Light-locker easy to circumvent when using two separate Desktops
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
light-locker (Ubuntu) | Expired | Undecided | Unassigned |
Bug Description
Hi,
I am using multiple monitors and experienced a serious security problem in the new version of Light Locker as of Ubuntu 14.04. I have a setup with two separate screens on one X server - see my attached xorg.conf. Usually, I log in on the first screen to an openbox session and start a second "Lubuntu"-session on the second screen using the following command:
DISPLAY=:0.1 startlubuntu
To lock the screen, I point my mouse to the second screen and press ctrl+alt+l, which locks both screens (blanking them) and prompts for the entry of the password on screen0. So far so good, and this always worked flawlessly in the past. Now, the problem is that since Ubuntu 14.04 this can be easily circumvented; here are the steps:
- log into openbox session
- start Lubuntu session on another display
- lock the session
- switch to the text console (ctrl+alt+f1)
- switch back to the graphical desktop
Expected behavior:
- the unlock dialog appears as usual on screen 0 and screen 1 is locked/black
Actual behavior:
- the session on screen 1 is *wide open* and screen0 has a black screen with the text: "this session is locked. please wait a few seconds for the unlock prompt to appear"
- after a few seconds, screen1 is blanked and the unlock screen appears
An attacker can easily do whatever he wants on screen1 and has in principle unlimited time for that, because after the unlock screen appears he can do the switch to the text console and back once more and again has a few seconds to *resume* his actions on screen 1.
As far as I remember, this behavior was different in Ubuntu 13.10 and prior releases.
Possible workarounds:
- use a different screen locker (e.g. xtrlock, xscreensaver)
- turn this delay in light-locker off (is this possible?)
- fix this annoying bug, screen1 should always be inaccessible in locked state.
summary:
- Light-locker easy to circumvent with two separate Desktops
+ Light-locker easy to circumvent when using two separate Desktops
Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures