Keep the screen locked if autologin or nopasswdlogin is enabled

Bug #1600389 reported by Humphrey van Polanen Petel on 2016-07-08
This bug affects 3 people
Affects Status Importance Assigned to Milestone
unity (Ubuntu)
Medium
Andrea Azzarone
Nominated for Xenial by Marco Trevisan (Treviño)
Xenial
Undecided
Unassigned

Bug Description

[Impact]
After <Super>-L the screen is 'locked' and a password is required to resume operating.
However, restarting the computer will present an 'open' system again.
As a consequence, the computer cannot be protected against unauthorized access by this method.

[Test Case]
1. Activate autologin.
2. Lock the screen.
3. Reboot the system (you need to select 'Switch Account...' from the session menu first)
4. After reboot make sure the screen is still locked.

[Regression Potential]
None.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: unity 7.2.6+14.04.20151021-0ubuntu1
ProcVersionSignature: Ubuntu 3.16.0-76.98~14.04.1-generic 3.16.7-ckt27
Uname: Linux 3.16.0-76-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.21
Architecture: amd64
CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
CurrentDesktop: Unity
Date: Sat Jul 9 08:44:39 2016
InstallationDate: Installed on 2015-09-08 (304 days ago)
InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
SourcePackage: unity
UpgradeStatus: No upgrade log present (probably fresh install)
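
The [Test Case] above depends on autologin being active, and the bug title also covers nopasswdlogin. The following is an added example, not code from the bug report or from unity, that lists which accounts are in either state. It assumes LightDM is the display manager, that its settings live in /etc/lightdm/lightdm.conf and /etc/lightdm/lightdm.conf.d/*.conf, and that passwordless login is granted through supplementary membership of the nopasswdlogin group; the sample inputs are constructed.

```python
import configparser
import glob
import os

# Constructed sample inputs (not from the bug report).
SAMPLE_LIGHTDM_CONF = """\
# constructed example
[Seat:*]
autologin-user=alice
autologin-user-timeout=0
"""
SAMPLE_GROUP = "root:x:0:\nnopasswdlogin:x:125:bob,carol\nalice:x:1000:\n"


def autologin_users(conf_text):
    """Users named by autologin-user in a [Seat:*] or [SeatDefaults] section."""
    cp = configparser.ConfigParser(strict=False, interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    users = set()
    for section in cp.sections():
        if section.lower().startswith("seat"):
            user = cp.get(section, "autologin-user", fallback="").strip()
            if user:
                users.add(user)
    return users


def nopasswd_users(group_text):
    """Supplementary members of the nopasswdlogin group in /etc/group text."""
    for line in group_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) == 4 and fields[0] == "nopasswdlogin":
            return {u for u in fields[3].split(",") if u}
    return set()


def passwordless_report(conf_texts, group_text):
    """Map each user to the reasons their login needs no password."""
    report = {}
    for text in conf_texts:
        for user in autologin_users(text):
            report.setdefault(user, set()).add("autologin")
    for user in nopasswd_users(group_text):
        report.setdefault(user, set()).add("nopasswdlogin")
    return report


if __name__ == "__main__":
    # Read the real files when present, otherwise fall back to the samples.
    paths = ["/etc/lightdm/lightdm.conf"] + sorted(glob.glob("/etc/lightdm/lightdm.conf.d/*.conf"))
    confs = [open(p).read() for p in paths if os.path.isfile(p)] or [SAMPLE_LIGHTDM_CONF]
    group = open("/etc/group").read() if os.path.isfile("/etc/group") else SAMPLE_GROUP
    for user, why in sorted(passwordless_report(confs, group).items()):
        print(f"{user}: {', '.join(sorted(why))}")
```

Any account it reports is one for which a locked screen has to be re-established after a reboot, which is the behaviour the test case verifies.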

Seth Arnold (seth-arnold) wrote :

Could you open the system settings, user panel, and see if the "automatic login" setting is enabled for your user? (It isn't for my user, I must log in every time I reboot my machine.)

Thanks

information type: Private Security → Public Security
Changed in unity (Ubuntu):
status: New → Incomplete
Seth Arnold (seth-arnold) wrote :

I suppose I should add another caution that regardless of the setting of the "automatic login" setting on user accounts, it's possible that anyone that can interact with the computer during early boot can use e.g. "init=/bin/sh" at the kernel command line to boot into an environment without any passwords, which can then be used to change nearly everything on the system.

If you wish to keep your data private, a simple screen lock and login passwords are not sufficient; full disk encryption or per-user encrypted mounts (eCryptfs) are required.

Thanks

My system is set for "automatic login".

I recognize that the system is vulnerable at boot.

However, I submit
that the lock screen insinuates that the system has been secured against unauthorized access and
that the average user has the tendency to trust what the system tells it so that
therefore
the lock screen utility *must* be improved.

I suggest to let the lock screen utility disable automatic login (and set a flag to restore the previous setting).

Andrea Azzarone (azzar1) wrote :

"automatic login" is not enabled by default, marking as opinion.

Changed in unity (Ubuntu):
status: Incomplete → Opinion
importance: Undecided → Wishlist
Andrea Azzarone (azzar1) on 2016-07-12
Changed in unity (Ubuntu):
status: Opinion → In Progress
importance: Wishlist → Low
importance: Low → Medium
tags: added: destkop-trello-import
Changed in unity (Ubuntu):
assignee: nobody → Andrea Azzarone (azzar1)
tags: added: desktop-trello-import
removed: destkop-trello-import
Andrea Azzarone (azzar1) on 2016-07-12
summary: - lock screen is not safe
+ Keep the screen locked if autlogin is enabled
summary: - Keep the screen locked if autlogin is enabled
+ Keep the screen locked if autologin is enabled
Andrea Azzarone (azzar1) on 2016-08-16
summary: - Keep the screen locked if autologin is enabled
+ Keep the screen locked if autologin or nopasswdlogin is enabled
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package unity - 7.5.0+17.04.20170109-0ubuntu1

---------------
unity (7.5.0+17.04.20170109-0ubuntu1) zesty; urgency=medium

  [ Andrea Azzarone ]
  * Round gtk scaling factor to closest integer. (LP: #1649736)
  * Keep the screen locked if rebooting with autologin. (LP: #1600389)

  [ Eleni Maria Stea ]
  * shouldn't create blur rectangles when there's no blur, skips the
    blur rects processing in low gfx.

 -- Marco Trevisan (Treviño) <mail@3v1n0.net> Mon, 09 Jan 2017 15:10:02 +0000

Changed in unity (Ubuntu):
status: In Progress → Fix Released
Andrea Azzarone (azzar1) on 2017-07-17
description: updated

Hello Humphrey, or anyone else affected,

Accepted unity into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unity/7.4.5+16.04.20171116 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in unity (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-needed verification-needed-xenial
Łukasz Zemczak (sil2100) wrote :

Hello Humphrey, or anyone else affected,

Accepted unity into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/unity/7.4.5+16.04.20171201.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Sorry for not responding earlier.

tests run after locking screen
1 - suspend
2 - switch session, shutdown, restart
3 - switch to guest account, shutdown, restart
4 - disconnected power

in all cases the system came up with the screen locked

if these were all options then the patch has solved the problem
if I missed something then please reopen and tell me what to test

tags: added: verification-done-xenial
removed: verification-needed-xenial
This report contains Public Security information
Everyone can see this security related information.
