It's possible to bypass lockscreen if user is in nopasswdlogin group.
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Unity | Fix Released | Medium | Andrea Azzarone | |
7.2 | In Progress | Medium | Stephen M. Webb | |
unity (Ubuntu) | Fix Released | Medium | Andrea Azzarone | |
Trusty | Fix Released | Medium | Stephen M. Webb | |
Bug Description
[IMPACT]
A user is presented with a password dialog even if a member of the nopasswdlogin group (and may not have a password).
[TEST CASE]
(1) Create a test user.
(2) Add the test user to the nopasswdlogin group.
(3) Log in to a Unity session using that account.
(4) Lock the screen.
(5) Attempt to unlock the screen: no password prompt should be presented.
[REGRESSION POTENTIAL]
Conceivably allowing a login with no authentication could present unexpected vulnerabilities in which unforeseen code paths also exercise this function. Care has been taken by the developer to avoid such cases.
[OTHER INFO]
The fix for Ubuntu 14.04 LTS was cherry picked from the Ubuntu "Vivid Vervet" dev release where it has been in production use for some time without apparent regression.
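An added audit check, not part of the original bug report or of the Unity code: it lists every account that belongs to the nopasswdlogin group, whether through the group's member list or through its primary GID, since these are the accounts whose lock screen unlocks without a password. The function name `nopasswd_members` and the sample accounts are constructed for illustration; the file layouts are the standard group(5) and passwd(5) formats.

```shell
#!/bin/sh
# Added example: find the accounts that are members of nopasswdlogin.

# nopasswd_members GROUP_FILE PASSWD_FILE [GROUP_NAME]
# Prints one user name per line, sorted and de-duplicated.
nopasswd_members() {
    group_file=$1
    passwd_file=$2
    group_name=${3:-nopasswdlogin}

    # group(5) line: name:password:GID:user1,user2,...
    gid=$(awk -F: -v g="$group_name" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 0   # group not defined: no account is exempt

    {
        # Supplementary members, listed in the fourth field of the group line.
        awk -F: -v g="$group_name" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        # passwd(5) line: name:password:UID:GID:... ; a matching primary GID
        # also makes the account a member, although the group line omits it.
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
    } | sort -u
}

# Constructed sample data (not taken from a real system).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/group" <<'EOF'
sudo:x:27:alice
nopasswdlogin:x:130:kiosk,guest
EOF
cat > "$sample_dir/passwd" <<'EOF'
alice:x:1000:1000:Alice:/home/alice:/bin/bash
kiosk:x:1001:1001:Kiosk:/home/kiosk:/bin/bash
guest:x:1002:1002:Guest:/home/guest:/bin/bash
demo:x:1003:130:Demo:/home/demo:/bin/bash
EOF

nopasswd_members "$sample_dir/group" "$sample_dir/passwd"
# On a live system: nopasswd_members /etc/group /etc/passwd
```
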
Related branches
- Stephen M. Webb (community): Approve
- PS Jenkins bot (community): Approve (continuous-integration)
- Diff: 54 lines (+18/-1), 2 files modified
  - UnityCore/GnomeSessionManager.cpp (+16/-1)
  - UnityCore/GnomeSessionManagerImpl.h (+2/-0)
- Christopher Townsend: Approve
- Diff: 54 lines (+18/-1), 2 files modified
  - UnityCore/GnomeSessionManager.cpp (+16/-1)
  - UnityCore/GnomeSessionManagerImpl.h (+2/-0)
no longer affects: | unity (Ubuntu) |
description: | updated |
summary: |
- Lightdm should not emit logind "unlock" signal when the user is in nopasswdlogin group.
+ It's possible to bypass lockscreen if user is in nopasswdlogin group. |
no longer affects: | gnome-session (Ubuntu) |
Changed in unity: | |
milestone: | none → 7.3.1 |
assignee: | nobody → Andrea Azzarone (andyrock) |
Changed in unity (Ubuntu): | |
assignee: | nobody → Andrea Azzarone (andyrock) |
Changed in unity: | |
status: | New → In Progress |
Changed in unity (Ubuntu): | |
status: | New → In Progress |
Changed in lightdm (Ubuntu): | |
status: | New → Invalid |
Changed in lightdm: | |
status: | New → Invalid |
no longer affects: | lightdm (Ubuntu) |
no longer affects: | lightdm |
Changed in unity: | |
status: | In Progress → Fix Committed |
Changed in unity: | |
status: | Fix Committed → Fix Released |
Changed in unity: | |
importance: | Undecided → Medium |
Changed in unity (Ubuntu): | |
importance: | Undecided → Medium |
Changed in unity (Ubuntu Trusty): | |
status: | New → In Progress |
importance: | Undecided → Medium |
assignee: | nobody → Stephen M. Webb (bregma) |
description: | updated |
tags: |
added: verification-done removed: verification-needed |
Not sure who's emitting the "unlock" signal: lightdm or gnome-session or what?