Notification popup before login -> app started w/o login
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
gdm | New | Unknown | |
gdm3 (Ubuntu) | Confirmed | Undecided | Unassigned |
Bug Description
== General pattern ==
In gdm login screen, while no one is logged in, notification popups are shown. An unauthenticated person at the keyboard can interact with these popups to start applications.
== Concrete Example ==
I've got a separate storage disk that is nearly full (just /storage with photos etc., / is on another device and has plenty of space). I get a notification popup 'Disk space is low on /storage.' with options to either 'ignore' or to 'examine' it (it's silly to notify me about shortage on this disk, but that's another topic). When I click 'examine', baobab is started as user gdm, as I can see in 'ps' on a console terminal. It's not visible on screen, it's supposedly somewhere 'behind' the gdm screen.
== Expected behaviour ==
As long as nobody is logged in, gdm doesn't start any applications.
I don't see much use for popups before login at all (imagine a popup 'New file Surprise_
== Security implications ==
Even though the application is not visible in this case, the behaviour does not provide any use to the user. Contrarily, a popup targeting logged in users could unintentionally compromise security. Imagine e.g. a case where a popup allows the not-logged-in person in front of the machine to specify actions beyond starting a specific application (something like 'Problem with flux capacitor detected. Click here to run flux-fix, or here, to specify a custom command in popup input field').
This is just a light hint that there *might* be a security issue. There might be countermeasures (namely popups' general abilities) to prevent such a scenario. Please feel free to re-classify accordingly.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: gdm3 3.36.3-
ProcVersionSign
Uname: Linux 5.8.0-44-generic x86_64
ApportVersion: 2.20.11-
Architecture: amd64
CasperMD5CheckR
CurrentDesktop: X-Cinnamon
Date: Sat Mar 20 22:57:15 2021
InstallationDate: Installed on 2020-04-24 (329 days ago)
InstallationMedia: Ubuntu 20.04 LTS "Focal Fossa" - Release amd64 (20200423)
SourcePackage: gdm3
UpgradeStatus: No upgrade log present (probably fresh install)
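A check for the symptom described in the report (a desktop application such as baobab running as user gdm), added here as an example; it is not part of the original report or of gdm. The allowlist patterns and the sample `ps` output are constructed assumptions and need tuning for the release and desktop in use.

```python
"""Flag processes owned by the greeter account that are not greeter components."""
import fnmatch

# Assumption: command-name patterns normally present in a GDM greeter session.
# `ps` truncates comm to 15 characters, hence the wildcards.
EXPECTED_GREETER_COMMS = [
    "systemd", "(sd-pam)", "dbus-daemon", "gdm-*", "gnome-session-*",
    "gnome-shell", "Xwayland", "Xorg", "gsd-*", "ibus-*", "at-spi*",
    "pulseaudio", "pipewire*", "dconf-service", "gjs", "xdg-*",
]

# Constructed sample in the format of `ps -eo user,pid,comm`.
SAMPLE_PS = """\
USER         PID COMMAND
root        1021 gdm3
gdm         1380 gdm-wayland-ses
gdm         1410 gnome-shell
gdm         1502 gsd-housekeepin
gdm         2290 baobab
alice       3001 bash
"""


def unexpected_greeter_processes(ps_text, greeter_user="gdm"):
    """Return (pid, comm) for processes of greeter_user outside the allowlist."""
    findings = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # blank or malformed line
        user, pid, comm = parts[0], parts[1], parts[2].strip()
        if user != greeter_user or not pid.isdigit():
            continue
        if not any(fnmatch.fnmatchcase(comm, pat) for pat in EXPECTED_GREETER_COMMS):
            findings.append((int(pid), comm))
    return findings


if __name__ == "__main__":
    for pid, comm in unexpected_greeter_processes(SAMPLE_PS):
        print(f"unexpected process as greeter user: pid={pid} comm={comm}")
```

On a live system, feed it the output of `ps -eo user,pid,comm` while the login screen is showing and nobody is logged in.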
Changed in gdm3 (Ubuntu): status: New → Confirmed
Changed in gdm: status: Unknown → New
Thanks for the report. Making this public to get the Desktop team to take a look at this.