Package: physlock
Version: 0.4.5-2
Severity: grave

Dear Maintainer,

"Debian installs default to disabling the root account when the
user does not input a root password.  However in such cases
physlock does the incorrect thing and allows a user who types
root [ENTER] [ENTER] to bypass the security check (with a minor
error message displayed).  The correct behaviour is to forbid root
login and keep the lock in place."

I stole this from: https://github.com/muennich/physlock/issues/51.

I reproduced this.

As the above-mentioned GitHub issue mentions, current master behaves
differently, meaning it "uses the utmp file to identify the owner
of the current session", which in turn means it's not possible any
more to specify the user who locks the VTs.  However, this way it
does not allow logging in as root when a normal user locked the
VTs.

Sorry if you already got this information from this GitHub issue,
but I felt it was appropriate to open a bug report for this
issue.

Thanks, Gregor

-- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
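
A fail-closed unlock decision for the case this report describes (a root account with no usable password), as an added example that is not physlock's code and not a reconstruction of its bug. The names `may_unlock`, `hash_fn` and `toy_hash` are hypothetical, and `toy_hash` is a constructed stand-in for crypt(3) so the block runs without libcrypt.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical callback: hashes `typed` with the parameters found in
 * `stored` and returns the result, or NULL on failure (as crypt(3) can). */
typedef const char *(*hash_fn)(const char *typed, const char *stored);

/* A shadow password field starting with '!' or '*' matches no password:
 * the account is locked. An empty field (no password set) is also refused
 * here, as a policy choice for a screen locker. */
static int hash_is_usable(const char *stored)
{
    return stored != NULL && stored[0] != '\0' &&
           stored[0] != '!' && stored[0] != '*';
}

/* Length-checked comparison that does not stop at the first differing byte. */
static int equal_hashes(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Returns 1 only when the typed password verifiably matches. Every other
 * outcome, including a locked account or a hashing error, keeps the lock. */
int may_unlock(const char *stored, const char *typed, hash_fn hash)
{
    if (!hash_is_usable(stored) || typed == NULL || hash == NULL)
        return 0;
    const char *computed = hash(typed, stored);
    if (computed == NULL)   /* hashing failed: never treat this as a match */
        return 0;
    return equal_hashes(computed, stored);
}

/* Constructed stand-in for crypt(3): accepts only "$toy$..." stored values
 * and returns "$toy$" followed by the typed password. Not a real hash. */
const char *toy_hash(const char *typed, const char *stored)
{
    static char out[64];
    if (strncmp(stored, "$toy$", 5) != 0)
        return NULL;
    snprintf(out, sizeof out, "$toy$%s", typed);
    return out;
}
```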
