killing the screensaver gives access

Bug #446218 reported by ReimarBauer
This bug affects 2 people
Affects: gnome-screensaver (Ubuntu)
Status: Confirmed
Importance: Wishlist
Assigned to: Unassigned
Milestone:

Bug Description

Binary package hint: gnome-screensaver

If the gnome-screensaver is killed, the desktop is open for everyone.

I think if someone or something kills the screensaver, the user should be safely logged out.

ProblemType: Bug
Architecture: amd64
DistroRelease: Ubuntu 9.04
NonfreeKernelModules: nvidia
Package: gnome-screensaver 2.24.0-0ubuntu6
ProcEnviron:
 PATH=(custom, user)
 LANG=de_DE.utf8
 SHELL=/bin/bash
SourcePackage: gnome-screensaver
Uname: Linux 2.6.28-15-generic x86_64

ReimarBauer (reimarbauer) wrote :
security vulnerability: yes → no
visibility: private → public
Changed in gnome-screensaver (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
TomatoGoatee (tomatogoatee) wrote :

I found out about this just yesterday. If a user is logged in on a different terminal, they can kill a locked gnome-screensaver and have free rein of the desktop.

Granted, leaving oneself logged in on multiple TTYs is bad practice in itself, but there should be something that prevents the killing of gnome-screensaver.

That being said, how is a security loophole like this only a 'Wishlist' item?

Chris Coulson (chrisccoulson) wrote :

Because it's a non-issue. The screensaver is responsible for locking the screen, and you can kill it just like any other process. However, just like any other process, it can't be killed by any other unprivileged user other than yourself. If the screensaver wasn't responsible for locking the screen, then some other process would be instead.

If you leave yourself logged in to a TTY as well as a graphical X session, then it's just the same as leaving the screen unlocked (whether an opportunist kills the screensaver or not, they can still access all of your files and personal information, and start a graphical session on your behalf).
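
The situation described in the comment above (a locked graphical session alongside another open login for the same user) can be checked from `who` output. This is an added example, not part of the bug thread or of gnome-screensaver; the function names and the sample data are constructed, and it assumes the usual `who` column layout (USER LINE DATE TIME [(ORIGIN)]).

```shell
#!/bin/sh
# Added example: flag users whose graphical session coexists with another
# login (text console or remote shell) that is not covered by the screen lock.

# Reads `who`-format lines on stdin, prints "user: line [line ...]" per hit.
find_lock_bypass_sessions() {
    awk '
    {
        user = $1; line = $2; origin = $NF
        # Graphical login: LINE is a display (":0"), or a ttyN whose
        # ORIGIN column is a display such as "(:0)".
        if (line ~ /^:[0-9]/ || (line ~ /^tty/ && origin ~ /^\(:[0-9]/)) {
            graphical[user] = 1
        # Terminal emulator running inside the X session: already behind
        # the screen lock, so it is not counted.
        } else if (line ~ /^pts\// && origin ~ /^\(:[0-9]/) {
            next
        # Everything else is an independent shell for that user.
        } else {
            other[user] = other[user] " " line
        }
    }
    END {
        for (u in graphical)
            if (u in other)
                printf "%s:%s\n", u, other[u]
    }' | sort
}

# Constructed sample input, not taken from the bug report.
sample_who() {
    cat <<'EOF'
alice    tty7         2009-10-08 09:00 (:0)
alice    pts/0        2009-10-08 09:05 (:0.0)
alice    tty2         2009-10-08 09:30
bob      tty3         2009-10-08 10:00
carol    tty8         2009-10-08 10:10 (:1)
carol    pts/1        2009-10-08 10:12 (:1.0)
dave     :2           2009-10-08 11:00
dave     pts/3        2009-10-08 11:20 (192.0.2.10)
EOF
}

sample_who | find_lock_bypass_sessions
```

On a live system the same function can be fed with `who | find_lock_bypass_sessions`, for example from a hook that runs when the screen is locked.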

ReimarBauer (reimarbauer) wrote :

I don't have a problem with killing the process myself. Sometimes logging in again doesn't seem to work; the password check hangs. Since I know that I can safely stop this program and get my session back, I often use it.

But this leads to a false sense of security. I would prefer to be logged out if that program is stopped.

In the case of the TTY user, that user usually cannot access all mails or the just encrypted file, while someone who could stop the screensaver immediately has access to this data.

The best working screensaver is to log out and to shutdown ;)

cheers
Reimar
