Lock screen can be bypassed when auto-login is enabled.

Bug #1706770 reported by Chris Gavin on 2017-07-26
270
This bug affects 4 people
Affects Status Importance Assigned to Milestone
Ubuntu MATE
High
Unassigned
lightdm (Ubuntu)
Undecided
Unassigned
mate-session-manager (Ubuntu)
High
Unassigned

Bug Description

16.04 LTS
=========

Hi,

My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot.

When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password.

Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled).

Thanks,
Chris

Changed in ubuntu-mate:
importance: Undecided → High
Changed in mate-session-manager (Ubuntu):
importance: Undecided → High
Marc Deslauriers (mdeslaur) wrote :

Hi! Can I make this bug public so more developers can see it?
Thanks!

Chris Gavin (chrisgavin) wrote :

That's fine with me.

information type: Private Security → Public Security
Douglas Silva (o-alquimista) wrote :

Unable to reproduce this in Ubuntu MATE 17.04. I use full-disk encryption too and enabled auto-login as well.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lightdm (Ubuntu):
status: New → Confirmed
Changed in mate-session-manager (Ubuntu):
status: New → Confirmed
Chris Gavin (chrisgavin) wrote :

If it helps, I've reproduced this in a fresh Ubuntu Mate virtual machine.

1. Install Ubuntu Mate following all the usual steps until you get to the account creation screen.
2. Create a user account with a password and leave "require password at login" checked.
3. Finish installation and reboot.
4. Go to "System" -> "Administration" -> "Users and Groups".
5. Change password from "Asked on logon" to "Not asked on logon".
6. Lock your machine.
7. Press "Switch User".
8. Observe no password is required to unlock as the current user.

For some reason, the problem doesn't happen when you set your account to not require a password at installation. Even more oddly, the user account still shows "Asked on logon" for the user created at installation, even though the option to not require a password was checked, and seems to be effective at boot. I guess they must just be implemented in different ways.

Chris Gavin (chrisgavin) wrote :

After a bit more investigation, being in the `nopasswdlogin` group is what causes the switch-user screen to not ask for a password.

Having `autologin-user` set to your username in /etc/lightdm/lightdm.conf is what works correctly.

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers