[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.

2020-06-16 Thread Philippe
#6 Chris quote:
4. Go to "System" -> "Administration" -> "Users and Groups".
5. Change password from "Asked on logon" to "Not asked on logon".
6. Lock your machine.
7. Press "Switch User".
8. Observe no password is required to unlock as the current user.

I confirm this issue on Ubuntu Mate 20.04.0 in a virtual machine. I can
reproduce it each times.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1706770

Title:
  Lock screen can be bypassed when auto-login is enabled.

Status in Ubuntu MATE:
  Confirmed
Status in lightdm package in Ubuntu:
  Fix Committed
Status in mate-session-manager package in Ubuntu:
  Confirmed

Bug description:
  16.04 LTS
  =

  Hi,

  My machine is set up with full-disk encryption, so it requires a
  password when I boot it up. Because of this I thought I would enable
  auto-login to avoid having to enter two passwords at boot.

  When I leave my computer for short periods of time, I lock it. I
  thought this was working fine for a long time, but I've discovered the
  lock screen is actually easily bypassable when auto-login is enabled.
  All one has to do is click "Switch User" on the lock screen, then
  press "Unlock" and the computer unlocks without prompting for a
  password.

  Perhaps this is just me being an idiot, but I thought this was secure
  until now. It seems like either unlocking should always require a
  password (otherwise what's the point of locking in the first place) or
  it should be made totally obvious that unlocking doesn't actually
  require a password (i.e. removing the password box from the lock
  screen when auto-login is enabled).

  Thanks,
  Chris

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.

2020-05-09 Thread bpiero
Dammit! I cant believe this level of lack of security could happen in
this project. WHAT A SHAME!

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1706770

Title:
  Lock screen can be bypassed when auto-login is enabled.

Status in Ubuntu MATE:
  Confirmed
Status in lightdm package in Ubuntu:
  Fix Committed
Status in mate-session-manager package in Ubuntu:
  Confirmed

Bug description:
  16.04 LTS
  =

  Hi,

  My machine is set up with full-disk encryption, so it requires a
  password when I boot it up. Because of this I thought I would enable
  auto-login to avoid having to enter two passwords at boot.

  When I leave my computer for short periods of time, I lock it. I
  thought this was working fine for a long time, but I've discovered the
  lock screen is actually easily bypassable when auto-login is enabled.
  All one has to do is click "Switch User" on the lock screen, then
  press "Unlock" and the computer unlocks without prompting for a
  password.

  Perhaps this is just me being an idiot, but I thought this was secure
  until now. It seems like either unlocking should always require a
  password (otherwise what's the point of locking in the first place) or
  it should be made totally obvious that unlocking doesn't actually
  require a password (i.e. removing the password box from the lock
  screen when auto-login is enabled).

  Thanks,
  Chris

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.

2020-03-22 Thread Norbert
** Tags added: xenial

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1706770

Title:
  Lock screen can be bypassed when auto-login is enabled.

Status in Ubuntu MATE:
  Confirmed
Status in lightdm package in Ubuntu:
  Fix Committed
Status in mate-session-manager package in Ubuntu:
  Confirmed

Bug description:
  16.04 LTS
  =

  Hi,

  My machine is set up with full-disk encryption, so it requires a
  password when I boot it up. Because of this I thought I would enable
  auto-login to avoid having to enter two passwords at boot.

  When I leave my computer for short periods of time, I lock it. I
  thought this was working fine for a long time, but I've discovered the
  lock screen is actually easily bypassable when auto-login is enabled.
  All one has to do is click "Switch User" on the lock screen, then
  press "Unlock" and the computer unlocks without prompting for a
  password.

  Perhaps this is just me being an idiot, but I thought this was secure
  until now. It seems like either unlocking should always require a
  password (otherwise what's the point of locking in the first place) or
  it should be made totally obvious that unlocking doesn't actually
  require a password (i.e. removing the password box from the lock
  screen when auto-login is enabled).

  Thanks,
  Chris

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.

2020-03-17 Thread Rudra Saraswat
** Changed in: lightdm (Ubuntu)
   Status: Confirmed => Fix Committed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1706770

Title:
  Lock screen can be bypassed when auto-login is enabled.

Status in Ubuntu MATE:
  Confirmed
Status in lightdm package in Ubuntu:
  Fix Committed
Status in mate-session-manager package in Ubuntu:
  Confirmed

Bug description:
  16.04 LTS
  =

  Hi,

  My machine is set up with full-disk encryption, so it requires a
  password when I boot it up. Because of this I thought I would enable
  auto-login to avoid having to enter two passwords at boot.

  When I leave my computer for short periods of time, I lock it. I
  thought this was working fine for a long time, but I've discovered the
  lock screen is actually easily bypassable when auto-login is enabled.
  All one has to do is click "Switch User" on the lock screen, then
  press "Unlock" and the computer unlocks without prompting for a
  password.

  Perhaps this is just me being an idiot, but I thought this was secure
  until now. It seems like either unlocking should always require a
  password (otherwise what's the point of locking in the first place) or
  it should be made totally obvious that unlocking doesn't actually
  require a password (i.e. removing the password box from the lock
  screen when auto-login is enabled).

  Thanks,
  Chris

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.

2020-03-15 Thread Alex Murray
** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1706770

Title:
  Lock screen can be bypassed when auto-login is enabled.

Status in Ubuntu MATE:
  Confirmed
Status in lightdm package in Ubuntu:
  Confirmed
Status in mate-session-manager package in Ubuntu:
  Confirmed

Bug description:
  16.04 LTS
  =

  Hi,

  My machine is set up with full-disk encryption, so it requires a
  password when I boot it up. Because of this I thought I would enable
  auto-login to avoid having to enter two passwords at boot.

  When I leave my computer for short periods of time, I lock it. I
  thought this was working fine for a long time, but I've discovered the
  lock screen is actually easily bypassable when auto-login is enabled.
  All one has to do is click "Switch User" on the lock screen, then
  press "Unlock" and the computer unlocks without prompting for a
  password.

  Perhaps this is just me being an idiot, but I thought this was secure
  until now. It seems like either unlocking should always require a
  password (otherwise what's the point of locking in the first place) or
  it should be made totally obvious that unlocking doesn't actually
  require a password (i.e. removing the password box from the lock
  screen when auto-login is enabled).

  Thanks,
  Chris

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.

2020-03-15 Thread Rudra Saraswat
** Changed in: ubuntu-mate
   Status: New => Confirmed

** Information type changed from Public Security to Private Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1706770

Title:
  Lock screen can be bypassed when auto-login is enabled.

Status in Ubuntu MATE:
  Confirmed
Status in lightdm package in Ubuntu:
  Confirmed
Status in mate-session-manager package in Ubuntu:
  Confirmed

Bug description:
  16.04 LTS
  =

  Hi,

  My machine is set up with full-disk encryption, so it requires a
  password when I boot it up. Because of this I thought I would enable
  auto-login to avoid having to enter two passwords at boot.

  When I leave my computer for short periods of time, I lock it. I
  thought this was working fine for a long time, but I've discovered the
  lock screen is actually easily bypassable when auto-login is enabled.
  All one has to do is click "Switch User" on the lock screen, then
  press "Unlock" and the computer unlocks without prompting for a
  password.

  Perhaps this is just me being an idiot, but I thought this was secure
  until now. It seems like either unlocking should always require a
  password (otherwise what's the point of locking in the first place) or
  it should be made totally obvious that unlocking doesn't actually
  require a password (i.e. removing the password box from the lock
  screen when auto-login is enabled).

  Thanks,
  Chris

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.

2017-10-18 Thread Chris Gavin
After a bit more investigation, being in the `nopasswdlogin` group is
what causes the switch-user screen to not ask for a password.

Having `autologin-user` set to your username in
/etc/lightdm/lightdm.conf is what works correctly.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1706770

Title:
  Lock screen can be bypassed when auto-login is enabled.

