** Changed in: unity (Ubuntu Trusty)
Status: New => In Progress
** Changed in: unity (Ubuntu Trusty)
Importance: Undecided => Medium
** Changed in: unity (Ubuntu Trusty)
Assignee: (unassigned) => Stephen M. Webb (bregma)
** Description changed:
- Lightdm should not emit logind "unlock" signal when the user is not
- prompted for a password. This can lead to a security issue:
+ [IMPACT]
+ A user is presented with a password dialog even if a member of the
nopasswdlogin group (and may not have a password).
- # Log-in (unity session).
- # Add the current user to nopasswdlogin group.
- # Lock the sessions.
- # Session indicator->Switch account...
- # "Login" in again.
+ [TEST CASE]
- Expected behavior:
- The lockscreen is still active.
+ (1) Create a test user.
+ (2) Add the test user to the nopasswdlogin group.
+ (3) Log in to a Unity session using that acocunt.
+ (4) Lock the screen.
+ (5) Attempt to unlock the screen: no password prompt should be presented.
- Current behavior:
- The session in unlocked.
+ [REGRESSION POTENTIAL]
- We could workaround the issue directly in unity, but IMHO would be
- cleaner to avoid that lightdm is emitting the logind signal.
+ Conceivably allowing a login with no authentication could present
+ unexpected vulnerabilities in which unforseen code paths also exercise
+ this function. Care has been taken by the developer to avoid such
+ cases.
+
+ [OTHER INFO]
+
+ The fix for Ubuntu 14.04 LTS was cherry picked from the Ubuntu "Vivid
+ Vervet" dev release where it has been in production use for some time
+ without apparent regression.
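Review bot: the new [TEST CASE] (steps 1 to 5) only verifies that a member of nopasswdlogin gets no password prompt. It drops the removed reproduction through "Session indicator->Switch account..." and never checks that a locked session stays locked for a user outside the group. Since [REGRESSION POTENTIAL] itself names unforeseen code paths reaching the no-authentication unlock, suggest adding a step that repeats the lock and switch-account sequence with a user who is not in nopasswdlogin and confirms the password prompt still appears.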
--
https://bugs.launchpad.net/bugs/1413790
Title:
It's possible to bypasss lockscreen if user is in nopasswdlogin group.