Ubuntu
indicator-session package

Guest users can resturn to admin with no password prompt

Bug #919498 reported by AJenbo on 2012-01-21

258

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	indicator-session (Ubuntu)	Invalid	Undecided	Unassigned

Bug Description

Senario:

Admin clicks his Me-menu and selects the guest session to allow a untrusted person to use the computer. Simply pressing ctrl+alt+f7 returns back to the admins screen with out a password prompt and might even preforme administrative tasks if sudo is still elivated.

Note the guest session would here be found under ctrl+alt+f8

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2012-01-27:

#1

What release of Ubuntu are you using, and could you please give the exact steps necessary to reproduce this?

Thanks.

visibility:	private → public
Changed in lightdm (Ubuntu):
status:	New → Incomplete

Revision history for this message

AJenbo (ajenbo) wrote on 2012-01-27:

#2

Ubuntu 11.10

Log in to the desktop of your admin.
Press the name in the upper right and pick Guest Session.
Press ctrl+alt+f7

The guest user is not back on the admins desktop with out being prompted for a password.

Revision history for this message

Sebastien Bacher (seb128) wrote on 2012-01-27:

#3

the indicator should be locking the session, I can't confirm the issue there

what screensaver do you use?

affects:	lightdm (Ubuntu) → indicator-session (Ubuntu)
Changed in indicator-session (Ubuntu):
status:	Incomplete → New

Revision history for this message

AJenbo (ajenbo) wrote on 2012-01-27: Re: [Bug 919498] Re: Guest users can resturn to admin with no password prompt

#4

I haven't set a screensaver but upgradet from 11.04

Revision history for this message

AJenbo (ajenbo) wrote on 2012-01-27:

#5

I just tested on a clean install of 11.10 and here the issue does not appear. I'll retest on my laptop when i get home later today.

Revision history for this message

AJenbo (ajenbo) wrote on 2012-01-27:

#6

Ok seams it is different then i remembered it, what you have to do is the following:

Log in to your account.
Press ctrl+alt+f8 (this will work weather you have already started a guest session or not)
Pressing ctrl+alt+f7 will bring you back to your personal session with out a password prompt.

So the issue is still there but luckily slightly less likely to be exposed.

Revision history for this message

Marc Deslauriers (mdeslaur) wrote on 2012-02-06:

#7

This is expected behaviour. If you are manually changing virtual terminals, nothing is locking your screen. If you want your screen locked, you need to lock it manually before changing virtual terminals.

Changed in indicator-session (Ubuntu):
status:	New → Invalid

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.