** Description changed: + [Impact] + + * The keyboard on the graphical login screen started on VT1 may stop + working and or keypresses including passwords are leaked to the terminal + console running 'behind' the graphical login screen or environment. + + [Test Case] + + * Reboot after installing the fixed systemd package. + * Install sysdig + * Start sysdig on a remote connection or on a terminal console: + $ sudo sysdig evt.type=ioctl | grep request=4B4 + * While sysdig is running log in and out 3 times in GDM and press a few keys in the graphical session to see if keyboard still works + * Log in and out on an other terminal console, too, running a few commands while being logged in to ensure that keyboard is working. + * Observe that on terminal consoles the monitored keyboard setter ioctl is called with argument=3, but where the graphical screen is active only argument=4 is used, unlike with the buggy version observed in https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1803993/comments/14 + + [Regression Potential] + + * The fix checks the current keyboard mode of the VT and allows only + safe mode switches. The potential regression could be not allowing a + valid mode switch keeping a keyboard in a non-operational mode. Testing + covers that by typing the keyboard. + + (continued from bug 1767918) This was found when an administrative error made /home directory inaccessible. Any users that tried to login after that, were not able to (which is expected) but their password appears on the VT1 screen. Under normal circumstances, VT1 is not visible. But once the system was sent into this compromised mode, one can press ctrl+alt+F1 and then ctrl+alt+F2 and get a momentary glance at VT1. One can keep toggling between these key combinations in order to make out the password(s) on VT1. As a further test, I wanted to see if a non-super user could cause this condition, and it is in fact possible. As a regular user, I made their own home directory not writable and then removed ~/.config and logged out. Then logged in as that user again, and although that user can't login the system does go into that mode where passwords appear on VT1 and are viewable with the key combinations mentioned herein. Further, any other users that login will see no problem, but when they logon their passwords also appear on VT1 and are viewable. ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: gdm3 3.28.3-0ubuntu18.04.3 Uname: Linux 4.19.2-041902-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.5 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Mon Nov 19 08:32:59 2018 InstallationDate: Installed on 2018-08-25 (85 days ago) InstallationMedia: Ubuntu 18.04 LTS "Bionic Beaver" - Release amd64 (20180426) ProcEnviron: TERM=xterm-256color PATH=(custom, no user) XDG_RUNTIME_DIR=<set> LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: gdm3 UpgradeStatus: No upgrade log present (probably fresh install)
-- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gdm3 in Ubuntu. https://bugs.launchpad.net/bugs/1803993 Title: Password appears on the VT1 screen To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm3/+bug/1803993/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
