some with root access (according to the "log
out administrator" item).

If I hadn't manually walked by to see what was going on, I might have
ended up leaving these machines on with unattended root access
overnight. If these machines had been at a remote location, I wouldn't
have necessarily realized what was going on at all -- I didn't even know
it was possible for any user to launch GUI programs from the login
screen, so I'm not sure it would have occurred to me to control the
desktop and see what was going on.

As I say, there are several possible sources of this problem -- ARD,
Fink, something else -- and I'm not sure who to blame. I can't imagine
that this was the intended behavior though, was it ?
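
An added example, not part of the original journal entry: one way an administrator could check a Mac for the state described above, GUI applications running under an account other than the one that owns the console session. It assumes the text comes from `ps -axo user=,pid=,comm=`, that `comm` holds the full executable path, and that the console owner (for instance from `stat -f%Su /dev/console`) is `root` while the login window is showing; the sample process list and the allowlist are constructed for illustration.

```python
import re

# Constructed sample of `ps -axo user=,pid=,comm=` output (not taken from the post).
SAMPLE_PS = """\
root       1 /sbin/launchd
root     212 /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow
root     498 /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
root     502 /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
cdevers  610 /Applications/Safari.app/Contents/MacOS/Safari
"""

# Assumption: loginwindow is the only app bundle expected to run as root.
ALLOWED_ROOT_APPS = {"loginwindow"}

# GUI applications live inside an application bundle: Foo.app/Contents/MacOS/Foo
APP_BUNDLE = re.compile(r"\.app/Contents/MacOS/([^/]+)$")


def parse_ps(text):
    """Yield (user, pid, path) per line; paths may contain spaces."""
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[1].isdigit():
            yield parts[0], int(parts[1]), parts[2].strip()


def stray_gui_processes(ps_text, console_user):
    """Return (pid, user, app) for GUI apps that do not belong to the
    console session. console_user == "root" means nobody is logged in,
    so every app bundle process other than the allowlisted ones is flagged."""
    findings = []
    for user, pid, path in parse_ps(ps_text):
        match = APP_BUNDLE.search(path)
        if not match:
            continue  # not a GUI application bundle
        app = match.group(1)
        if user == "root" and app in ALLOWED_ROOT_APPS:
            continue
        if console_user == "root" or user != console_user:
            findings.append((pid, user, app))
    return findings


if __name__ == "__main__":
    for pid, user, app in stray_gui_processes(SAMPLE_PS, "root"):
        print(f"pid {pid}: {app} running as {user} with no matching session")
```
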
