inconsistent settings for lock screen between xfce4-session and xfce4-power-manager

Reported by Samantha Davis on 2013-01-20
284
This bug affects 6 people
Affects Status Importance Assigned to Milestone
xfce4-power-manager
Fix Released
Undecided
Sean Davis
xfce4-session
Unknown
Unknown
xfce4-power-manager (Ubuntu)
Undecided
Sean Davis

Bug Description

Linux Mint 14, XFCE edition.

The XFCE power manager consistently fails to lock the screen upon suspend when the computer is put to sleep using the log-out dialog or the Action Buttons applet. The "lock screen when going for suspend/hibernate" option is set to true. The screen locks, as expected, when the computer is told to suspend via the right-click menu for the Power Manager applet in the dock.

To reproduce the bug make sure that "lock screen when going for suspend/hibernate" is set in the control panel then go into the Applications Menu and select "Log Out." Then select "Suspend." The screen ought to lock and then the computer ought to go to sleep. Instead, the computer suspends without locking the screen and when the computer resumes it does not require a password.

This is a security vulnerability as it is far too easy to accidently leave the computer unlocked when one would reasonably expect it to lock itself.

information type: Private Security → Public Security

I've uncovered the problem. There are two options in the XFCE control panel that do the same thing:

* Power Manager -> Extended -> Lock screen when going for suspend/hibernate
* Session and Startup -> Advanced -> Lock screen before sleep

The former seems to only control the behavior of the power manager panel applet (battery charge indicator). The latter seems to only control the behavior of the logout dialog and the action buttons panel applet. These settings ought to be merged because it is unlikely that a user would wish to have different behaviors depending on which applet they use to sleep the computer. Furthermore, enabling an inconsistent security policy is unsafe.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

affects: ubuntu → xfce4-power-manager (Ubuntu)
Changed in xfce4-power-manager (Ubuntu):
status: New → Triaged
Changed in xfce4-power-manager (Ubuntu):
status: New → Confirmed
Jarno Suni (jarnos) wrote :

There is some advantage in having a separate setting in the power manager: The power manager is used also in e.g. Lubuntu, in which there would be hard to change all Xfce settings. Maybe the both ways could change same variable, though.

affects: linuxmint → xfce4-session
Changed in xfce4-session:
importance: Undecided → Unknown
status: New → Unknown
summary: - XFCE will not lock screen when suspending via log out dialog.
+ inconsistent settings for lock screen between xfce4-session and xfce4
+ -power-manager
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in xfce4-session (Ubuntu):
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package xfce4-power-manager - 1.2.0-3ubuntu4

---------------
xfce4-power-manager (1.2.0-3ubuntu4) trusty; urgency=medium

  * Add 09_sync_session_xfpm_lock_setting.patch (LP: #1101982)
 -- Sean Davis <email address hidden> Mon, 07 Apr 2014 10:09:14 -0500

Changed in xfce4-power-manager (Ubuntu):
status: Triaged → Fix Released
no longer affects: xfce4-session (Ubuntu)
Pasi Lallinaho (knome) on 2014-04-14
Changed in xfce4-power-manager (Ubuntu):
assignee: nobody → Sean Davis (smd-seandavis)
Changed in xfce4-power-manager:
assignee: nobody → Sean Davis (smd-seandavis)
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers

Related blueprints

Remote bug watches

Bug watches keep track of this bug in other bug trackers.