So both the linked branches built in silo 8, and when I tested it, this is what I found:
1. start unity
2. open terminal (Ctrl+Alt+T)
3. type 'sleep 15 && killall -9 compiz'
4. lock screen

observe: screen locks, then unity crashes, then unity restarts locked. So far so good.

5. issue the same command in the terminal again
6. lock the screen again

observe: screen locks, then unity crashes... and doesn't come back.

I'm told this is not a regression (e.g. it's known that unity does not restart after the first crash), however this is significant because when unity does not restart, that terminal just stays open right there, and while it doesn't respond to keyboard input, it does respond to mouse input, so it's possible to issue commands as the logged-in user by copy & pasting (e.g., select some text, right click -> copy, right click -> paste).

So if I'm an attacker and I'm in a position to trigger a crash in compiz, the whole "restarting locked" thing seems kind of weak, because all I have to do is crash compiz... twice.

Granted the unity-free UI is quite limited, maybe there's a browser open and I can access the user's email, or whatever. It's still an attack vector.

--
https://bugs.launchpad.net/bugs/1308572

Title:
  Ubuntu 14.04: security problem in the lock screen

Status in Unity:
  In Progress
Status in “unity” package in Ubuntu:
  In Progress

Bug description:
  affects ubuntu

  Hello,
  I am running Ubuntu 14.04 with all the packages updated. When the screen is locked with password, if I hold ENTER after some seconds the screen freezes and the lock screen crashes. After that I have the computer fully unlocked.

  --
  Marco Agnese

  This bug is about the lockscreen being bypassed when unity crashes/restarts, which is a critical security issue.
  The crash will be handled from bug 1308750

