*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: upstart

Currently, if a user is in gnome, and locks their screen, pressing ctrl-
alt-delete will do nothing.  If the screen isn't locked, it brings up
the logout dialog.

This is fine, but if they switch to a VT and hit ctrl-alt-delete, it
will restart the machine.

I don't believe this is the proper behavior, because that means that
someone can simply go to a machine with a locked session, switch to a
VT, and restart the machine causing the user to lose all data.

Of course there is the argument that someone could press the hardware
power button or hardware reset button to achieve the same goal, but
suppose the machine itself was hidden away and just the keyboard was
exposed.  This leaves for an easy way to cause users to lose data.

It seems that /etc/event.d/control-alt-delete is what is controlling the 
behavior from a console.  It's currently set to:
     exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

I think it should check for the presence of a running pid for any X
login manager such as gdm, kdm, xdm as well as for X itself.  This would
then cover the case that someone ctrl-alt-backspaces out of X (that's a
separate problem), since the login manager will still be running.

** Affects: upstart (Ubuntu)
     Importance: Undecided
         Status: New

** This bug has been flagged as a security issue

** Description changed:

  Binary package hint: upstart
  
- Currently, if a user is in gnome, and locks there screen, pressing ctrl-
+ Currently, if a user is in gnome, and locks their screen, pressing ctrl-
  alt-delete will do nothing.  If the screen isn't locked, it brings up
  the logout dialog.
  
  This is fine, but if they switch to a VT and hit ctrl-alt-delete, it
  will restart the machine.
  
  I don't believe this is the proper behavior, because that means that
  someone can simply go to a machine with a locked session, switch to a
  VT, and restart the machine causing the user to lose all data.
  
  Of course there is the argument that someone could press the hardware
  power button or hardware reset button to achieve the same goal, but
  suppose the machine itself was hidden away and just they keyboard was
  exposed.  This leaves for an easy way to cause users to lose data.
  
  It seems that /etc/event.d/control-alt-delete is what is controlling the 
behavior from a console.  It's currently set to:
       exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
  
  I think it should check for the presence of a running pid for any X
  login manager such as gdm,kdm,xdm as well as for X itself.  This would
  then cover the case that someone ctrl-alt-backspaces out of X ( that's a
  separate problem ), since the login manager will still be running.

-- 
control-alt-delete should not restart the machine if gdm,kdm, xdm, or X is 
running
https://bugs.launchpad.net/bugs/300771

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
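
One way to implement the check proposed in the report, as an added example that is not part of the original report or of the upstart package. The script path /usr/local/sbin/cad-guard, the --handle argument, the extra process name Xorg and the use of /proc/<pid>/status to read process names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: guard for the console Ctrl-Alt-Delete handler.
# Assumed usage: the exec line in /etc/event.d/control-alt-delete would call
#   /usr/local/sbin/cad-guard --handle     (hypothetical path and argument)
# instead of calling /sbin/shutdown directly.

# Process names that indicate a login manager or X server is running.
# gdm, kdm, xdm and X come from the report; Xorg is an added assumption.
GUARD_NAMES="gdm kdm xdm X Xorg"

# Print the name of the first guarded process found under a proc root
# (default /proc). Returns 1 if none is running.
display_process_running() {
    proc_root="${1:-/proc}"
    for status in "$proc_root"/[0-9]*/status; do
        [ -r "$status" ] || continue    # process exited, or glob did not match
        # The first line of status is "Name:<TAB><command name>".
        name=$(sed -n '1s/^Name:[[:space:]]*//p' "$status" 2>/dev/null)
        for wanted in $GUARD_NAMES; do
            if [ "$name" = "$wanted" ]; then
                printf '%s\n' "$name"
                return 0
            fi
        done
    done
    return 1
}

# Decide what the handler should do: prints "ignore" or "reboot".
cad_decision() {
    if display_process_running "${1:-/proc}" >/dev/null; then
        echo ignore
    else
        echo reboot
    fi
}

# Act only when invoked as the key handler, so the functions can be
# sourced or tested without touching the machine.
if [ "${1:-}" = "--handle" ]; then
    if [ "$(cad_decision)" = reboot ]; then
        exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
    fi
    logger -t cad-guard "Control-Alt-Delete ignored: login manager or X is running"
fi
```

Matching is by exact process name, so a login manager whose process is named differently from the list would not be detected and the reboot would proceed.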