Status in ubuntu-mate:
  New
Status in lightdm package in Ubuntu:
  Confirmed
Status in mate-session-manager package in Ubuntu:
  Confirmed

Bug description:
  16.04 LTS
  =

  Hi,

  My machine is set up with full-disk encryption, so it requires a
  password when I boot it up. Because of this I thought I would enable
  auto-login to avoid having to enter two passwords at boot.

  When I leave my computer for short periods of time, I lock it. I
  thought this was working fine for a long time, but I've discovered the
  lock screen is actually easily bypassable when auto-login is enabled.
  All one has to do is click "Switch User" on the lock screen, then
  press "Unlock" and the computer unlocks without prompting for a
  password.

  Perhaps this is just me being an idiot, but I thought this was secure
  until now. It seems like either unlocking should always require a
  password (otherwise what's the point of locking in the first place) or
  it should be made totally obvious that unlocking doesn't actually
  require a password (i.e. removing the password box from the lock
  screen when auto-login is enabled).

  Thanks,
  Chris

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.

2017-10-18 Thread Chris Gavin
If it helps, I've reproduced this in a fresh Ubuntu Mate virtual
machine.

1. Install Ubuntu Mate following all the usual steps until you get to the 
account creation screen.
2. Create a user account with a password and leave "require password at login" 
checked.
3. Finish installation and reboot.
4. Go to "System" -> "Administration" -> "Users and Groups".
5. Change password from "Asked on logon" to "Not asked on logon".
6. Lock your machine.
7. Press "Switch User".
8. Observe no password is required to unlock as the current user.

For some reason, the problem doesn't happen when you set your account to
not require a password at installation. Even more oddly, the user
account still shows "Asked on logon" for the user created at
installation, even though the option to not require a password was
checked, and seems to be effective at boot. I guess they must just be
implemented in different ways.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1706770

Title:
  Lock screen can be bypassed when auto-login is enabled.

Status in ubuntu-mate:
  New
Status in lightdm package in Ubuntu:
  Confirmed
Status in mate-session-manager package in Ubuntu:
  Confirmed

Bug description:
  16.04 LTS
  =

  Hi,

  My machine is set up with full-disk encryption, so it requires a
  password when I boot it up. Because of this I thought I would enable
  auto-login to avoid having to enter two passwords at boot.

  When I leave my computer for short periods of time, I lock it. I
  thought this was working fine for a long time, but I've discovered the
  lock screen is actually easily bypassable when auto-login is enabled.
  All one has to do is click "Switch User" on the lock screen, then
  press "Unlock" and the computer unlocks without prompting for a
  password.

  Perhaps this is just me being an idiot, but I thought this was secure
  until now. It seems like either unlocking should always require a
  password (otherwise what's the point of locking in the first place) or
  it should be made totally obvious that unlocking doesn't actually
  require a password (i.e. removing the password box from the lock
  screen when auto-login is enabled).

  Thanks,
  Chris

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.

2017-10-11 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: mate-session-manager (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1706770

Title:
  Lock screen can be bypassed when auto-login is enabled.

Status in ubuntu-mate:
  New
Status in lightdm package in Ubuntu:
  Confirmed
Status in mate-session-manager package in Ubuntu:
  Confirmed

Bug description:
  16.04 LTS
  =

  Hi,

  My machine is set up with full-disk encryption, so it requires a
  password when I boot it up. Because of this I thought I would enable
  auto-login to avoid having to enter two passwords at boot.

  When I leave my computer for short periods of time, I lock it. I
  thought this was working fine for a long time, but I've discovered the
  lock screen is actually easily bypassable when auto-login is enabled.
  All one has to do is click "Switch User" on the lock screen, then
  press "Unlock" and the computer unlocks without prompting for a
  password.

  Perhaps this is just me being an idiot, but I thought this was secure
  until now. It seems like either unlocking should always require a
  password (otherwise what's the point of locking in the first place) or
  it should be made totally obvious that unlocking doesn't actually
  require a password (i.e. removing the password box from the lock
  screen when auto-login is enabled).

  Thanks,
  Chris

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.

2017-10-11 Thread Launchpad Bug Tracker
Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: lightdm (Ubuntu)
   Status: New => Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1706770

Title:
  Lock screen can be bypassed when auto-login is enabled.

Status in ubuntu-mate:
  New
Status in lightdm package in Ubuntu:
  Confirmed
Status in mate-session-manager package in Ubuntu:
  Confirmed

Bug description:
  16.04 LTS
  =

  Hi,

  My machine is set up with full-disk encryption, so it requires a
  password when I boot it up. Because of this I thought I would enable
  auto-login to avoid having to enter two passwords at boot.

  When I leave my computer for short periods of time, I lock it. I
  thought this was working fine for a long time, but I've discovered the
  lock screen is actually easily bypassable when auto-login is enabled.
  All one has to do is click "Switch User" on the lock screen, then
  press "Unlock" and the computer unlocks without prompting for a
  password.

  Perhaps this is just me being an idiot, but I thought this was secure
  until now. It seems like either unlocking should always require a
  password (otherwise what's the point of locking in the first place) or
  it should be made totally obvious that unlocking doesn't actually
  require a password (i.e. removing the password box from the lock
  screen when auto-login is enabled).

  Thanks,
  Chris

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.

2017-09-02 Thread Douglas H. Silva
Unable to reproduce this in Ubuntu MATE 17.04. I use full-disk
encryption too and enabled auto-login as well.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1706770

Title:
  Lock screen can be bypassed when auto-login is enabled.

Status in ubuntu-mate:
  New
Status in lightdm package in Ubuntu:
  New
Status in mate-session-manager package in Ubuntu:
  New

Bug description:
  16.04 LTS
  =

  Hi,

  My machine is set up with full-disk encryption, so it requires a
  password when I boot it up. Because of this I thought I would enable
  auto-login to avoid having to enter two passwords at boot.

  When I leave my computer for short periods of time, I lock it. I
  thought this was working fine for a long time, but I've discovered the
  lock screen is actually easily bypassable when auto-login is enabled.
  All one has to do is click "Switch User" on the lock screen, then
  press "Unlock" and the computer unlocks without prompting for a
  password.

  Perhaps this is just me being an idiot, but I thought this was secure
  until now. It seems like either unlocking should always require a
  password (otherwise what's the point of locking in the first place) or
  it should be made totally obvious that unlocking doesn't actually
  require a password (i.e. removing the password box from the lock
  screen when auto-login is enabled).

  Thanks,
  Chris

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1706770] Re: Lock screen can be bypassed when auto-login is enabled.

2017-08-29 Thread Martin Wimpress
** Also affects: lightdm (Ubuntu)
   Importance: Undecided
   Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1706770

Title:
  Lock screen can be bypassed when auto-login is enabled.

Status in ubuntu-mate:
  New
Status in lightdm package in Ubuntu:
  New
Status in mate-session-manager package in Ubuntu:
  New

Bug description:
  16.04 LTS
  =

  Hi,

  My machine is set up with full-disk encryption, so it requires a
  password when I boot it up. Because of this I thought I would enable
  auto-login to avoid having to enter two passwords at boot.

  When I leave my computer for short periods of time, I lock it. I
  thought this was working fine for a long time, but I've discovered the
  lock screen is actually easily bypassable when auto-login is enabled.
  All one has to do is click "Switch User" on the lock screen, then
  press "Unlock" and the computer unlocks without prompting for a
  password.

  Perhaps this is just me being an idiot, but I thought this was secure
  until now. It seems like either unlocking should always require a
  password (otherwise what's the point of locking in the first place) or
  it should be made totally obvious that unlocking doesn't actually
  require a password (i.e. removing the password box from the lock
  screen when auto-login is enabled).

  Thanks,
  Chris

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-mate/+bug/1706770/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp