"Start new session" auto logs in as previous new session starter (only in Edgy)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
kdebase (Ubuntu) | Invalid | Undecided | Unassigned | |
Edgy | Invalid | Undecided | Unassigned | |
Bug Description
Binary package hint: kdm
I'm running Kubuntu 6.10.
Instructions:
Use KDM as your login manager and log in to KDE.
Open a terminal.
Type "sudo adduser bug" and fill in the details to create a new user called "bug".
Go to K-menu->Switch User->Start New Session.
The KDM login manager screen should appear. Log in as "bug" with your password.
Log out as bug and switch back to your first session (should happen automatically).
Go to K-menu->Switch User->Start New Session.
What happens:
You will be automatically logged into KDE as "bug" without being asked if you wanted to or being asked for the password.
What I expected:
To be presented with the KDM login screen.
If you wait a couple of minutes before doing the final instruction, the expected behaviour happens. My KDM settings say to automatically log in on X server crash and auto-login my main (not "bug") user.
This seems like a serious security problem to me in an environment where people share machines, as it would be easy to let someone log in as your new session, wait for them to log out and then log in to their account with no password.
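The report mentions KDM being set to log in again after an X server crash and to auto-log in the main user. The following is an added example, not part of the original report, that lists the kdmrc options which start a session without a password prompt so they can be reviewed on shared machines. `AutoReLogin`, `AutoLoginEnable`, `AutoLoginAgain` and `NoPassEnable` are KDM's kdmrc option names; the sample file and the user name `alice` are constructed.

```python
import configparser

# kdmrc options that start a session without asking for a password,
# mapped to the companion key that names the affected user(s), if any.
RISKY = {
    "AutoReLogin": None,               # log in again after an X server crash
    "AutoLoginEnable": "AutoLoginUser",
    "AutoLoginAgain": None,            # auto-login again after logout
    "NoPassEnable": "NoPassUsers",
}

# Constructed sample, not taken from the reporter's machine.
SAMPLE_KDMRC = """\
[General]
ConfigVersion=2.3

[X-*-Core]
AutoReLogin=true
AllowShutdown=Root

[X-:0-Core]
AutoLoginEnable=true
AutoLoginUser=alice
AutoLoginAgain=false

[X-:*-Core]
NoPassEnable=false
"""

def audit_kdmrc(text):
    """Return (section, option, users) for every enabled password-less option."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep option names case-sensitive
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("X-"):  # only per-display sections apply
            continue
        for option, users_key in RISKY.items():
            if cp.get(section, option, fallback="false").strip().lower() == "true":
                users = cp.get(section, users_key, fallback="") if users_key else ""
                findings.append((section, option, users))
    return findings

if __name__ == "__main__":
    for section, option, users in audit_kdmrc(SAMPLE_KDMRC):
        print(f"[{section}] {option}=true {users}".rstrip())
```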
Changed in kdebase:
assignee: nobody → kubuntu-team
Changed in kdebase:
status: Confirmed → Fix Released
status: New → Confirmed
I ran your test today. In Feisty, the KDM login screen suggests "bug" as the username, but a password is required. So in my opinion there is no security problem. I don't know the behaviour in Edgy.
Thanks for your report.