Unity Lockscreen still shows unlocked desktop while shutting down
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
| indicator-session (Ubuntu) |
High
|
Andrea Azzarone | ||
| Trusty |
High
|
Andrea Azzarone | ||
| unity (Ubuntu) |
High
|
Andrea Azzarone | ||
| Trusty |
High
|
Andrea Azzarone |
Bug Description
This was reported and supposedly fixed in https:/
[Impact and Test Case]
Steps to reproduce:
1 - Log into Unity
2 - Open a terminal.
3 - Lock the screen
4 - From the lockscreen, tell the computer to shut down / restart
Expected behavior:
* Session programs are closed while the screen is still locked
* During shutdown, no user interaction is possible
Observed behavior:
* The lockscreen is gone immediately, with the rest of compiz (e.g. window decorations are not present)
* But it's possible to interact with programs that are still running in the session for about 3 seconds
Observed on an updated Trusty machine, running unity version 7.2.5+14.
This bug is a security vulnerability because during those 3 seconds it could be possible to access and interact with sensitive information. Yes, it's short, but you could take a picture or even rm -rf / if there happened to be a root console available.
=====
[Impact]
A lockscreen should hide the screen content no matter what. A the moment there is no easy way to provide a good shutdown experience if the screen is locked so it's better to disable it. Please note that you can still shut down the system if the screen is locked just switching to unity-greeter using "Swtich Account..." (it's safe in this case)
Needs to be backported to 14.04 LTS because can affect security.
[Test Case]
1 - Lock the screen
2 - Push the hw shutdown button.
3 - Make sure that there is no shutdown option in the end of session dialog.
1 - Lock the screen
2 - Open the session indicator
3 - Make sure there is no shutdown option in the drop down menu
[Regression Potential]
None.
Related branches
- Marco Trevisan (Treviño): Approve on 2015-10-16
-
Diff: 113 lines (+40/-15)2 files modifieddebian/changelog (+14/-0)
src/service.c (+26/-15)
- Marco Trevisan (Treviño): Approve on 2015-08-17
- PS Jenkins bot (community): Approve (continuous-integration) on 2015-06-04
-
Diff: 62 lines (+11/-9)1 file modifiedsrc/service.c (+11/-9)
- Marco Trevisan (Treviño): Approve on 2015-08-17
- PS Jenkins bot (community): Needs Fixing (continuous-integration) on 2015-06-19
-
Diff: 12 lines (+1/-1)1 file modifiedUnityCore/GnomeSessionManager.cpp (+1/-1)
- Andrea Azzarone (community): Approve on 2015-10-15
-
Diff: 1554 lines (+547/-141)43 files modifiedCMakeLists.txt (+1/-1)
ChangeLog (+182/-0)
UnityCore/GLibDBusProxy.cpp (+16/-3)
UnityCore/GnomeSessionManager.cpp (+6/-1)
dash/DashController.cpp (+2/-0)
dash/DashController.h (+0/-1)
dash/DashView.cpp (+72/-32)
dash/DashView.h (+3/-3)
dash/PlacesGroup.cpp (+13/-2)
dash/PlacesGroup.h (+1/-0)
dash/ResultView.cpp (+25/-0)
dash/ResultView.h (+6/-4)
dash/ResultViewGrid.cpp (+29/-13)
dash/ScopeView.cpp (+20/-22)
dash/ScopeView.h (+2/-0)
debian/changelog (+51/-0)
decorations/DecoratedWindow.cpp (+5/-0)
decorations/DecoratedWindow.h (+1/-0)
decorations/DecorationsManager.cpp (+5/-1)
hud/HudButton.cpp (+0/-5)
hud/HudController.cpp (+2/-0)
hud/HudController.h (+0/-1)
launcher/DeviceNotificationDisplayImp.cpp (+0/-1)
launcher/LauncherController.cpp (+2/-2)
launcher/LauncherIcon.cpp (+9/-4)
panel/PanelView.cpp (+18/-0)
panel/PanelView.h (+1/-0)
plugins/unityshell/src/unityshell.cpp (+16/-2)
plugins/unityshell/unityshell.xml.in (+6/-0)
unity-shared/BGHash.cpp (+5/-2)
unity-shared/CompizUtils.cpp (+0/-3)
unity-shared/OverlayRenderer.cpp (+2/-0)
unity-shared/OverlayScrollView.cpp (+5/-1)
unity-shared/OverlayScrollView.h (+2/-0)
unity-shared/OverlayWindowButtons.cpp (+3/-3)
unity-shared/PlacesOverlayVScrollBar.cpp (+5/-0)
unity-shared/PlacesOverlayVScrollBar.h (+8/-6)
unity-shared/PluginAdapter.cpp (+5/-1)
unity-shared/SearchBar.cpp (+9/-23)
unity-shared/SearchBar.h (+1/-3)
unity-shared/UnitySettings.cpp (+6/-1)
unity-shared/UnitySettings.h (+1/-0)
unity-shared/WindowButtons.cpp (+1/-0)
Margarita Manterola (marga-9) wrote : | #1 |
Changed in unity: | |
assignee: | nobody → Andrea Azzarone (azzar1) |
Changed in unity (Ubuntu): | |
assignee: | nobody → Andrea Azzarone (azzar1) |
Changed in unity: | |
importance: | Undecided → High |
Changed in indicator-session (Ubuntu): | |
assignee: | nobody → Andrea Azzarone (azzar1) |
importance: | Undecided → High |
Changed in unity (Ubuntu): | |
importance: | Undecided → High |
Changed in unity: | |
status: | New → In Progress |
Changed in indicator-session (Ubuntu): | |
status: | New → In Progress |
Changed in unity (Ubuntu): | |
status: | New → In Progress |
Margarita Manterola (marga-9) wrote : | #2 |
Any news here?
Marco Trevisan (Treviño) (3v1n0) wrote : | #3 |
Unfortunately we've some backlog to land, but we're looking into getting this to trunk ASAP and backport to trusty
Launchpad Janitor (janitor) wrote : | #4 |
This bug was fixed in the package unity - 7.3.2+15.
---------------
unity (7.3.2+
[ Andrea Azzarone <email address hidden> ]
* Add unit tests for unity::
* Add/Update tests for gnome session manager.
* Do not allow shutdown when screen is locked. (LP: #1460626)
* Make sure we update the maximized window when "show
desktop"
* Merge patch from https:/
fix.patch (LP: #1491555)
* Merge patch from https:/
override.patch (LP: #1491913)
[ Andrea Azzarone <email address hidden> ]
* Properly hide decorations when on "Show Desktop" mode. (LP:
#1485073)
[ Marco Trevisan (Treviño) ]
* UnityScreen: force shell to be on top when there's a window
fullscreen and we've a menu open. (LP: #591189)
-- Marco Trevisan (Treviño) <mail@3v1n0.net> Thu, 10 Sep 2015 15:37:46 +0000
Changed in unity (Ubuntu): | |
status: | In Progress → Fix Released |
Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package indicator-session - 12.10.5+
---------------
indicator-session (12.10.
[ Andrea Azzarone <email address hidden> ]
* Disable shutdown/reboot in the lockscreen. (LP: #1460626)
[ Sebastien Bacher ]
* under unity8 start system-settings instead unity-control-
#1489480)
-- Sebastien Bacher <email address hidden> Tue, 15 Sep 2015 07:47:28 +0000
Changed in indicator-session (Ubuntu): | |
status: | In Progress → Fix Released |
description: | updated |
description: | updated |
Changed in unity: | |
status: | In Progress → Fix Committed |
Changed in unity: | |
milestone: | none → 7.3.3 |
status: | Fix Committed → Fix Released |
Changed in indicator-session (Ubuntu Trusty): | |
status: | New → In Progress |
Changed in unity (Ubuntu Trusty): | |
status: | New → In Progress |
Changed in indicator-session (Ubuntu Trusty): | |
importance: | Undecided → High |
Changed in unity (Ubuntu Trusty): | |
importance: | Undecided → High |
Changed in indicator-session (Ubuntu Trusty): | |
assignee: | nobody → Andrea Azzarone (azzar1) |
Changed in unity (Ubuntu Trusty): | |
assignee: | nobody → Andrea Azzarone (azzar1) |
Hello Margarita, or anyone else affected,
Accepted indicator-session into trusty-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
Changed in indicator-session (Ubuntu Trusty): | |
status: | In Progress → Fix Committed |
tags: | added: verification-needed |
Changed in unity (Ubuntu Trusty): | |
status: | In Progress → Fix Committed |
Chris J Arges (arges) wrote : | #7 |
Hello Margarita, or anyone else affected,
Accepted unity into trusty-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
information type: | Public → Public Security |
Rohan "HEXcube" Villoth (hexcube) wrote : | #8 |
Installed all 3 patched 𝐔𝐧𝐢𝐭𝐲 𝟕 version 7.2.6+14.
unity
unity-services
libunity-core-6.0-9
and indicator-session version 12.10.5+
tags: |
added: verification-done removed: verification-needed |
Launchpad Janitor (janitor) wrote : | #9 |
This bug was fixed in the package indicator-session - 12.10.5+
---------------
indicator-session (12.10.
[ CI Train Bot ]
* No-change rebuild.
indicator-session (12.10.
* Disable shutdown if screen is locked (lp: #1460626)
-- Marco Trevisan (Treviño) <mail@3v1n0.net> Wed, 21 Oct 2015 15:53:04 +0000
Changed in indicator-session (Ubuntu Trusty): | |
status: | Fix Committed → Fix Released |
Chris J Arges (arges) wrote : Update Released | #10 |
The verification of the Stable Release Update for indicator-session has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Launchpad Janitor (janitor) wrote : | #11 |
This bug was fixed in the package unity - 7.2.6+14.
---------------
unity (7.2.6+
* New upstream release
[ Andrea Azzarone ]
* Merge patch from https:/
override.patch (LP: #1491913)
* Properly hide decorations when on "Show Desktop" mode. (LP: #1485073)
* Do not handle events coming from viewports not actually containing the window.
(LP: #1449654)
* Make sure new icons are added to the model before calling SortAndUpdate
(LP: #1458950)
* GnomeSessionMan
* GnomeSessionMan
[ Chris Townsend ]
* When looking for the top-most valid window in a VP, also check if the window
is focused if the window is set to Always on Top. This allows Launcher icon
spread to work properly when a window is minimized an Always on Top exists in
the group. (LP: #1131385)
* Wait on Spread to be terminated before showing the Quicklist. (LP: #1441626)
* If dragging an application:// uri type from the Dash to the desktop, change it
to a file:// uri type so Nautilus can understand the type a make a copy of it
on the desktop. (LP: #1241972)
* Enable real page up/page down key navigation in the Dash. When using these
keys the view scrolls the length of the visible view. (LP: #913612)
* Save the active window when showing the Hud so the correct window is focused
when hiding the Hud. Fixes issue when "Always on Top" windows are present.
(LP: #1366583)
* Save the active window when showing the Dash so the correct window is focused
when hiding the Dash. Fixes issue when "Always on Top" windows are present.
(LP: #1446634)
* When using keyboard navigation in the Dash, skip category headers that are not
expandable. Also, do not highlight the category header when the mouse cursor
is over it. (LP: #1045933)
* Also use the Compiz show() method when forcing an unmapped window to be
visible when clicking on it's active Launcher icon. (LP: #989588)
* Add option to enable and disable Unity low graphics mode on the fly in ccsm or
via gsettings. (LP: #1412937)
* UScreen, PanelService: get monitor at position, ignoring pre-
multipled Gdk scale factor (LP: #1351591)
[ Marco Trevisan (Treviño) ]
* ResultViewGrid: wait for double-click event only if the relative result needs
the Preview (LP: #1291950)
* OverlayWindowBu
(LP: #1461618)
* GnomeSessionMan
#1405349)
* UScreen, PanelService: get monitor at position, ignoring pre-multipled Gdk
scale factor (LP: #1351591)
* UScreen, PanelService: get monitor at position, ignoring pre-
multipled Gdk scale factor (LP: #1351591)
-- Marco Trevisan (Treviño) <mail@3v1n0.net> Wed, 21 Oct 2015 15:54:44 +0000
Changed in unity (Ubuntu Trusty): | |
status: | Fix Committed → Fix Released |
Rohan "HEXcube" Villoth (hexcube) wrote : | #12 |
Marking the bug as "Fix Released" for Unity 7.2, coz Unity 7.2.6 update got released for Ubuntu 14.04LTS
no longer affects: | unity |
no longer affects: | unity/7.2 |
Andrea, this bug is just a new filing for https:/ /bugs.launchpad .net/ubuntu/ +source/ unity/+ bug/1370017 which is still not fixed in Trusty. The verification instructions in that bug were wrong, and thus it's marked as "Fix Released" when it's actually not fixed at all.
If it has actually been fixed in vivid, maybe the backported patch missed something?