[Bug 1314971] Re: Potential Security Issue - Having multiple users logins the administrator account without asking for password
@Andrew I don't quite remember if I had installed wth automatic login or not; but I had changed that setting a couple of times (twice/thrice) from Systems Settings (Gnome Control Panel User Accounts). And I am using Ubuntu GNOME 14.04 fresh install. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gdm in Ubuntu. https://bugs.launchpad.net/bugs/1314971 Title: Potential Security Issue - Having multiple users logins the administrator account without asking for password To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm/+bug/1314971/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1314971] Re: Potential Security Issue - Having multiple users logins the administrator account without asking for password
I suspect this happens when you install with automatic login, then turn it off. Or when you're using some other derived distribution. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gdm in Ubuntu. https://bugs.launchpad.net/bugs/1314971 Title: Potential Security Issue - Having multiple users logins the administrator account without asking for password To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm/+bug/1314971/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1314971] Re: Potential Security Issue - Having multiple users logins the administrator account without asking for password
I tried to recreate this problem without success; when I created another non-administrator account, assigned both accounts passwords, and returned to the gdm screen it sat there blankly waiting for input. Please run apport-collect 1314971 to attach some debugging information to this bug report; perhaps we'll be able to discover the issue with more information. Thanks ** Information type changed from Private Security to Public Security ** Changed in: gdm (Ubuntu) Status: New = Incomplete -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gdm in Ubuntu. https://bugs.launchpad.net/bugs/1314971 Title: Potential Security Issue - Having multiple users logins the administrator account without asking for password To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm/+bug/1314971/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1314971] Re: Potential Security Issue - Having multiple users logins the administrator account without asking for password
apport information ** Tags added: apport-collected trusty ** Description changed: Basic Info: --- 1. OS: Ubuntu GNOME 14.04 (with all the updates applied till now) 2. GDM package information: $ apt-cache policy gdm gdm: Installed: 3.10.0.1-0ubuntu3 Candidate: 3.10.0.1-0ubuntu3 Version table: *** 3.10.0.1-0ubuntu3 0 500 http://in.archive.ubuntu.com/ubuntu/ trusty/universe i386 Packages 100 /var/lib/dpkg/status --- I have two user accounts setup: 1. Aditya (Administrator) 2. Mohit (Standard User) Both the accounts have passwords on them and Automatic Login is off for both of them. When I reboot, two cases happen: 1. If I don't select which user account I want to login (Administrator account is autoselected initially), GNOME waits for about ~5 secs and then starts displaying a progress bar around the Adminstrator Account (Aditya) indicating that this account would login when it reaches 100% (it takes about 10 secs for progress bar to finish). Once the progress bar finished, it logs the Administrator without asking for user password and anyone can use the account without knowing the password at all. 2. Even when I select the Standard Account (Mohit) (but don't press return/enter - ie; I don't reach the password screen for Mohit) then GNOME waits for about ~5 secs and thereafter selects the Administrator Account (Aditya) by itself and repeats case 1 mentioned above. However, since I have the Online Accounts setup, it nags me a couple of times initially after login to enter the password, but I can just press Escape and don't need to enter the password. (The Online Accounts feature don't work as expected since I don't provide the password to it). Screenshot of it nagging me to provide password for Online Accounts: http://i.stack.imgur.com/M09HP.png + --- + ApportVersion: 2.14.1-0ubuntu3 + Architecture: i386 + CurrentDesktop: GNOME + DistroRelease: Ubuntu 14.04 + InstallationDate: Installed on 2014-04-18 (12 days ago) + InstallationMedia: This + Package: gdm 3.10.0.1-0ubuntu3 + PackageArchitecture: i386 + Tags: trusty + Uname: Linux 3.14.2-031402-generic i686 + UpgradeStatus: No upgrade log present (probably fresh install) + UserGroups: adm cdrom dip lpadmin plugdev sambashare sudo + _MarkForUpload: True + mtime.conffile..etc.gdm.custom.conf: 2014-04-28T01:23:29.870182 ** Attachment added: Dependencies.txt https://bugs.launchpad.net/bugs/1314971/+attachment/4102589/+files/Dependencies.txt -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gdm in Ubuntu. https://bugs.launchpad.net/bugs/1314971 Title: Potential Security Issue - Having multiple users logins the administrator account without asking for password To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm/+bug/1314971/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1314971] Re: Potential Security Issue - Having multiple users logins the administrator account without asking for password
Hi Seth Arnold, Give me some time, I would also upload the video showing this behavior. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gdm in Ubuntu. https://bugs.launchpad.net/bugs/1314971 Title: Potential Security Issue - Having multiple users logins the administrator account without asking for password To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm/+bug/1314971/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1314971] Re: Potential Security Issue - Having multiple users logins the administrator account without asking for password
Thanks for uploading the additional information; this looks like intentional behaviour: TimedLoginEnable=true TimedLogin=aditya TimedLoginDelay=10 I suspect removing these lines from your /etc/gdm/custom.conf and then restarting gdm would solve your issue. Thanks ** Changed in: gdm (Ubuntu) Status: Incomplete = Invalid -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gdm in Ubuntu. https://bugs.launchpad.net/bugs/1314971 Title: Potential Security Issue - Having multiple users logins the administrator account without asking for password To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm/+bug/1314971/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1314971] Re: Potential Security Issue - Having multiple users logins the administrator account without asking for password
And I never saw the option of Timed Login anywhere. Where did that setting come from? -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gdm in Ubuntu. https://bugs.launchpad.net/bugs/1314971 Title: Potential Security Issue - Having multiple users logins the administrator account without asking for password To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm/+bug/1314971/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1314971] Re: Potential Security Issue - Having multiple users logins the administrator account without asking for password
Hi Seth Arnold, That does fix the issue. But shouldn't this default behavior change. I never touched that file myself (at least not intentionally). I had once/twice enabled automatic login for accounts (using System Settings User Accounts), but disabled it afterwards. Disabling it should have made necessary changes to those files. Can you please try that? I would also try to enable automatic login once again and then disable it to see if this problem pops up once again. Thanks for the help. -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gdm in Ubuntu. https://bugs.launchpad.net/bugs/1314971 Title: Potential Security Issue - Having multiple users logins the administrator account without asking for password To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm/+bug/1314971/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
[Bug 1314971] Re: Potential Security Issue - Having multiple users logins the administrator account without asking for password
I couldn't reproduce the timed login by enabling and disabling automatic account logins either. I'm not sure how the configuration options got set, hopefully a gnome expert will spot this and point out where those settings are exposed to users. Thanks -- You received this bug notification because you are a member of Ubuntu Desktop Bugs, which is subscribed to gdm in Ubuntu. https://bugs.launchpad.net/bugs/1314971 Title: Potential Security Issue - Having multiple users logins the administrator account without asking for password To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdm/+bug/1314971/+subscriptions -- desktop-bugs mailing list desktop-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/desktop-bugs
