Switchuser from user in Unity back to other logged in user in XFCE opens XFCE-user session with no password needed
Bug #1073770 reported by
James Grabbs
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
xscreensaver (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
Ubuntu 12.04.1 64 bit: I have found what appears that it could be a serious security issue in a multi-user situation (e.g. a computer lab, etc). If user1 is using XFCE and the switchuser applet is used to switch to user2 in Unity then if user2 picks to switchuser from Unity back to user1 it opens the previous XFCE session for user1 without any password needed. Hopefully this description makes sense. I have checked and this is reproduced each time. Here is a simple summary when using the switchuser functions:
user1-XFCE to user2-Unity = user2-password required, user2-Unity back to user1-XFCE = NO password required (SECURITY RISK, user1 account could be compromised)
information type: | Private Security → Public |
affects: | ubuntu → xscreensaver (Ubuntu) |
summary: |
- Switchuser from user1 in Unity back to other user2 in XFCE opens user2 - session with no password needed + Switchuser from user in Unity back to other logged in user in XFCE opens + XFCE-user session with no password needed |
To post a comment you must log in.