lightdm DBus interface allows unlocking other user sessions
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Light Display Manager | Fix Released | High | Unassigned |
Bug Description
The lightdm DBus interface provides SwitchToUser. With this an arbitrary user can unlock another user's session.
Applications like blueproximity can run dm-tool lock and dm-tool SwitchToUser $USER to lock and unlock the user's session.
But replacing $USER with the username of another locked session will just switch to that session and unlock it.
Steps to reproduce:
log in User1
run dm-tool lock
log in User2
run dm-tool switch-to-user User1
What happens:
This will switch back to the User1 session.
I've tested this with both Arch Linux and Ubuntu Saucy.
What should happen:
If dm-tool switch-to-user isn't run by the same user as provided: It should switch to the greeter unlock screen.
If dm-tool switch-to-user is run by the same user (maybe same session too): It should unlock that session.
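The decision requested under "What should happen", written out as an added example that is not part of the original report and is not LightDM code. The function name, the enum, the account table and the uids are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

typedef enum { SWITCH_UNLOCK, SWITCH_GREETER, SWITCH_DENY } switch_action;

/* Constructed account table; a real service would resolve names with getpwnam_r(). */
static const struct { const char *name; uid_t uid; } accounts[] = {
    { "user1", 1000 }, { "user2", 1001 },
};

static bool lookup_uid(const char *name, uid_t *uid)
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0) {
            *uid = accounts[i].uid;
            return true;
        }
    return false;
}

/*
 * caller_uid must be the sender's credential as reported by the message bus,
 * never a value taken from the request. greeter_authenticated is true only
 * when the target user has just authenticated in a greeter.
 */
switch_action decide_switch(uid_t caller_uid, const char *target_user,
                            bool greeter_authenticated)
{
    uid_t target_uid;

    if (target_user == NULL || !lookup_uid(target_user, &target_uid))
        return SWITCH_DENY;      /* unknown account: fail closed */
    if (greeter_authenticated || caller_uid == target_uid)
        return SWITCH_UNLOCK;    /* credentials were checked, or owner asked */
    return SWITCH_GREETER;       /* another user asked: target must authenticate */
}

int main(void)
{
    /* Reporter's scenario: User2 (uid 1001) asks to switch to locked User1. */
    switch_action a = decide_switch(1001, "user1", false);
    printf("%s\n", a == SWITCH_GREETER ? "show greeter" : "unexpected");
    return a == SWITCH_GREETER ? 0 : 1;
}
```

Comparing uids rather than name strings keeps two names that map to the same account from being treated as different users.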
Related branches
- PS Jenkins bot: Approve (continuous-integration)
- LightDM Development Team: Pending requested
- Diff: 35 lines (+1/-7), 2 files modified:
  - src/seat.c (+1/-4)
  - tests/scripts/switch-to-greeter-new-session-logout-old.conf (+0/-3)
Changed in lightdm:
importance: Undecided → High
status: New → Triaged
information type: Private Security → Public
Changed in lightdm:
milestone: none → 1.7.10
status: Fix Committed → Fix Released
I can confirm this is a regression since 1.7.5 - LightDM was unlocking the session being switched to regardless of whether the user had authenticated in a greeter or not.
I agree that the preferred behaviour is to switch to a greeter, but we should track that as a separate feature request.
Thanks for finding this problem!