** Summary changed: - Switchuser from user1 in Unity back to other user2 in XFCE opens user2 session with no password needed + Switchuser from user in Unity back to other logged in user in XFCE opens XFCE-user session with no password needed
-- You received this bug notification because you are a member of Desktop Packages, which is subscribed to xscreensaver in Ubuntu. https://bugs.launchpad.net/bugs/1073770 Title: Switchuser from user in Unity back to other logged in user in XFCE opens XFCE-user session with no password needed Status in “xscreensaver” package in Ubuntu: New Bug description: Ubuntu 12.04.1 64 bit: I have found what appears that it could be a serious security issue in a multi-user situation (e.g. a computer lab, etc). If user1 is using XFCE and the switchuser applet is used to switch to user2 in Unity then if user2 picks to switchuser from Unity back to user1 it opens the previous XFCE session for user1 without any password needed. Hopefully this description makes sense. I have checked and this is reproduced each time. Here is a simple summary when using the switchuser functions: user1-XFCE to user2-Unity = user2-password required, user2-Unity back to user1-XFCE = NO password required (SECURITY RISK, user1 account could be compromised) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/xscreensaver/+bug/1073770/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
