Comment 0 for bug 1460626

Revision history for this message
Margarita Manterola (marga-9) wrote :

This was reported and supposedly fixed in https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1370017, but the bug is still present in the current Unity version in Trusty. I've reported it in that bug already, but got ignored, so I'm opening a new bug about it.

[Impact and Test Case]

Steps to reproduce:
1 - Log into Unity
2 - Open a terminal.
3 - Lock the screen
4 - From the lockscreen, tell the computer to shut down / restart

Expected behavior:
* Session programs are closed while the screen is still locked
* During shutdown, no user interaction is possible

Observed behavior:
* The lockscreen is gone immediately, with the rest of compiz (e.g. window decorations are not present)
* But it's possible to interact with programs that are still running in the session for about 3 seconds

Observed on an updated Trusty machine, running unity version 7.2.5+14.04.20150521.1-0ubuntu1

This bug is a security vulnerability because during those 3 seconds it could be possible to access and interact with sensitive information. Yes, it's short, but you could take a picture or even rm -rf / if there happened to be a root console available.