[SecurityRoadmap] Desktop visible when screen is locked in Kubuntu

Bug #474654 reported by goto on 2009-11-04
300
This bug affects 9 people
Affects Status Importance Assigned to Milestone
KDE Base
Fix Released
Medium
kdebase-workspace (Ubuntu)
Undecided
Unassigned

Bug Description

Sometimes when the screen is locked and I press a key to unlock it, I see my entire desktop and open windows under the password dialog box. That's a security problem.

I believe this is a compositing / video memory issue, because of the following factors:

1.) It is intermittent, but occurs most when the screen is "busy" (lots of graphics-heavy windows open).

2.) I can almost always reproduce it by doing something video-intensive, such as x11perf.

3.) Sometimes everything will be visible except that one or two windows, or the "active" portions thereof, will be blacked out.

4.) I have seen other compositing / video memory glitches, such as the contents of a previously closed window appearing briefly in a newly opened window before it completes drawing (another security issue in its own right).

5.) The desktop is shown as it appeared when the screen was locked, and does not update while locked.

6.) I am unable to reproduce the issue with compositing ("desktop effects") disabled.

Note that the desktop is not dimmed; it is visible for as long as you want to stare at it, even after the password prompt has disappeared; and I am using dualhead and both screens are visible, so this is not a duplicate of #390989 or #385102 or #417722, though it is probably related. I have attached two screenshots (acquired via VNC) demonstrating the problem.

I'm running Kubuntu 9.04 x86-64 with all updates, using the NVidia 180.44 binary driver with TwinView on a GeForce 8400 GS.

goto (gotolaunchpad) wrote :
visibility: private → public
goto (gotolaunchpad) wrote :
description: updated
Changed in ubuntu:
status: New → Confirmed
KIAaze (zohn-joidberg) wrote :

I've been having the same problem ever since I switched to Kubuntu too.
My temporary solution is to add a desktop effect toggle plasmoid:
http://www.kde-look.org/content/download.php?content=78299&id=1&tan=69111769&PHPSESSID=cae
http://ubuntuforums.org/showthread.php?t=1300619

But I still just keep desktop effects deactivated most of the time. :(

KIAaze (zohn-joidberg) wrote :

Also, here's a simple script to toggle compositing: toggleCompositing.sh
=============
#!/bin/bash
RESULT=`qdbus org.kde.kwin /KWin org.kde.KWin.compositingActive`

if [ "$RESULT" = "true" ]
then
  # turn off
  kwriteconfig --file kwinrc --group Compositing --key Enabled false
else
  # turn on
  kwriteconfig --file kwinrc --group Compositing --key Enabled true
fi

# Then restart kwin (in Alt+F2) with:
kwin --replace &
===============

Now, if somebody could tell me how to integrate that into the lock screen mechanism (turn off on lock, turn on on unlock), I'd be very happy. :D

KIAaze (zohn-joidberg) wrote :

Interesting:

When I run this from a terminal, the screen gets locked and seems to remain black even after moving the mouse and waiting again for the dialog to go away:
qdbus org.freedesktop.ScreenSaver /ScreenSaver Lock

But when I create a launcher for this command, it does the same as the standard lock button: i.e. The desktop becomes visible once the password dialog goes away.

KIAaze (zohn-joidberg) wrote :

Just wanted to add: The problem does not appear when using an animated screensaver instead of blank screen.
So it may just be the "blank screen" screensaver which needs to be fixed/adapted.

Etienne Perot (etienneperot) wrote :

I'm not sure if this is related, but I also gets this kind of bug... For instance when someone talks to me on Pidgin, it marks the window as "requires attention" and it blinks in the panel. If this happens while the screensaver is running (Blank screen screensaver ro not), the panel goes "in front of" the screensaver window and becomes visible.

KIAaze (zohn-joidberg) wrote :

Ok, here's a bug workaround:
1) sudo mv /usr/lib/kde4/libexec/kscreenlocker /usr/lib/kde4/libexec/kscreenlocker.bin
2) Create a script named /usr/lib/kde4/libexec/kscreenlocker containing the following:
==============
#!/bin/sh

#store compositing setting
COMPOSITING=`qdbus org.kde.kwin /KWin org.kde.KWin.compositingActive`

# Do stuff before locking...
kwriteconfig --file kwinrc --group Compositing --key Enabled false
kwin --replace &

/usr/lib/kde4/libexec/kscreenlocker.bin $@

# Do stuff after unlocking...
if [ "$COMPOSITING" = "true" ]
then
  # turn on
  kwriteconfig --file kwinrc --group Compositing --key Enabled true
else
  # turn off
  kwriteconfig --file kwinrc --group Compositing --key Enabled false
fi

# Then restart kwin (in Alt+F2) with:
kwin --replace &
==============

For more info:
http://forum.kde.org/viewtopic.php?f=64&t=61217

Thanks again WindPower. ;)

KIAaze (zohn-joidberg) wrote :

Improved version of the workaround script (if compositing is off, it does nothing):
/usr/lib/kde4/libexec/kscreenlocker:
============
#!/bin/sh

#store compositing setting
COMPOSITING=`qdbus org.kde.kwin /KWin org.kde.KWin.compositingActive`

# Do stuff before locking...
if [ "$COMPOSITING" = "true" ]
then
 kwriteconfig --file kwinrc --group Compositing --key Enabled false
 kwin --replace &
fi

# lock screen
/usr/lib/kde4/libexec/kscreenlocker.bin $@

# Do stuff after unlocking...
if [ "$COMPOSITING" = "true" ]
then
  # turn on
  kwriteconfig --file kwinrc --group Compositing --key Enabled true
  # Then restart kwin (in Alt+F2) with:
  kwin --replace &
fi
============

Bernhard Bock (bernhard-bock) wrote :

This problem still occurs on my notebook on the latest Lucid alpha release (updated 04. March 2010) with nvidia-current (195.36.03) on x86-64.

