local screen unlocked by remote connection via VNC

Bug #484476 reported by Paolino Paperino
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
One Hundred Papercuts
Invalid
Undecided
Unassigned
vino (Ubuntu)
Won't Fix
Wishlist
Unassigned

Bug Description

If one leaves the system with the screen locked and then do connect remotely to it via VNC protocol, the screen gets unlocked also *locally*, so a person physically attending in front of the workstation can access to the system *without* password and then interfere and/or eavesdrop the remote session.
Conversely, with terminal services on Windows, the screen stays rightly locked during remote sessions. On Ubuntu via VNC there should be the same behavior.

Sorry for bad English, I am Italian-only speaking.

visibility: private → public
Revision history for this message
Ludwin Janvier (lud-janvier) wrote :

In fact, it depends on the way you launched you vnc server.
When I launch a new vnc server (command "vncserver"), it starts a new X server with a virtual screen. This is really secure, because there are no physical screen attached to it, so a bad guy in front of the workstation can't access it.

Which tool/command are you using to start your vnc server ?

I think a real X server shared with VNC should not be locked when a VNC client is connecting :a lot of people (hum... me) are using this behavior to remotely help and train my end-users.

Revision history for this message
Ludwin Janvier (lud-janvier) wrote :

I think you're using x11vnc to access your real X server. There's an answer about this in its FAQ:
http://www.karlrunge.com/x11vnc/faq.html#faq-blockdpy

Revision history for this message
Paolino Paperino (paolinodnlms) wrote :

Hi, actually I did not start the vnc server from commandline, I started it as a normal user would do, from System -> Preferences -> Remote desktop.
The way this utility ("vino") behaves expose the average user accustomed to Microsoft's remote desktop to a serious security breach.
I wasn't able to find out a vncserver in KK, it is not n path and there is nothing too in /etc/init.d/v*.
I have not idea what weird way vnc server is implemented to in KK.

Revision history for this message
Ludwin Janvier (lud-janvier) wrote :

There's no "weird way" for vnc server in KK. You just have to install it :
sudo apt-get install vnc4server
or
sudo apt-get install tightvncserver
at your option.

There won't be a vnc service: each user can run as many "vncserver" he needs.

Revision history for this message
Paolino Paperino (paolinodnlms) wrote :

I am actually speaking about "vino" the vnc server (yes, it speaks vnc protocol) that comes with KK as default.Do you think the average user has the skills to install his own alternate vnc server? Think about the average Windows user...
IMHO the average user should have the same functionalities as M$ RDP with same ease of use and security. At this moment the RD implementation in KK is in my opinion insecure.

affects: ubuntu → vino (Ubuntu)
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Confirmed, a remote user connecting to vino actually controls the physical computer's screen.

Changed in vino (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
Revision history for this message
Vish (vish) wrote :

Thank you for bringing this bug to our attention. However, a paper cut should be a small usability issue, in the default Ubuntu install, that affects many people and is quick and easy to fix. So this bug can't be addressed as part of this project.

- Though this is a security flaw , we do not expect an average user to use VNC and remote connection. Not a papercut
For further information about papercuts criteria, please read https://wiki.ubuntu.com/PaperCut.

Don't worry though, this bug has been marked as "Invalid" only in the papercuts project.

Changed in hundredpapercuts:
status: New → Invalid
Revision history for this message
Jamie Strandboge (jdstrand) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. The issue you are reporting is an upstream one and it would be nice if somebody having it could send the bug to the developers of the software by following the instructions at https://wiki.ubuntu.com/Bugs/Upstream/GNOME. If you have done so, please tell us the number of the upstream bug (or the link), so we can add a bugwatch that will inform us about its status. Since this bug has received no activity for a year, I am marking the Ubuntu task as "Won't Fix" for now. If there is progress made on this bug such that a developer can incorporate the changes into Ubuntu, please reopen/file a new bug. Thanks in advance.

Changed in vino (Ubuntu):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.