require screenlock password (if set)

Bug #1347010 reported by Jamie Strandboge on 2014-07-22
This bug affects 1 person
Affects                  Importance  Assigned to
Ubuntu File Manager App  Critical    Arto Jalkanen
Ubuntu Terminal App      Critical    Unassigned

Bug Description

Ubuntu Touch will soon have the ability to set a PIN/password for the user. If the password is set, we should limit access to the terminal and the filemanager to guard against sideloading apps when lending a phone to someone who does not know the PIN/password.

For the terminal, we should unconditionally require the screenlock password when one is set on application launch. See https://ubuntu.mybalsamiq.com/projects/ubuntuphonecoreapps/Terminal%20security

For the file manager, we should allow passwordless access to MTP-exported directories, and require the screenlock password when one is set when accessing non-MTP-exported directories. This can be implemented as a button (or similar): 'Show all files' which when clicked should prompt for the password (if set). 'Show all files' should not be remembered between application invocations.

IMPORTANT: this only covers a very limited set of attack scenarios, but does guard against casual trojanning when lending a phone to a stranger. Notably, it does not cover sideloading via adb.

FYI, these changes are required for RTM, so I added the appropriate tag. The Importance should be at least 'High'.


David Planella (dpm) wrote :

- Is there an API for applications to request the status of the screenlock password?
- How can file manager determine if a directory is being exported over MTP?

Changed in ubuntu-filemanager-app:
status: New → Incomplete
Changed in ubuntu-terminal-app:
status: New → Incomplete
Jamie Strandboge (jdstrand) wrote :

> - Is there an API for applications to request the status of the screenlock password?

mterry told me you can do something like this:
09:02 < mterry> sudo -u phablet -i gdbus call --session
                --dest=com.canonical.UnityGreeter --object-path=/list
                --method=org.freedesktop.DBus.Properties.Get
                com.canonical.UnityGreeter.List EntryIsLocked

(you can make that an API call of course). Please talk to mterry if you have
questions with this API.

> - How can file manager determine if a directory is being exported over MTP?
>
09:17 < cyphermox> jdstrand: it's any files in the Downloads, Music, Documents,
                   Pictures, and Videos directories; that's all there is to it.
                   recognized extensions will get the files tagged as a
                   particular type, but they aren't filtered in any way

If you have other questions regarding MTP, please talk to cyphermox.

Changed in ubuntu-filemanager-app:
status: Incomplete → New
Changed in ubuntu-terminal-app:
status: Incomplete → New
tags: added: rtm14
description: updated
David Planella (dpm) on 2014-07-25
Changed in ubuntu-filemanager-app:
status: New → Triaged
importance: Undecided → High
Changed in ubuntu-terminal-app:
status: New → Triaged
importance: Undecided → High
Michael Terry (mterry) wrote :

And the following will tell you if the greeter is currently up:

sudo -u phablet -i gdbus call --session --dest=com.canonical.UnityGreeter --object-path=/ --method=org.freedesktop.DBus.Properties.Get com.canonical.UnityGreeter IsActive

Jamie Strandboge (jdstrand) wrote :

For this to work, the applications need to go through the PAM stack. This can serve as an example:
http://bazaar.launchpad.net/~unity-team/unity/trunk/view/head:/lockscreen/UserAuthenticatorPam.cpp

The solution for these apps should ideally be broken out into a library that both the terminal and the filemanager could use.

Jamie Strandboge (jdstrand) wrote :

Also, please have the ubuntu-security team audit this authentication plugin/library.

David Planella (dpm) on 2014-07-25
description: updated
Arto Jalkanen (ajalkane) wrote :

I have changed importance to Critical, because without this fix it seems likely FileManager won't be allowed into the store.

Changed in ubuntu-filemanager-app:
importance: High → Critical
David Planella (dpm) on 2014-07-31
Changed in ubuntu-terminal-app:
importance: High → Critical
David Planella (dpm) on 2014-08-01
Changed in ubuntu-filemanager-app:
assignee: nobody → Arto Jalkanen (ajalkane)
Arto Jalkanen (ajalkane) wrote :

> mterry told me you can do something like this:
> 09:02 < mterry> sudo -u phablet -i gdbus call --session
> --dest=com.canonical.UnityGreeter --object-path=/list
> --method=org.freedesktop.DBus.Properties.Get
> com.canonical.UnityGreeter.List EntryIsLocked

This seems to only work if "Passphrase" is selected. When changing from "Swipe (no security)" to "4-digit passcode", this call still returns "false".

I'm using image 175 (devel-proposed). But anyway, I assume this is something that's a bug in the backend and I can use the same DBus interface to query either lock type.

Michael Terry (mterry) wrote :

EntryIsLocked is only updated when the screen is turned off. So if you update your password type, it won't notice until you lock the screen. A bug, but not one that has affected anyone yet.

Thinking about what you'll need to implement this, it's probably better for you to query AccountsService's PasswordMode property for the current user -- if it is 2, they are in swipe mode, 0 for having set a password of some sort. And also the PasswordDisplayHint property on the com.ubuntu.AccountsService.SecurityPrivacy interface for the current user in AccountsService -- this will tell you whether it's a passcode (1) or passphrase (0).

Then you'd need to use PAM to actually authenticate.

Looking back at the description of this bug... Can a user do anything super awful in Terminal that they can't do using the phone in general? Anything that requires sudo will require the user's passcode already.
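
The file manager policy from the bug description, combined with the property values given in the comment above, as an added example (not part of any comment in this thread and not the file manager's own code). `decide`, `is_mtp_exported` and `show_all_unlocked` are hypothetical names; the caller is assumed to set `show_all_unlocked` only after PAM authentication succeeds and to keep it in memory only, so it is not remembered between application invocations.

```python
import os
from enum import Enum

# Directories exported over MTP, as listed in this thread.
MTP_DIRS = ("Downloads", "Music", "Documents", "Pictures", "Videos")

# Property values as described in this thread.
PASSWORD_MODE_SWIPE = 2   # PasswordMode: swipe, no password set
HINT_PASSCODE = 1         # PasswordDisplayHint: passcode (0 = passphrase)


class Decision(Enum):
    ALLOW = "allow"
    PROMPT_PASSCODE = "prompt for passcode"
    PROMPT_PASSPHRASE = "prompt for passphrase"


def is_mtp_exported(path, home):
    """True if path resolves to a location inside an MTP-exported directory."""
    # realpath collapses ".." and follows symlinks, so neither
    # ~/Documents/../.config nor a symlink planted in ~/Documents
    # can pass as MTP-exported content.
    real = os.path.realpath(path)
    home_real = os.path.realpath(home)
    for name in MTP_DIRS:
        # The root is not resolved beyond home: if ~/Music is itself a
        # symlink, paths under it are judged by where they really live.
        root = os.path.join(home_real, name)
        if real == root or real.startswith(root + os.sep):
            return True
    return False


def decide(path, home, password_mode, display_hint, show_all_unlocked=False):
    """Access decision for one path (hypothetical helper)."""
    if password_mode == PASSWORD_MODE_SWIPE:
        return Decision.ALLOW          # no screenlock password to require
    if show_all_unlocked or is_mtp_exported(path, home):
        return Decision.ALLOW
    # Any mode other than swipe is treated as "password set" (fail closed).
    if display_hint == HINT_PASSCODE:
        return Decision.PROMPT_PASSCODE
    return Decision.PROMPT_PASSPHRASE
```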

Arto Jalkanen (ajalkane) wrote :

> Thinking about what you'll need to implement this, it's probably better for you to query AccountsService's PasswordMode property for the current user

This seems more proper. I was looking at AccountsService to see if it had a ready method to validate the password instead of using PAM directly. It did not, but I didn't happen to think about whether it'd have some interface to query the lock status.

I don't have time to change to using the AccountsService APIs in this timeframe, but surely this is something that should be looked into in the future.

> Looking back at the description of this bug... Can a user do anything super awful in Terminal that they can't do using the phone in
> general? Anything that requires sudo will require the user's passcode already.

The same, if more so, applies to FileManager (which is quite restricted in functionality compared to the power of terminal commands).

Fix committed into lp:ubuntu-filemanager-app at revision 253, scheduled for release in ubuntu-filemanager-app, milestone alpha-1

Changed in ubuntu-filemanager-app:
status: Triaged → Fix Committed
Olli Ries (ories) wrote :

What is the status of this bug? Is there anything we can help with?

Fix committed into lp:ubuntu-terminal-app at revision 134, scheduled for release in ubuntu-terminal-app, milestone alpha-1

Changed in ubuntu-terminal-app:
status: Triaged → Fix Committed
Changed in ubuntu-filemanager-app:
status: Fix Committed → Fix Released
Changed in ubuntu-terminal-app:
status: Fix Committed → Fix Released