On Wed, Feb 26, 2014 at 02:39:49PM +0100, Marcin Szewczyk wrote:
> Package: lxsession
> Version: 0.4.9.2-1
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Dear Maintainer,
>
> as described in bug #735854, locking doesn't work. It's a serious problem
> because after invoking lxlock the screen switches to VT8 with a login prompt
> and it looks like it locked the screen. The reality is the session stays
> unlocked and you can return to it with Ctrl-Alt-F7.

Speaking here with my Xfce and lightdm maintainer hat: yes, dm-tool lock is
*not* safe to be used currently. I've reported that on the upstream mailing
list [1,2], but right now there's no way to be actually sure a locker is
running when calling the lock command of dm-tool. See also [3].

So right now, I really think dm-tool lock should *not* be used as a locking
mechanism, despite its name, unless you're 100% sure a locker is running and
will actually lock upon receiving a signal (light-locker is known to do that).

In the end, it might have to be fixed at the consolekit/logind level.

[1]: http://lists.freedesktop.org/archives/lightdm/2013-July/000399.html
[2]: http://lists.freedesktop.org/archives/lightdm/2014-January/000494.html
[3]: https://bugs.launchpad.net/lightdm/+bug/1060228

Regards,
--
Yves-Alexis Perez