Unity Lockscreen still shows unlocked desktop while shutting down
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
indicator-session (Ubuntu) | Fix Released | High | Andrea Azzarone |
Trusty | Fix Released | High | Andrea Azzarone |
unity (Ubuntu) | Fix Released | High | Andrea Azzarone |
Trusty | Fix Released | High | Andrea Azzarone |
Bug Description
This was reported and supposedly fixed in https:/
[Impact and Test Case]
Steps to reproduce:
1 - Log into Unity
2 - Open a terminal.
3 - Lock the screen
4 - From the lockscreen, tell the computer to shut down / restart
Expected behavior:
* Session programs are closed while the screen is still locked
* During shutdown, no user interaction is possible
Observed behavior:
* The lockscreen is gone immediately, with the rest of compiz (e.g. window decorations are not present)
* But it's possible to interact with programs that are still running in the session for about 3 seconds
Observed on an updated Trusty machine, running unity version 7.2.5+14.
This bug is a security vulnerability because during those 3 seconds it could be possible to access and interact with sensitive information. Yes, it's short, but you could take a picture or even rm -rf / if there happened to be a root console available.
=====
[Impact]
A lockscreen should hide the screen content no matter what. At the moment there is no easy way to provide a good shutdown experience if the screen is locked, so it's better to disable it. Please note that you can still shut down the system if the screen is locked by just switching to unity-greeter using "Switch Account..." (it's safe in this case).
Needs to be backported to 14.04 LTS because it can affect security.
[Test Case]
1 - Lock the screen
2 - Push the hw shutdown button.
3 - Make sure that there is no shutdown option in the end of session dialog.
1 - Lock the screen
2 - Open the session indicator
3 - Make sure there is no shutdown option in the drop down menu
[Regression Potential]
None.
Related branches
- Marco Trevisan (Treviño): Approve
Diff: 113 lines (+40/-15), 2 files modified
debian/changelog (+14/-0)
src/service.c (+26/-15)
- Marco Trevisan (Treviño): Approve
- PS Jenkins bot (community): Approve (continuous-integration)
Diff: 62 lines (+11/-9), 1 file modified
src/service.c (+11/-9)
- Marco Trevisan (Treviño): Approve
- PS Jenkins bot (community): Needs Fixing (continuous-integration)
Diff: 12 lines (+1/-1), 1 file modified
UnityCore/GnomeSessionManager.cpp (+1/-1)
- Andrea Azzarone (community): Approve
Diff: 1554 lines (+547/-141), 43 files modified
CMakeLists.txt (+1/-1)
ChangeLog (+182/-0)
UnityCore/GLibDBusProxy.cpp (+16/-3)
UnityCore/GnomeSessionManager.cpp (+6/-1)
dash/DashController.cpp (+2/-0)
dash/DashController.h (+0/-1)
dash/DashView.cpp (+72/-32)
dash/DashView.h (+3/-3)
dash/PlacesGroup.cpp (+13/-2)
dash/PlacesGroup.h (+1/-0)
dash/ResultView.cpp (+25/-0)
dash/ResultView.h (+6/-4)
dash/ResultViewGrid.cpp (+29/-13)
dash/ScopeView.cpp (+20/-22)
dash/ScopeView.h (+2/-0)
debian/changelog (+51/-0)
decorations/DecoratedWindow.cpp (+5/-0)
decorations/DecoratedWindow.h (+1/-0)
decorations/DecorationsManager.cpp (+5/-1)
hud/HudButton.cpp (+0/-5)
hud/HudController.cpp (+2/-0)
hud/HudController.h (+0/-1)
launcher/DeviceNotificationDisplayImp.cpp (+0/-1)
launcher/LauncherController.cpp (+2/-2)
launcher/LauncherIcon.cpp (+9/-4)
panel/PanelView.cpp (+18/-0)
panel/PanelView.h (+1/-0)
plugins/unityshell/src/unityshell.cpp (+16/-2)
plugins/unityshell/unityshell.xml.in (+6/-0)
unity-shared/BGHash.cpp (+5/-2)
unity-shared/CompizUtils.cpp (+0/-3)
unity-shared/OverlayRenderer.cpp (+2/-0)
unity-shared/OverlayScrollView.cpp (+5/-1)
unity-shared/OverlayScrollView.h (+2/-0)
unity-shared/OverlayWindowButtons.cpp (+3/-3)
unity-shared/PlacesOverlayVScrollBar.cpp (+5/-0)
unity-shared/PlacesOverlayVScrollBar.h (+8/-6)
unity-shared/PluginAdapter.cpp (+5/-1)
unity-shared/SearchBar.cpp (+9/-23)
unity-shared/SearchBar.h (+1/-3)
unity-shared/UnitySettings.cpp (+6/-1)
unity-shared/UnitySettings.h (+1/-0)
unity-shared/WindowButtons.cpp (+1/-0)
Changed in unity:
assignee: nobody → Andrea Azzarone (azzar1)
Changed in unity (Ubuntu):
assignee: nobody → Andrea Azzarone (azzar1)
Changed in unity:
importance: Undecided → High
Changed in indicator-session (Ubuntu):
assignee: nobody → Andrea Azzarone (azzar1)
importance: Undecided → High
Changed in unity (Ubuntu):
importance: Undecided → High
Changed in unity:
status: New → In Progress
Changed in indicator-session (Ubuntu):
status: New → In Progress
Changed in unity (Ubuntu):
status: New → In Progress
description: updated
description: updated
Changed in unity:
status: In Progress → Fix Committed
Changed in unity:
milestone: none → 7.3.3
status: Fix Committed → Fix Released
Changed in indicator-session (Ubuntu Trusty):
status: New → In Progress
Changed in unity (Ubuntu Trusty):
status: New → In Progress
Changed in indicator-session (Ubuntu Trusty):
importance: Undecided → High
Changed in unity (Ubuntu Trusty):
importance: Undecided → High
Changed in indicator-session (Ubuntu Trusty):
assignee: nobody → Andrea Azzarone (azzar1)
Changed in unity (Ubuntu Trusty):
assignee: nobody → Andrea Azzarone (azzar1)
information type: Public → Public Security
no longer affects: unity
no longer affects: unity/7.2
Andrea, this bug is just a new filing for https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1370017 which is still not fixed in Trusty. The verification instructions in that bug were wrong, and thus it's marked as "Fix Released" when it's actually not fixed at all.
If it has actually been fixed in vivid, maybe the backported patch missed something?