Lock can be circumvented by switching tty when using lightdm
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lightdm (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
Steps to reproduce (only works on X11, not on wayland):
1) install lightdm
a) run "sudo apt install lightdm" on a fresh 18.04 install of ubuntu
b) switch to lightdm with "sudo dpkg-reconfigure gdm3"
c) reboot to make the login manager switch take effect
2) log in to your account
3) click switch user (clicking lock should also work) in the dropdown in the top right corner
4) switch to a different tty (ctrl+alt+f2 for example)
5) switch back to your original tty (with lightdm usually tty 7)
You are now logged back in your account without having to type your password.
I have marked lightdm as the vulnerable package because all I had to do to reproduce the issue was install lightdm with "sudo apt install lightdm" and then switch to lightdm with "sudo dpkg-reconfigure gdm3".
So I think something should either be changed in lightdm or in dpkg-reconfigure.
I have been told that I should be using light-locker instead of dm-tool, but I have no idea what those things are, or how to switch between them; I'm just clicking switch user.
The user does not know, and is never informed of the existence of these tools.
Since neither apt nor dpkg-reconfigure warns me that I should use light-locker instead of dm-tool, I think this is still a security vulnerability, because a user that wants to use lightdm and installs it by quickly searching online for "how to switch login managers" will not be informed of this vulnerability.
Extra info:
ubuntu 18.04 (fully up to date)
lightdm version 1.26.0-0ubuntu1
affects: | lxsession (Ubuntu) → lightdm (Ubuntu) |
description: | updated |
tags: | added: community-security |
information type: | Private Security → Public Security |
Thanks for taking the time to report this bug and helping to make Ubuntu better.
LightDM has an internal tool called dm-tool which provides some features for minimalist
window managers. Although it provides this tool, because of the many locking issues
it is not recommended to use it. So an alternative screen-locker application is necessary
to provide better security, one of them is light-locker, but there are many others.
Could you please install light-locker and test if the issue continues?
sudo apt install light-locker
For more information on light-locker: https://github.com/the-cavalry/light-locker
If you still would like to see this implemented on LightDM, I would recommend going to the link
below and asking on the issues section. Please understand that this might never be implemented
by the developers and they might comment why.
https://github.com/CanonicalLtd/lightdm
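
A host-side check for the situation discussed in this report, added here as an example (it is not part of the original bug report or of LightDM): it reports whether LightDM is the default display manager and whether the light-locker package is installed. It assumes the Debian/Ubuntu file /etc/X11/default-display-manager; the function names and result labels are hypothetical.

```shell
#!/bin/sh
# Added example: flag hosts where LightDM is the default display manager
# but the light-locker package is not installed.
# Assumption: Debian/Ubuntu layout. Function names and labels are hypothetical.

# Print the basename of the configured default display manager, e.g. "lightdm".
# Fails if the file is unreadable or empty.
default_dm() {
    [ -r "$1" ] || return 1
    dm_path=$(sed -n '/./{p;q;}' "$1")   # first non-empty line
    [ -n "$dm_path" ] || return 1
    basename "$dm_path"
}

# True if dpkg reports the package as fully installed.
pkg_installed() {
    dpkg-query -W -f='${Status}' "$1" 2>/dev/null | grep -q 'install ok installed'
}

# classify FILE [LOCKER_CHECK]
# Prints one of: unknown, not-lightdm, lightdm-with-locker, lightdm-no-locker.
# LOCKER_CHECK is the command used to test for light-locker
# (default: pkg_installed); it is a parameter so the logic can be tested.
classify() {
    dm_file=$1
    locker_check=${2:-pkg_installed}
    dm=$(default_dm "$dm_file") || { echo unknown; return 0; }
    if [ "$dm" != lightdm ]; then
        echo not-lightdm
    elif "$locker_check" light-locker; then
        echo lightdm-with-locker
    else
        echo lightdm-no-locker
    fi
}

# Report for this host; DM_FILE can be overridden in the environment.
classify "${DM_FILE:-/etc/X11/default-display-manager}"
```

A result of `lightdm-with-locker` only shows that the package is installed, not that the locker is running in the user's session.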