users-admin should not allow creation of users with encrypted home who aren't asked for password on login

Bug #888355 reported by Aryeh Gregor on 2011-11-10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
gnome-system-tools (Ubuntu)

Bug Description

Tested in Ubuntu 11.04 and 11.10. Steps to reproduce:

1) Go to "Users and Groups" (users-admin)

2) Click "Add"

3) Pick any name

4) Check "Encrypt home folder to protect sensitive data"

5) Click "OK"

6) Set any password

7) Check "Don't ask for password on login"

8) Click OK

Expected result: An error is raised at some point, because the user will not be able to log in.

Actual result: User is created normally. On login, the user is not prompted for their password, so the login fails. In Ubuntu 11.04, some cryptic error messages display and the GUI hangs; in Ubuntu 11.10, you're returned to the login screen. Since the user is not prompted for their password, the home directory cannot be decrypted, so login will fail. The two options are contradictory, and it should be impossible to select both.

It might also be worthwhile if the program responsible for login (gdm?) detected this conflict and prompted the user for their password, ignoring the preference not to be prompted. However, the preferences are still logically contradictory, so the administrator should not be allowed to select both when creating a user.

Bug #581303 and Bug #577563 are related, but were filed against gdm and eCryptfs. The problem should still be fixed in users-admin regardless of whether there's a workaround in gdm.

Milan Bouchet-Valat (nalimilan) wrote :

Indeed. But users-admin is no longer developed, since it's been replaced with the new GNOME control center applet upstream. (The new applet doesn't allow setting a password-less account.)

I don't think the workaround should be added in GDM, though, because I don't think it would be easy due to how PAM works. So I'm marking this bug as duplicate of the other, and moving the other to gnome-system-tools.

Changed in gnome-system-tools (Ubuntu):
importance: Undecided → Medium
status: New → Triaged

In 11.10, hitting the super/meta/whatever key and typing "Users" gets me "Users and Groups" (= users-admin) and also "User Accounts" (= gnome-control-center?). "User Accounts" is the one that shows up in "System Settings..." from the button in the upper right. If we're not supposed to use users-admin anymore, shouldn't it be removed? I upgraded from 11.04, if that helps. Should I file a separate bug? If it's no longer maintained, surely it should be uninstalled when the user upgrades.

I can confirm that the new applet doesn't allow the same issue to arise, because it just doesn't allow you to do either of the two conflicting things. This seems like a, well, not really optimal solution to the problem, but I can't argue it's not a solution.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers