Security flaw that current session is NOT locked when switch user is invoked
Bug #48450 reported by
Julian Yap
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| gnome-screensaver (Ubuntu) |
Invalid
|
Medium
|
Unassigned | ||
Bug Description
This also relate to Launchpad bug 47005 where I have added additional comments.
To reproduce bug:
1. Log in as user 'A'. X session starts up on Virtual Console 7.
2. Invoke the 'Quit...' dialog.
3. Click on 'Switch User'. Another GDM login screen is started up on Virtual Console 8.
4. Switch back to Virtual Console 7 using CTRL+ALT+7. Session is NOT locked and you are free to do as you please as user 'A'.
This is a regression from Breezy which employed XScreensaver vs. Gnome Screensaver and used gdmflexiserver as the Fast User switching mechanism.
Revision history for this message
| Sebastien Bacher (seb128) wrote | #1 |
Revision history for this message
| Timo Aaltonen (tjaalton) wrote | #2 |
Revision history for this message
| Timo Aaltonen (tjaalton) wrote | #3 |
Revision history for this message
| Kees Cook (kees) wrote | #4 |
| Changed in gnome-screensaver: | |
| status: | Unconfirmed → Needs Info |
Revision history for this message
| Daniel Holbach (dholbach) wrote | #5 |
| Changed in gnome-screensaver: | |
| status: | Needs Info → Rejected |
To post a comment you must log in.
Thanks for your bug. gnome-screensaver locks the screen when gdmflexiserver is launched on my dapper installation, maybe that's an issue on your installation. Reassigning to gnome-screensaver any, gnome-session just call gdmflexiserver and gnome-screensaver should do the locking