Activity log for bug #1413790

Date Who What changed Old value New value Message
2015-01-22 23:01:21 Andrea Azzarone bug added bug
2015-01-22 23:01:35 Andrea Azzarone bug task added unity (Ubuntu)
2015-01-22 23:01:46 Andrea Azzarone bug task deleted unity (Ubuntu)
2015-01-22 23:02:00 Andrea Azzarone bug task added lightdm (Ubuntu)
2015-01-22 23:03:44 Andrea Azzarone description Lightdm should not emit logind "unlock" signal when the user is not prompted for a password. This can lead to a security issue: # Log-in (unity session). # Add the current user to nopasswdlogin group. # Lock the sessions. # Session indicator->Switch account... # "Login" in again. Expected behavior: The lockscreen is still active. Current behavior: The session is unlocked. We could work around the issue directly in unity, but IMHO would be cleaner to avoid that lightdm is emitting the logind signal. Lightdm should not emit logind "unlock" signal when the user is not prompted for a password. This can lead to a security issue: # Log-in (unity session). # Add the current user to nopasswdlogin group. # Lock the sessions. # Session indicator->Switch account... # "Login" in again. Expected behavior: The lockscreen is still active. Current behavior: The session is unlocked. We could workaround the issue directly in unity, but IMHO would be cleaner to avoid that lightdm is emitting the logind signal.
2015-01-22 23:17:23 Andrea Azzarone bug task added gnome-session (Ubuntu)
2015-01-22 23:18:41 Andrea Azzarone bug task added unity
2015-01-23 10:14:49 Andrea Azzarone summary Lightdm should not emit logind "unlock" signal when the user is in nopasswdlogin group. It's possible to bypass lockscreen if user is in nopasswdlogin group.
2015-01-23 10:18:58 Launchpad Janitor branch linked lp:~andyrock/unity/lp-1413790
2015-01-23 10:24:10 Andrea Azzarone bug task added unity (Ubuntu)
2015-01-23 10:24:17 Andrea Azzarone bug task deleted gnome-session (Ubuntu)
2015-01-23 10:24:23 Andrea Azzarone unity: milestone 7.3.1
2015-01-23 10:24:27 Andrea Azzarone unity: assignee Andrea Azzarone (andyrock)
2015-01-23 10:24:30 Andrea Azzarone unity (Ubuntu): assignee Andrea Azzarone (andyrock)
2015-01-23 10:24:35 Andrea Azzarone unity: status New In Progress
2015-01-23 10:24:38 Andrea Azzarone unity (Ubuntu): status New In Progress
2015-01-23 12:48:41 Marc Deslauriers information type Private Security Public
2015-01-23 15:56:23 Andrea Azzarone lightdm (Ubuntu): status New Invalid
2015-01-23 15:56:31 Andrea Azzarone lightdm: status New Invalid
2015-01-27 02:31:54 Robert Ancell bug task deleted lightdm (Ubuntu)
2015-01-27 02:32:01 Robert Ancell bug task deleted lightdm
2015-01-28 19:51:55 Launchpad Janitor unity (Ubuntu): status In Progress Fix Released
2015-01-28 23:26:52 Andrea Azzarone unity: status In Progress Fix Committed
2015-02-11 16:17:00 Stephen M. Webb unity: status Fix Committed Fix Released
2015-03-11 19:14:26 Stephen M. Webb nominated for series unity/7.2
2015-03-11 19:14:26 Stephen M. Webb bug task added unity/7.2
2015-03-11 19:14:37 Stephen M. Webb unity/7.2: milestone 7.2.5
2015-03-11 19:19:00 Stephen M. Webb unity/7.2: status New In Progress
2015-03-11 19:19:03 Stephen M. Webb unity/7.2: importance Undecided Medium
2015-03-11 19:19:05 Stephen M. Webb unity: importance Undecided Medium
2015-03-11 19:19:07 Stephen M. Webb unity/7.2: assignee Stephen M. Webb (bregma)
2015-03-11 19:19:09 Stephen M. Webb unity (Ubuntu): importance Undecided Medium
2015-03-11 19:19:34 Stephen M. Webb nominated for series Ubuntu Trusty
2015-03-11 19:21:22 Launchpad Janitor branch linked lp:~bregma/unity/lp-1413790-trusty
2015-03-18 02:14:21 Stephen M. Webb unity (Ubuntu Trusty): status New In Progress
2015-03-18 02:14:29 Stephen M. Webb unity (Ubuntu Trusty): importance Undecided Medium
2015-03-18 02:14:32 Stephen M. Webb unity (Ubuntu Trusty): assignee Stephen M. Webb (bregma)
2015-03-18 02:19:14 Stephen M. Webb description Lightdm should not emit logind "unlock" signal when the user is not prompted for a password. This can lead to a security issue: # Log-in (unity session). # Add the current user to nopasswdlogin group. # Lock the sessions. # Session indicator->Switch account... # "Login" in again. Expected behavior: The lockscreen is still active. Current behavior: The session is unlocked. We could workaround the issue directly in unity, but IMHO would be cleaner to avoid that lightdm is emitting the logind signal. [IMPACT] A user is presented with a password dialog even if a member of the nopasswdlogin group (and may not have a password). [TEST CASE] (1) Create a test user. (2) Add the test user to the nopasswdlogin group. (3) Log in to a Unity session using that account. (4) Lock the screen. (5) Attempt to unlock the screen: no password prompt should be presented. [REGRESSION POTENTIAL] Conceivably allowing a login with no authentication could present unexpected vulnerabilities in which unforeseen code paths also exercise this function. Care has been taken by the developer to avoid such cases. [OTHER INFO] The fix for Ubuntu 14.04 LTS was cherry picked from the Ubuntu "Vivid Vervet" dev release where it has been in production use for some time without apparent regression.
2015-03-18 19:50:29 Stefano Bagnatica bug added subscriber Stefano Bagnatica
2015-04-08 08:39:03 Adam Conrad unity (Ubuntu Trusty): status In Progress Fix Committed
2015-04-08 08:39:05 Adam Conrad bug added subscriber Ubuntu Stable Release Updates Team
2015-04-08 08:39:10 Adam Conrad bug added subscriber SRU Verification
2015-04-08 08:39:14 Adam Conrad tags verification-needed
2015-04-11 14:28:44 Mateusz Stachowski tags verification-needed verification-done
2015-04-15 20:04:42 Launchpad Janitor unity (Ubuntu Trusty): status Fix Committed Fix Released
2015-04-15 20:06:27 Chris J Arges removed subscriber Ubuntu Stable Release Updates Team
2015-04-16 16:23:33 Christopher Townsend unity/7.2: milestone 7.2.5 7.2.6