"Start new session" auto logs in as previous new session starter (only in Edgy)

Bug #103107 reported by monstermunch
Affects             Status    Importance   Assigned to   Milestone
kdebase (Ubuntu)    Invalid   Undecided    Unassigned
  Nominated for Gutsy by Sergio Zanchetta
  Nominated for Hardy by Sergio Zanchetta
Edgy                Invalid   Undecided    Unassigned

Bug Description

Binary package hint: kdm

I'm running Kubuntu 6.10.

Instructions:
Use KDM as your login manager and log in to KDE.
Open a terminal.
Type "sudo adduser bug" and fill in the details to create a new user called "bug".
Go to K-menu -> Switch User -> Start New Session.
The KDM login manager screen should appear. Log in as "bug" with your password.
Log out as "bug" and switch back to your first session (this should happen automatically).
Go to K-menu -> Switch User -> Start New Session.

What happens:
You will be automatically logged into KDE as "bug" without being asked if you wanted to or being asked for the password.

What I expected:
To be presented with the KDM login screen.

If you wait a couple of minutes before doing the final instruction, the expected behaviour happens. My KDM settings say to automatically log in on X server crash and auto-login my main (not "bug") user.

This seems like a serious security problem to me in an environment where people share machines, as it would be easy to let someone log in as your new session, wait for them to log out and then log in to their account with no password.

Tags: edgy-close
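The reporter mentions two KDM settings alongside the steps above: auto-login of the main user and automatic login after an X server crash. The following audit script is an added example, not part of the bug report or of KDM; it assumes those settings correspond to the kdmrc keys AutoLoginEnable/AutoLoginUser and AutoLoginAgain in the [X-:0-Core] section, and flags them so an administrator of a shared machine can see which unattended-login paths are enabled. The kdmrc fragment it checks is constructed for the example.

```shell
#!/bin/sh
# Added audit check (not from the bug report or from KDM). Assumption: the
# reporter's "auto-login my main user" maps to AutoLoginEnable/AutoLoginUser and
# "automatically log in on X server crash" maps to AutoLoginAgain, in [X-:0-Core].

# Write a constructed kdmrc fragment to a temp file and print its path.
make_sample_kdmrc() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
[General]
ConfigVersion=2.3

[X-:0-Core]
# constructed sample: the settings the reporter describes
AutoLoginEnable=true
AutoLoginAgain=true
AutoLoginUser=mainuser
AutoLoginDelay=0
EOF
    echo "$f"
}

# Print one finding per risky key in [X-:0-Core]; other sections are ignored.
kdm_autologin_findings() {
    awk '
        /^\[/ { sub(/[[:space:]\r]+$/, ""); insect = ($0 == "[X-:0-Core]"); next }
        !insect || /^[[:space:]]*#/ || !/=/ { next }
        {
            eq = index($0, "="); key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[[:space:]\r]/, "", key); gsub(/[[:space:]\r]/, "", val)
            if (key == "AutoLoginEnable" && tolower(val) == "true")
                print "AutoLoginEnable=true: a session can start with no password prompt"
            else if (key == "AutoLoginAgain" && tolower(val) == "true")
                print "AutoLoginAgain=true: KDM logs in again after an X server crash"
            else if (key == "AutoLoginUser" && val != "")
                print "AutoLoginUser=" val ": account entered without authentication"
        }' "$1"
}

# Return 0 when no unattended-login setting is present, 1 otherwise.
kdm_autologin_ok() {
    [ "$(kdm_autologin_findings "$1" | wc -l | tr -d ' ')" -eq 0 ]
}

sample=$(make_sample_kdmrc)
kdm_autologin_findings "$sample"
kdm_autologin_ok "$sample" && echo "no auto-login paths" || echo "shared machine: disable auto-login"
rm -f "$sample"
```

On a shared machine, setting AutoLoginEnable=false and AutoLoginAgain=false removes both unattended paths; run the check against /etc/kde3/kdm/kdmrc or wherever the distribution keeps kdmrc.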
Marco Maini (maini10) wrote :

I have run your test today. In Feisty the KDM login screen suggests "bug" as the username, but a password is required. So in my opinion there is no security problem. I don't know the behaviour in Edgy.
Thanks for your report.

Changed in kdebase:
status: Unconfirmed → Needs Info
monstermunch (monstermunch) wrote :

I've just installed Feisty and can confirm that the expected behaviour (i.e. it doesn't log in automatically) happens. However, I still have this behaviour in Edgy.

I really urge someone to look at this, because if this happens on other computers and not just mine, this is a very serious bug. By using a simple trick, you can log into anyone's account after they've just logged in and out of a new session recently.

Marco Maini (maini10) wrote :

Confirming this bug, because it needs to be tested in Edgy. If confirmed, it may be a security problem. However, in Feisty it seems fixed.

Changed in kdebase:
status: Incomplete → Confirmed
assignee: nobody → kubuntu
assignee: kubuntu → nobody
Marco Maini (maini10)
Changed in kdebase:
assignee: nobody → kubuntu-team
Changed in kdebase:
status: Confirmed → Fix Released
status: New → Confirmed
monstermunch (monstermunch) wrote :

I've just installed Kubuntu Gutsy and can confirm that this behaviour (as described in the original bug report) is now back. It was present in Edgy, fixed in Feisty and it's back in Gutsy.

monstermunch (monstermunch) wrote :

This behaviour still happens in Hardy. :-(

Changed in kdebase:
status: Fix Released → Confirmed
Sergio Zanchetta (primes2h) wrote :

The 18 month support period for Edgy Eft 6.10 has reached its end of life. As a result, we are closing the Edgy Eft task. However, please note that this report will remain open against the actively developed release. Thank you for your continued support and help as we debug this issue.

Changed in kdebase:
status: Confirmed → Invalid
Jonathan Thomas (echidnaman) wrote :

Still an issue in Intrepid?

Changed in kdebase:
assignee: kubuntu-bugs → nobody
status: Confirmed → Incomplete
Jonathan Thomas (echidnaman) wrote :

Actually, should be closed as per the comment before mine.

Changed in kdebase:
status: Incomplete → Invalid
This report contains Public Security information. Everyone can see this security related information.