Switchuser from user in Unity back to other logged in user in XFCE opens XFCE-user session with no password needed

Bug #1073770 reported by James Grabbs on 2012-11-01
This bug affects 1 person
Affects: xscreensaver (Ubuntu)
Importance: Undecided
Assigned to: Unassigned

Bug Description

Ubuntu 12.04.1 64 bit: I have found what appears to be a potentially serious security issue in a multi-user situation (e.g. a computer lab, etc.). If user1 is using XFCE and the switchuser applet is used to switch to user2 in Unity, then if user2 chooses to switchuser from Unity back to user1, it opens the previous XFCE session for user1 without any password needed. Hopefully this description makes sense. I have checked and this is reproduced each time. Here is a simple summary when using the switchuser functions:
user1-XFCE to user2-Unity = user2-password required
user2-Unity back to user1-XFCE = NO password required (SECURITY RISK, user1 account could be compromised)

information type: Private Security → Public
affects: ubuntu → xscreensaver (Ubuntu)
James Grabbs (jgrabbs) on 2012-11-10
summary: - Switchuser from user1 in Unity back to other user2 in XFCE opens user2
- session with no password needed
+ Switchuser from user in Unity back to other logged in user in XFCE opens
+ XFCE-user session with no password needed