Gnome-screensaver does not lock if "turn screen off" is disabled

Bug #1247683 reported by Tony Whelan
This bug affects 2 people
Affects: gnome-screensaver (Ubuntu)
Status: Confirmed
Importance: Medium
Assigned to: Matthew Paul Thomas

Bug Description

The "Screensaver & Lock settings dialog" for the gnome screensaver is misleading and is a security risk.

It allows you to specify whether or not the screen will be turned off after a certain time, and it allows you to specify whether or not the session will lock (and require a password) after a certain time. The dialog presents these as independent options, but in reality, the lock will NEVER operate unless you also enable "Turn screen off ...".

The "Lock" option should be grayed out/disabled if "Turn screen off" is not enabled.

Much better would be to change the code so that the two functions are independent of each other. Surely it should be possible to lock the session after a set time even if you don't have the screen set to turn off.

As it stands, users can be fooled into thinking that their session will lock after a set time when in reality that will not happen unless they have also enabled "Turn screen off".

In addition, at present the Lock options for 30 secs, 1 minute, etc actually represent the time delay AFTER the screen is turned off. So for example if you set "Turn screen off" to 5 minutes and "Lock" to 2 minutes, the session will lock after 5+2 = 7 minutes.

information type: Private Security → Public
Marc Deslauriers (mdeslaur) wrote :

Subscribing mpt to get some design input of this issue.

Changed in gnome-screensaver (Ubuntu):
status: New → Confirmed
Seth Arnold (seth-arnold) wrote :

Time-based locking is unlikely to ever work correctly with X11; see also bug 49579.

If having your session locked when you are away is important to you, you should be locking your session manually before leaving.

Thanks

Tony Whelan (tony-whelan) wrote :

Seth, thanks for the reference to bug 49579. I can see it's a messy issue.

I don't have a problem with manually locking the screen, especially as I have worked in secure Defence facilities where that is standard practice.

But I do have a problem with a software interface that falsely claims to provide a facility which in fact doesn't work correctly if at all.

To get rid of the immediate problem, distros could get rid of the broken "Lock" setting from the settings menu, and instead just add a notice that CTRL-ALT-L (or whatever) will lock the screen.

The security issue is not that there isn't an effective automatic lock, but that the software creates a false and misleading impression that such a facility exists.

My programming days are long over (anyone remember assembly language?), and I don't know what is involved in removing the "Lock" setting from the Screensaver/Lock dialog box. If I did know, I'd do it myself.

information type: Public → Public Security
Changed in gnome-screensaver (Ubuntu):
assignee: nobody → Matthew Paul Thomas (mpt)
Changed in gnome-screensaver (Ubuntu):
importance: Undecided → Medium
David Klasinc (bigwhale) wrote :

This is still an issue. Because of bug #1295267 I can't set the screen to turn off automatically. So I turned off screen blanking and left lock on. I was a little bit surprised that screen lock didn't engage after an idle period.

Also, I am trying to understand why screen blank + lock would work, but only a screen lock wouldn't.
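The behaviour described in the bug report (the lock only fires after the screen is turned off, and the lock delay is counted from that point) can be checked against a machine's settings with the sketch below. It is an added example, not part of the original thread or of gnome-screensaver; it assumes the dialog stores its values in the gsettings keys `org.gnome.desktop.session idle-delay` and `org.gnome.desktop.screensaver lock-enabled` / `lock-delay`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: models the behaviour described in the bug report.
# Assumption: "Turn screen off" = org.gnome.desktop.session idle-delay
# (0 means never) and "Lock" = org.gnome.desktop.screensaver lock-enabled
# plus lock-delay.

# gsettings prints uint32 values as "uint32 300"; keep only the number.
parse_uint() {
    echo "${1##* }"
}

# effective_lock IDLE_SECS LOCK_ENABLED LOCK_DELAY_SECS
# Prints the seconds of inactivity before the session locks, or "never".
effective_lock() {
    el_idle=$1
    el_enabled=$2
    el_delay=$3
    if [ "$el_enabled" != "true" ] || [ "$el_idle" -eq 0 ]; then
        # Lock disabled, or screen never turns off: the lock timer never starts.
        echo never
        return 0
    fi
    # The lock delay is counted from the moment the screen turns off.
    echo $((el_idle + el_delay))
}

# Read the live settings and warn when the dialog promises a lock that
# will not happen. Returns 1 on that misconfiguration.
audit_lock() {
    a_idle=$(parse_uint "$(gsettings get org.gnome.desktop.session idle-delay)")
    a_enabled=$(gsettings get org.gnome.desktop.screensaver lock-enabled)
    a_delay=$(parse_uint "$(gsettings get org.gnome.desktop.screensaver lock-delay)")
    a_result=$(effective_lock "$a_idle" "$a_enabled" "$a_delay")
    if [ "$a_enabled" = "true" ] && [ "$a_result" = "never" ]; then
        echo "WARNING: lock is enabled but screen-off is disabled; session will not auto-lock"
        return 1
    fi
    echo "Session locks after: $a_result (seconds of inactivity, or never)"
}

# Only touch the live desktop settings when asked to.
if [ "${1:-}" = "--audit" ]; then
    audit_lock
fi
```

Run with `--audit` inside the desktop session being checked; with the report's example of 5 minutes and 2 minutes, `effective_lock 300 true 120` gives 420 seconds.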
