*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: upstart

Currently, if a user is in gnome, and locks their screen, pressing ctrl-alt-delete will do nothing. If the screen isn't locked, it brings up the logout dialog. This is fine, but if they switch to a VT and hit ctrl-alt-delete, it will restart the machine.

I don't believe this is the proper behavior, because that means that someone can simply go to a machine with a locked session, switch to a VT, and restart the machine causing the user to lose all data. Of course there is the argument that someone could press the hardware power button or hardware reset button to achieve the same goal, but suppose the machine itself was hidden away and just the keyboard was exposed. This leaves for an easy way to cause users to lose data.

It seems that /etc/event.d/control-alt-delete is what is controlling the behavior from a console. It's currently set to:

    exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

I think it should check for the presence of a running pid for any X login manager such as gdm, kdm, xdm as well as for X itself. This would then cover the case that someone ctrl-alt-backspaces out of X (that's a separate problem), since the login manager will still be running.

** Affects: upstart (Ubuntu)
     Importance: Undecided
         Status: New

** This bug has been flagged as a security issue

** Description changed:

  Binary package hint: upstart

- Currently, if a user is in gnome, and locks there screen, pressing ctrl-
+ Currently, if a user is in gnome, and locks their screen, pressing ctrl-
  alt-delete will do nothing. If the screen isn't locked, it brings up the logout dialog. This is fine, but if they switch to a VT and hit ctrl-alt-delete, it will restart the machine.

  I don't believe this is the proper behavior, because that means that someone can simply go to a machine with a locked session, switch to a VT, and restart the machine causing the user to lose all data. Of course there is the argument that someone could press the hardware power button or hardware reset button to achieve the same goal, but suppose the machine itself was hidden away and just they keyboard was exposed. This leaves for an easy way to cause users to lose data.

  It seems that /etc/event.d/control-alt-delete is what is controlling the behavior from a console. It's currently set to:

  exec /sbin/shutdown -r now "Control-Alt-Delete pressed"

  I think it should check for the presence of a running pid for any X login manager such as gdm,kdm,xdm as well as for X itself. This would then cover the case that someone ctrl-alt-backspaces out of X ( that's a separate problem ), since the login manager will still be running.

--
control-alt-delete should not restart the machine if gdm,kdm, xdm, or X is running
https://bugs.launchpad.net/bugs/300771
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
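
The check proposed in the report, sketched as an added example (it is not part of the original report and not upstart's own code): the console handler reboots only when none of gdm, kdm, xdm or the X server is running. The function names, the `PROC_LIST` and `DRY_RUN` hooks, and the inclusion of `Xorg` alongside `X` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: guard for the console Ctrl-Alt-Delete handler.
# Assumption: these process names indicate that a graphical session
# (possibly locked) may be present on the machine.
GUARDED_PROCS="gdm kdm xdm X Xorg"

# proc_running NAME: true if a process with exactly this name exists.
# PROC_LIST (hypothetical test hook) replaces the live process table with
# a newline-separated list of process names.
proc_running() {
    if [ -n "${PROC_LIST+set}" ]; then
        printf '%s\n' "$PROC_LIST" | grep -qxF "$1"
    else
        pgrep -x "$1" >/dev/null 2>&1
    fi
}

# cad_blocker: print the first guarded process found and return 0;
# return 1 when none of them is running.
cad_blocker() {
    for name in $GUARDED_PROCS; do
        if proc_running "$name"; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# handle_cad: what the job would run instead of calling shutdown directly.
# Prints "ignore" or "reboot"; with DRY_RUN=1 nothing else happens.
handle_cad() {
    if blocker=$(cad_blocker); then
        if [ "${DRY_RUN:-0}" != 1 ]; then
            # Leave a trace so an ignored key press is visible in the logs.
            logger -t control-alt-delete "ignored: $blocker is running" || true
        fi
        echo "ignore"
        return 0
    fi
    echo "reboot"
    if [ "${DRY_RUN:-0}" != 1 ]; then
        exec /sbin/shutdown -r now "Control-Alt-Delete pressed"
    fi
}
```

Matching is on the exact process name, so a process such as `gdm-helper` does not count as a running login manager.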