inconsistent settings for lock screen between xfce4-session and xfce4-power-manager
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | xfce4-power-manager |
Fix Released
|
Undecided
|
Sean Davis | |
| | xfce4-session |
Fix Released
|
Wishlist
|
||
| | xfce4-power-manager (Ubuntu) |
Undecided
|
Sean Davis | ||
Bug Description
Linux Mint 14, XFCE edition.
The XFCE power manager consistently fails to lock the screen upon suspend when the computer is put to sleep using the log-out dialog or the Action Buttons applet. The "lock screen when going for suspend/hibernate" option is set to true. The screen locks, as expected, when the computer is told to suspend via the right-click menu for the Power Manager applet in the dock.
To reproduce the bug make sure that "lock screen when going for suspend/hibernate" is set in the control panel then go into the Applications Menu and select "Log Out." Then select "Suspend." The screen ought to lock and then the computer ought to go to sleep. Instead, the computer suspends without locking the screen and when the computer resumes it does not require a password.
This is a security vulnerability as it is far too easy to accidently leave the computer unlocked when one would reasonably expect it to lock itself.
Related branches
- Chris J Arges: Needs Fixing on 2014-04-07
- Pasi Lallinaho (community): Approve (community) on 2014-04-06
-
Diff: 2629 lines (+2527/-3)8 files modified.pc/09_sync_session_xfpm_lock_setting.patch/settings/xfpm-settings.c (+1726/-0)
.pc/09_sync_session_xfpm_lock_setting.patch/src/xfpm-xfconf.c (+610/-0)
.pc/applied-patches (+1/-0)
debian/changelog (+6/-0)
debian/patches/09_sync_session_xfpm_lock_setting.patch (+126/-0)
debian/patches/series (+1/-0)
settings/xfpm-settings.c (+7/-1)
src/xfpm-xfconf.c (+50/-2)
|
|
#8 |
Did you try “lock screen before sleep” in the last tab of xfce4-session settings?
|
|
#9 |
Thank you, it did the trick.
Sorry for lamenting.
|
|
#10 |
No problem. I'm retitling and adjusting severity. I think there might already be a bug for the same thing, which I think is planner (or even already fixed) for 4.12
| information type: | Private Security → Public Security |
I've uncovered the problem. There are two options in the XFCE control panel that do the same thing:
* Power Manager -> Extended -> Lock screen when going for suspend/hibernate
* Session and Startup -> Advanced -> Lock screen before sleep
The former seems to only control the behavior of the power manager panel applet (battery charge indicator). The latter seems to only control the behavior of the logout dialog and the action buttons panel applet. These settings ought to be merged because it is unlikely that a user would wish to have different behaviors depending on which applet they use to sleep the computer. Furthermore, enabling an inconsistent security policy is unsafe.
| Launchpad Janitor (janitor) wrote : | #2 |
Status changed to 'Confirmed' because the bug affects multiple users.
| Changed in xfce4-power-manager (Ubuntu): | |
| status: | New → Confirmed |
| affects: | ubuntu → xfce4-power-manager (Ubuntu) |
| Changed in xfce4-power-manager (Ubuntu): | |
| status: | New → Triaged |
|
|
#11 |
As for inconsistency, they use different methods for launching suspend and hibernate: you can notice that, if you have lock-on-sleep unchecked for both, and use gnome-screensaver daemon or light-locker: if you suspend by xfce4-session, it will lock, but not if you suspend by xfce4-power-
| Jarno Suni (jarnos) wrote : | #3 |
There is some advantage in having a separate setting in the power manager: The power manager is used also in e.g. Lubuntu, in which there would be hard to change all Xfce settings. Maybe the both ways could change same variable, though.
| affects: | linuxmint → xfce4-session |
| Changed in xfce4-session: | |
| importance: | Undecided → Unknown |
| status: | New → Unknown |
| summary: |
- XFCE will not lock screen when suspending via log out dialog. + inconsistent settings for lock screen between xfce4-session and xfce4 + -power-manager |
| Launchpad Janitor (janitor) wrote : | #4 |
Status changed to 'Confirmed' because the bug affects multiple users.
| Changed in xfce4-session (Ubuntu): | |
| status: | New → Confirmed |
| Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package xfce4-power-manager - 1.2.0-3ubuntu4
---------------
xfce4-power-manager (1.2.0-3ubuntu4) trusty; urgency=medium
* Add 09_sync_
-- Sean Davis <email address hidden> Mon, 07 Apr 2014 10:09:14 -0500
| Changed in xfce4-power-manager (Ubuntu): | |
| status: | Triaged → Fix Released |
| no longer affects: | xfce4-session (Ubuntu) |
| Changed in xfce4-power-manager: | |
| status: | New → Fix Released |
| Changed in xfce4-power-manager (Ubuntu): | |
| assignee: | nobody → Sean Davis (smd-seandavis) |
| Changed in xfce4-power-manager: | |
| assignee: | nobody → Sean Davis (smd-seandavis) |
This issue is already fixed in xfce4-power-manager
according to https:/
| Changed in xfce4-session: | |
| importance: | Unknown → Wishlist |
| status: | Unknown → Confirmed |
|
|
#13 |
It still does not work in version 4.10.1.
I've tested it with checkbox checked and unchecked in xfce4-session.
|
|
#14 |
What if system does not have xfce4-session installed? Does xfce4-power-manager let you change the setting in its own UI then? (In my Ubuntu Studio 14.04 the option is dimmed and can not be used there; same thing with Hibernate and Suspend.) As for xfce4-session-
|
|
#15 |
(In reply to Netrix from comment #6)
> It still does not work in version 4.10.1.
>
> I've tested it with checkbox checked and unchecked in xfce4-session.
What version of xfce4-power-manager did you use?
|
|
#16 |
This bug has indeed been fixed via xfce4-power-manager >=1.3.0 and the two settings are in sync now.
| Changed in xfce4-session: | |
| status: | Confirmed → Fix Released |
I've marked this bug major, as it causes a user-defined security setting's failure.
I've a full xfce install on Arch Linux, and I've noticed the following:
In xfce4-power-
However, I think the REAL way of quitting your desktop is by design, tradition, logic and whatever, is by the xfce4-session-
Tested: GUI (suspend/hibernate) xfce4-session-
CLI xfce4-session-
Does not work.
So there's an inconsistency between the two utilities, and I thionk, because Xfce is a Desktop Environment, its elements should respect each others settings.
And I think the one that has to be modified is Xfce-session-
package: xfce4-session 4.10.0-3