Ubuntu Terminal App

require screenlock password (if set)

Bug #1347010 reported by Jamie Strandboge on 2014-07-22

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Ubuntu File Manager App	Fix Released	Critical	Arto Jalkanen
	Ubuntu Terminal App	Fix Released	Critical	Unassigned

Bug Description

Ubuntu Touch will soon have the ability to set a PIN/password for the user. If the password is set, we should limit access to the terminal and the filemanager to guard against sideloading apps when lending a phone to someone who does not know the PIN/password.

For the terminal, we should unconditionally require the screenlock password when one is set on application launch. See https://ubuntu.mybalsamiq.com/projects/ubuntuphonecoreapps/Terminal%20security

For the file manager, we should allow passwordless access to MTP-exported directories, and require the screenlock password when one is set when accessing non-MTP-exported directories. This can be implemented as a button (or similar): 'Show all files' which when clicked should prompt for the password (if set). 'Show all files' should not be remembered between application invocations.

IMPORTANT: this only covers a very limited set of attack scenarios, but does guard against casual trojanning when lending a phone to a stranger. Notably, it does not cover sideloading via adb.

FYI, these changes are required for RTM, so I added the appropriate tag. The Importance should be at least 'High'.

See original description

Tags:

Related branches

lp:~ubuntu-filemanager-dev/ubuntu-filemanager-app/require-screenlock-password

Merged into lp:ubuntu-filemanager-app at revision 253

Ubuntu Phone Apps Jenkins Bot: Approve (continuous-integration) on 2014-08-15

Arto Jalkanen: Approve on 2014-08-15

Seth Arnold (community): Approve on 2014-08-15

lp:~twstd-dev/ubuntu-terminal-app/require-password-check

Merged into lp:ubuntu-terminal-app at revision 134

Ubuntu Phone Apps Jenkins Bot: Approve (continuous-integration) on 2014-09-04

Alan Pope 🍺🐧🐱 🦄 (community): Approve on 2014-08-29

Victor Thompson (community): Needs Information on 2014-08-27

Revision history for this message

David Planella (dpm) wrote on 2014-07-23:

- Is there an API for applications to request the status of the screenlock password?
- How can file manager determine if a directory is being exported over MTP?

Changed in ubuntu-filemanager-app:
status:	New → Incomplete
Changed in ubuntu-terminal-app:
status:	New → Incomplete

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2014-07-23:

> - Is there an API for applications to request the status of the screenlock password?

mterry told me you can do something like this:
09:02 < mterry> sudo -u phablet -i gdbus call --session
                --dest=com.canonical.UnityGreeter --object-path=/list
                --method=org.freedesktop.DBus.Properties.Get
                com.canonical.UnityGreeter.List EntryIsLocked

(you can make that an API call of course). Please talk to mterry if you have
questions with this API.

> - How can file manager determine if a directory is being exported over MTP?
>
09:17 < cyphermox> jdstrand: it's any files in the Downloads, Music, Documents,
                   Pictures, and Videos directories; that's all there is to it.
                   recognized extensions will get the files tagged as a
                   particular type, but they aren't filtered in any way

If you have other question regarding mtp, please talk to cyphermox.

Changed in ubuntu-filemanager-app:
status:	Incomplete → New
Changed in ubuntu-terminal-app:
status:	Incomplete → New

Jamie Strandboge (jdstrand) on 2014-07-24

tags:	added: rtm14
description:	updated

David Planella (dpm) on 2014-07-25

Changed in ubuntu-filemanager-app:
status:	New → Triaged
importance:	Undecided → High
Changed in ubuntu-terminal-app:
status:	New → Triaged
importance:	Undecided → High

Revision history for this message

Michael Terry (mterry) wrote on 2014-07-25:

And the following will tell you if the greeter is currently up:

sudo -u phablet -i gdbus call --session --dest=com.canonical.UnityGreeter --object-path=/ --method=org.freedesktop.DBus.Properties.Get com.canonical.UnityGreeter IsActive

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2014-07-25:

For this to work, the applications need to go through the PAM stack. This can serve as an example:
http://bazaar.launchpad.net/~unity-team/unity/trunk/view/head:/lockscreen/UserAuthenticatorPam.cpp

The solution for these apps should ideally be broken out into a library that both the terminal and the filemanager could use.

