Lock can be circumvented by switching tty when using lightdm

Bug #1806961 reported by smurfendrek
This bug affects 6 people
Affects: lightdm (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

Steps to reproduce (only works on X11, not on wayland):
1) install lightdm
  a) run "sudo apt install lightdm" on a fresh 18.04 install of ubuntu
  b) switch to lightdm with "sudo dpkg-reconfigure gdm3"
  c) reboot to make the login manager switch take effect
2) log in to your account
3) click switch user (clicking lock should also work) in the dropdown in the top right corner
4) switch to a different tty (ctrl+alt+f2 for example)
5) switch back to your original tty (with lightdm usually tty 7)

You are now logged back in your account without having to type your password.

I have marked lightdm as the vulnerable package because all I had to do to reproduce the issue was install lightdm with "sudo apt install lightdm" and then switch to lightdm with "sudo dpkg-reconfigure gdm3"

So I think something should either be changed in lightdm or in dpkg-reconfigure.

I have been told that I should be using light-locker instead of dm-tool, but I have no idea what those things are, or how to switch between them, I'm just clicking switch user.
The user does not know, and is never informed of the existence of these tools.

Since neither apt nor dpkg-reconfigure warns me that I should use light-locker instead of dm-tool, I think this is still a security vulnerability, because a user that wants to use lightdm and installs it by quickly searching online for "how to switch login managers" will not be informed of this vulnerability.

Extra info:
ubuntu 18.04 (fully up to date)
lightdm version 1.26.0-0ubuntu1

affects: lxsession (Ubuntu) → lightdm (Ubuntu)
description: updated
Eduardo Barretto (ebarretto) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better.
LightDM has an internal tool called dm-tool which provides some features for minimalist
window managers. Although it provides this tool, because of the many locking issues
it is not recommended to use it. So an alternative screen-locker application is necessary
to provide better security, one of them is light-locker, but there are many others.

Could you please install light-locker and test if the issue continues?
sudo apt install light-locker

For more information on light-locker:
https://github.com/the-cavalry/light-locker

If you still would like to see this implemented on LightDM, I would recommend going to the link
below and asking on the issues section. Please understand that this might never be implemented
by the developers and they might comment why.
https://github.com/CanonicalLtd/lightdm

smurfendrek (smurfendrek123) wrote :

Installing light-locker does indeed fix the issue.

But my problem is not that lightdm is insecure, but that the user is not alerted of this insecurity, and can introduce serious vulnerabilities into their system by doing seemingly innocent customizations.

I think this could just be fixed by adding light-locker as a dependency for lightdm.

smurfendrek (smurfendrek123) wrote :

Disregard my previous comment, installing light-locker does NOT fix the issue. (I was accidentally testing it on wayland :s)

So adding light-locker as a dependency will not work, and I think that if the lightdm developers are not willing to fix the issue, we should just remove the package from future releases of ubuntu.

I have read that it doesn't seem to be lightdm's fault that this happens, but I don't know who is responsible then? I've read that apparently they just call "loginctl lock-session", but this does nothing. Should that be fixed perhaps?

Eduardo Barretto (ebarretto) wrote :

Hi smurfendrek,

How did you lock your session? keyboard shortcuts?

Have you executed the following after install?
$ light-locker
$ light-locker-command -l

I will try later today to reproduce this.

smurfendrek (smurfendrek123) wrote :

I locked my session by clicking the lock icon in the top right.

I did run light-locker, but not light-locker-command -l

I will try doing this.

smurfendrek (smurfendrek123) wrote :

Running light-locker-command -l gives me this output:

** Message: 14:57:09.230: Received error message from the locker: GDBus.Error:org.freedesktop.DBus.Error.NotSupported: This method is not implemented

Eduardo Barretto (ebarretto) wrote :

It looks like light-locker is not running, please check this: https://github.com/the-cavalry/light-locker/issues/97

Eduardo Barretto (ebarretto) wrote :

Is there a particular reason for using LightDM instead of GDM?
I am asking this because I was looking at your previous comment:
'So adding light-locker as a dependency will not work, and I think that
if the lightdm developers are not willing to fix the issue, we should just
remove the package from future releases of ubuntu.'

And it looks like you want a 'one solution fits all' kind of environment.
If this is what you are looking for, you should install a DE (desktop environment,
such as Gnome or KDE) and stick with it.
If you want to customize/change components or even not depend on a DE, then you need
to understand that each package has a specific purpose and that you will have to search
for optional dependencies to achieve what you want.
We cannot add light-locker as a dependency to LightDM because it is not true, you
could install any other alternative screenlocker, not necessarily light-locker.
The more you want to make things your way, the more you need to know and search.

I hope I answered your doubt on why this is not a problem of LightDM.

Regarding the problems you are facing with light-locker I think it is misconfiguration
and I will help you on this, it might turn out to be a real problem that we will need
to report.

smurfendrek (smurfendrek123) wrote :

I'm reporting this bug, not for personal reasons, but out of concern for users that just like the look of lightdm, and install lightdm without thinking more about it. They get no warnings, and they open themselves up to a massive vulnerability, while the proper configuration should have been done automatically either by dpkg-reconfigure or by apt itself.

This is not an issue I ran into myself, but an issue I found on the computers at the cs department of my university. The computers there are used by multiple people with a sso system. This exploit allowed me full access to the user accounts of a significant amount of users, all because a sysadmin was unaware of this problem.

I agree that adding light-locker as a dependency might not be the best solution, but there should at least be warnings.

smurfendrek (smurfendrek123) wrote :

I tried applying the fix in the light locker issue. However that did not help (even after rebooting):

frederik@frederik-Standard-PC-i440FX-PIIX-1996:~$ cat ~/.config/autostart/org.gnome.SettingsDaemon.ScreensaverProxy.desktop
[Desktop Entry]
Hidden=false
frederik@frederik-Standard-PC-i440FX-PIIX-1996:~$ light-locker

** (light-locker:2868): WARNING **: 15:46:00.883: screensaver already running in this session
frederik@frederik-Standard-PC-i440FX-PIIX-1996:~$ light-locker-command -l
** Message: 15:46:03.636: Received error message from the locker: GDBus.Error:org.freedesktop.DBus.Error.NotSupported: This method is not implemented

Eduardo Barretto (ebarretto) wrote :

Just a quick check, did you reboot after creating the file ~/.config/autostart/org.gnome.SettingsDaemon.ScreensaverProxy.desktop ? Because it looks like it is still running the ScreensaverProxy

smurfendrek (smurfendrek123) wrote :

Yes, I have rebooted, and I ran the commands again, and still it gives the same output, and the exploit persists.

Eduardo Barretto (ebarretto) wrote :

Can you please try the following?

gsettings get org.gnome.settings-daemon.plugins.screensaver-proxy active

If it returns true, would you please run this:

gsettings set org.gnome.settings-daemon.plugins.screensaver-proxy active false

Hopefully this will allow light-locker to run again.

I will start a VM and run some tests and see if I reproduce.

Thanks so far for all the testing and info.

Changed in lightdm (Ubuntu):
status: New → Invalid
status: Invalid → New
smurfendrek (smurfendrek123) wrote :

Running the gsettings commands and then light-locker does not help, it gives the same output still.

Eduardo Barretto (ebarretto) wrote :

Yep, I was able to reproduce here, and it seems like light-locker is not working well with the current version of Gnome (or LightDM) on bionic. My suggestion is that you create a bug on light-locker's github page and try to get some feedback from them. My other suggestion is to install another screen locker if you still want to use LightDM (apt search screen lock ... should give you a pair of tools available). If LightDM is not really a necessity, then perhaps you stick with GDM+Gnome (GNOME DE). There's not much else that we can do from our side, this needs to be taken care of by upstream developers in any of the projects (LightDM or light-locker).
Thanks for trying it and helping investigate. If you run into any other problems feel free to report to us in a new bug.

Changed in lightdm (Ubuntu):
status: New → Invalid
status: Invalid → New
smurfendrek (smurfendrek123) wrote :

But in the meantime, don't you think that there should be a warning when using lightdm because it is impossible to use it securely?

Eduardo Barretto (ebarretto) wrote :

Thanks for reporting it to upstream.
LightDM and light-locker for Ubuntu 18.04 are in universe, which is community
maintained. So there's nothing else that we can do.
I would appreciate it if you continue to coordinate with upstream and if there's
a new fixed version of any of the packages feel free to inform here in this
ticket and to post a debdiff to this issue.
Whenever a community user posts a debdiff for a universe package, we members of
the security team will review it and publish the package. For more information
see: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

I will turn this ticket Public, so any other users can be aware of issues when
combining those packages. This is the warning that we can publish. Are you ok
with making this public?

Changed in lightdm (Ubuntu):
status: New → Confirmed
smurfendrek (smurfendrek123) wrote :

Yes, making it public is okay with me.

tags: added: community-security
information type: Private Security → Public Security
m0nad (victornrm) wrote :

I'm commenting to let other people know and be aware that this issue persists on Ubuntu 20.04 with lightdm 1.30.0
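
A triage check for hosts like the ones discussed in this thread, added here as an example; it is not part of any comment above and is not code from LightDM or light-locker. It classifies a session from the observations the thread relies on (default display manager, X11 versus Wayland, whether light-locker is running, the screensaver-proxy setting); the function names and result labels are assumptions made for this example, and the `/etc/X11/default-display-manager` path is the Debian/Ubuntu convention rather than something quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): triage a desktop host for the lock
# bypass described in this bug. Function names and labels are made up here.

# assess_lock DM_PATH SESSION_TYPE PROCESS_NAMES PROXY_ACTIVE
#   DM_PATH        contents of /etc/X11/default-display-manager
#   SESSION_TYPE   value of $XDG_SESSION_TYPE (x11, wayland, ...)
#   PROCESS_NAMES  newline-separated process names owned by the user
#   PROXY_ACTIVE   output of the "gsettings get ... screensaver-proxy active"
#                  command quoted in the thread
assess_lock() {
    dm=${1##*/}                      # strip directory, e.g. /usr/sbin/lightdm
    if [ "$dm" != "lightdm" ]; then
        echo "not-applicable"        # this report concerns lightdm only
    elif [ "$2" != "x11" ]; then
        # The reporter got a false "fixed" result by testing on Wayland.
        echo "retest-on-x11"
    elif ! printf '%s\n' "$3" | grep -qx 'light-locker'; then
        echo "no-locker"             # light-locker is not running in the session
    elif [ "$4" = "true" ]; then
        # In the thread, an active GNOME ScreensaverProxy was the suspected
        # reason light-locker reported "screensaver already running".
        echo "locker-blocked"
    else
        # A running locker was not sufficient on bionic in this thread, so
        # the reproduction steps still have to be repeated by hand.
        echo "verify-manually"
    fi
}

# Gather the four observations on the live system and classify them.
collect_and_assess() {
    dm_path=$(cat /etc/X11/default-display-manager 2>/dev/null)
    procs=$(ps -u "$(id -u)" -o comm= 2>/dev/null)
    proxy=$(gsettings get org.gnome.settings-daemon.plugins.screensaver-proxy active 2>/dev/null)
    assess_lock "$dm_path" "${XDG_SESSION_TYPE:-unknown}" "$procs" "$proxy"
}

# Run against the live session only when asked to: ./script --live
if [ "${1:-}" = "--live" ]; then
    collect_and_assess
fi
```

No result from this check means the lock is effective; on a lightdm host the steps from the bug description remain the deciding test.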
