Switching users should require password authentication
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Light Display Manager | New | Undecided | Unassigned |
Bug Description
If you run "dm-tool switch-to-user foo", it requests a password to log in as the new user, but after this you can switch back and forth among those users without a password being requested anymore. This is a security problem: users should not be able to access each other without any authentication.
Think about this scenario: you have a laptop with your user. There's a new coworker who needs to use the computer, so you create an account for him. Since you don't want to close your open applications, you use the "dm-tool switch-to-user" command to keep them open, so your coworker can use the computer in his own environment. You need to leave the room to do some work outside; your coworker can get full access to your system by just running the same command.
information type: Private Security → Public Security
This is seemingly the same issue as:
http://forums.mate-desktop.org/viewtopic.php?f=2&t=3043 ('LightDM + MATE: How to lock screen on switch user?')
which I posted in the MATE forums. That is, the issue seems to be that I, Thanatermesis and no doubt quite a few others expect a user-switch to automatically lock the user (or "seat" I believe I should say) that is being switched away from, and experience this not being so as a security issue. Given that I do moreover not consider myself generally clueless, I believe it; there's going to be quite a few users that fall for this one...
I have however noticed that it was the same with LXDM and probably with GDM and therefore expect it to be by design. Even if that is true, could LightDM grow an option to enable automatic lock-on-switch-user? And set it by default, I'd say, but that's an opinion...
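
The condition described in this report, a graphical session left in the background without being locked, can be checked from systemd-logind's session properties. The following is an added example, not code from the bug report or from LightDM; it assumes the desktop's screen locker reports its state to logind through the `LockedHint` property, and the session ids and user names in the sample are constructed.

```python
"""Flag graphical user sessions that are in the background but not locked."""
import re

# Constructed sample in the key=value form printed by
# `loginctl show-session <id> ...`; ids and user names are made up.
SAMPLE = """\
Id=c2
Name=alice
Class=user
Type=x11
Active=no
State=online
LockedHint=no

Id=c5
Name=bob
Class=user
Type=x11
Active=yes
State=active
LockedHint=no

Id=c7
Name=carol
Class=user
Type=x11
Active=no
State=online
LockedHint=yes
"""

GRAPHICAL = {"x11", "wayland", "mir"}

def parse_sessions(text):
    """Split blank-line-separated property blocks into one dict per session."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [dict(l.split("=", 1) for l in b.splitlines() if "=" in l) for b in blocks]

def unlocked_background_sessions(sessions):
    """Return (id, user) for sessions reachable by a switch with no password prompt."""
    hits = []
    for s in sessions:
        if s.get("Class") != "user" or s.get("Type") not in GRAPHICAL:
            continue  # skip greeter and text-console sessions
        background = s.get("Active") == "no" and s.get("State") != "closing"
        # A missing LockedHint (assumed: older logind) is treated as not locked.
        if background and s.get("LockedHint") != "yes":
            hits.append((s.get("Id"), s.get("Name")))
    return hits

if __name__ == "__main__":
    for sid, user in unlocked_background_sessions(parse_sessions(SAMPLE)):
        print(f"session {sid} ({user}) is in the background and not locked")
```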