Version: 0.2 (using KDE 4.4.2)
OS: Linux

This is a security setting. The expected behavior is that an unauthorized person will not be able to view the desktop if the password isn't entered. With the current behavior, the desktop is revealed; interaction is prevented, but private information open is revealed.

Reproducible: Always

Steps to Reproduce:
Go to system settings>Desktop>Screen Saver. Activate the screensaver. Check the box "Require password to stop". Activate screen saver. move mouse or tap keyboard to stop screensaver. Desktop is revealed, and password entry box becomes modal over the system.

This happens with blank screen screensaver. Others not tested.

Actual Results:
The behavior revealing the screen, even before the password is entered, makes this of limited security value.

Expected Results:
That some other visual obscures the screen. For example, Gnome continues to show only a blank screen and the password entry dialog. Windows shows some variation of the login screen.

OS: Linux (x86_64) release 2.6.32-24-generic
Compiler: cc

I think this is a security bug.

Can someone test using updated Lucid or Maverick? Thanks!

affects: ubuntu → kdebase-workspace (Ubuntu)
Changed in kdebase-workspace (Ubuntu):
status: Confirmed → Incomplete
Philip Muškovac (yofel) wrote :

Still happens on maverick for me. There was some talk about this on the kde-devel ML too a while ago http://lists.kde.org/?l=kde-devel&m=127832203218499&w=2

Changed in kdebase-workspace (Ubuntu):
status: Incomplete → Confirmed
Changed in kdebase:
status: Unknown → New

i think bug 183496 comment 8 describes the same problem. like bug 183496 itself, it is possibly also related to compositing (please try disabling it and report back), but is a different issue as such (x server/driver bugs have been suggested - what graphics card + driver are you using?).

*** Bug 249417 has been marked as a duplicate of this bug. ***

I upgraded to Kubuntu 10.10 and no longer see this behavior.

Changed in kdebase:
status: New → Unknown
Changed in kdebase:
importance: Unknown → Medium
Changed in kdebase:
status: Unknown → Invalid
Maarten Bezemer (veger) wrote :

Changed to KDE 246623 (because KDE 249417 was marked as a duplicate)

Changed in kdebase:
importance: Medium → Unknown
status: Invalid → Unknown
Changed in kdebase:
importance: Unknown → Medium
status: Unknown → New

I can confirm this behavior.
I happens frequently (not always), I do not know what triggers this behavior...

When I leave my office at work I just the lid of my laptop in order to lock the session, Sometimes when I come back I can see my entire desktop before logging into the locked session.

Running Kubuntu 10.10 / KDE 5.4.1
Using an ATI video card with fglrx package version 2:8.780

summary: - Desktop visible when screen is locked in Kubuntu
+ [SecurityRoadmap] Desktop visible when screen is locked in Kubuntu

*** Bug 270957 has been marked as a duplicate of this bug. ***

Harald Sitter (apachelogger) wrote :

Hi there!

Thanks for reporting this bug! Your bug seems to be a problem with the KDE program itself, and not with our KDE packages. While we appreciate your issue, it would be better if it was tracked at https://bugs.kde.org, so that the KDE developers can deal with this speedily and have direct communication with you as the reporter for more effective debugging.

Thanks!

Changed in kdebase-workspace (Ubuntu):
status: Confirmed → Invalid

There seems to be a regression with Kubuntu 11.10/KDE 4.7

Apart from this, occasionally the password box remains visible after unlocking on 4.9.2. One way to make it disappear is to disable compositing.

it still occurs here (KDE 4.9.3) that from time to time the desktop becomes visible when the computer resumes from suspend or screensaver and asks for the password.
(quite like bug 183496: https://bugs.kde.org/show_bug.cgi?id=183496, but that one is only about showing the desktop for a fracture of a second)
condition: desktop effects activated

I can confirm both oddities mentioned here:
* screen visible upon unlock
* password box remains on screen after unlock

Both issues go away when disabling compositing.

This is

[ 187.843] (II) AMD Proprietary Linux Driver Version Identifier:9.00.2
[ 187.843] (II) AMD Proprietary Linux Driver Release Identifier: 9.002
[ 187.844] (II) AMD Proprietary Linux Driver Build Date: Sep 28 2012 15:32:36
...
[ 189.301] (--) fglrx(0): Chipset: "AMD Radeon HD 6310 Graphics" (Chipset = 0x9802)
[ 189.301] (--) fglrx(0): (PciSubVendor = 0x17aa, PciSubDevice = 0x21df)

a AMD E-350 APU (Brazos).

KDE is at 4.9.5, a Kubuntu 12.04.1 LTS system, Kwin is also at 4.9.5.

for me this is fixed with 4.10, there has been a new implementation of the lock screen. no disclosure of desktop anymore. thanks, KDE guys.

The new screen locker should indeed resolve this; if you still see a problem in 4.10, please file a new bug.

Changed in kde-baseapps:
status: New → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.