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2014-07-25:

Also, please have the ubuntu-security team audit this authentication plugin/library.

David Planella (dpm) on 2014-07-25

description:

updated

Revision history for this message

Arto Jalkanen (ajalkane) wrote on 2014-07-29:

I have changed importance to Critical, because without this fix it seems likely FileManager won't be allowed into store.

Changed in ubuntu-filemanager-app:
importance:	High → Critical

David Planella (dpm) on 2014-07-31

Changed in ubuntu-terminal-app:
importance:	High → Critical

David Planella (dpm) on 2014-08-01

Changed in ubuntu-filemanager-app:
assignee:	nobody → Arto Jalkanen (ajalkane)

Revision history for this message

Arto Jalkanen (ajalkane) wrote on 2014-08-06:

> mterry told me you can do something like this:
> 09:02 < mterry> sudo -u phablet -i gdbus call --session
> --dest=com.canonical.UnityGreeter --object-path=/list
> --method=org.freedesktop.DBus.Properties.Get
> com.canonical.UnityGreeter.List EntryIsLocked

This seems to only work if "Passphrase" is selected. When choosing from "Swipe (no security)" into "4-digit passcode", then this call still returns "false".

I'm using image 175 (devel-proposed). But anyway, I assume this is a something that's a bug in the backend and I can use the same DBus interface to query either type of lock type.

Revision history for this message

Michael Terry (mterry) wrote on 2014-08-07:

EntryIsLocked is only updated when the screen is turned off. So if you update your password type, it won't notice until you lock the screen. A bug, but not one that has affected anyone yet.

Thinking about what you'll need to implement this, it's probably better for you to query AccountsService's PasswordMode property for the current user -- if it is 2, they are in swipe mode, 0 for having set a password of some sort. And also the PasswordDisplayHint property on the com.ubuntu.AccountsService.SecurityPrivacy interface for the current user in AccountsService -- this will tell you whether it's a passcode (1) or passphrase (0).

Then you'd need to use PAM to actually authenticate.

Looking back at the description of this bug... Can a user do anything super awful in Terminal that they can't do using the phone in general? Anything that requires sudo will require the user's passcode already.

Revision history for this message

Arto Jalkanen (ajalkane) wrote on 2014-08-07:

> Thinking about what you'll need to implement this, it's probably better for you to query AccountsService's PasswordMode property for the current user

This seems more proper. I was looking at AccountService if it'd have ready method to validate password instead of using PAM directly. It did not, but I didn't happen to think about if it'd have some interface to query the lock status.

But I don't have time to change using AccountService APIs in this timeframe, but surely this is something that should be looked into in future.

> Looking back at the description of this bug... Can a user do anything super awful in Terminal that they can't do using the phone in
> general? Anything that requires sudo will require the user's passcode already.

The same, if more so, applies to FileManager (which is quite restricted in functionality compared to the power of terminal commands).

Revision history for this message

Ubuntu Phone Apps Jenkins Bot (ubuntu-phone-apps-jenkins-bot) wrote on 2014-08-15:

#10

Fix committed into lp:ubuntu-filemanager-app at revision 253, scheduled for release in ubuntu-filemanager-app, milestone alpha-1

Changed in ubuntu-filemanager-app:
status:	Triaged → Fix Committed

Revision history for this message

Olli Ries (ories) wrote on 2014-08-27:

#11

what is the status of this bug, is there anything we can help with?

Revision history for this message

Ubuntu Phone Apps Jenkins Bot (ubuntu-phone-apps-jenkins-bot) wrote on 2014-09-04:

#12

Fix committed into lp:ubuntu-terminal-app at revision 134, scheduled for release in ubuntu-terminal-app, milestone alpha-1

Changed in ubuntu-terminal-app:
status:	Triaged → Fix Committed

Alan Pope 🍺🐧🐱 🦄 (popey) on 2014-09-09

Changed in ubuntu-filemanager-app:
status:	Fix Committed → Fix Released
Changed in ubuntu-terminal-app:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.