Bug#433259: gdm: switched user get access to previous logged in user without a password
On Mon, 2007-07-16 at 11:49 +0200, Josselin Mouette wrote:
> On Monday 16 July 2007 at 01:29 +0300, Martin Dimitrov wrote:
> > When logged user make a "switch user" and other user log on. After new user
> > finish his work
> > and want to log off he immediately get access to previous logged in user
> > without need to type a password!
>
> What method do you use to switch user? If it is in the logout menu, the
> screen should be locked on the inactive screen.

After upgrading most of GNOME to 2.20 (this includes gnome-panel, gnome-screensaver, fast-user-switch-applet but not gdm) I can only reproduce this using "Switch User" from the "Log out" menu in gnome-panel. The rest of the methods to switch user (from gnome-screensaver, fusa, gdmflexiserver) work and lock the screen.

It would be great if someone else could confirm this.

--
Cheers,
Sven Arvidsson
http://www.whiz.se
PGP Key ID 760BDD22
Bug#433259: gdm: switched user get access to previous logged in user without a password
On Mon, 2007-07-16 at 11:49 +0200, Josselin Mouette wrote:
> On Monday 16 July 2007 at 01:29 +0300, Martin Dimitrov wrote:
> > When logged user make a "switch user" and other user log on. After new user
> > finish his work
> > and want to log off he immediately get access to previous logged in user
> > without need to type a password!
>
> What method do you use to switch user? If it is in the logout menu, the
> screen should be locked on the inactive screen.
>
> Is gnome-screensaver or xscreensaver installed?

I can confirm this bug: when using the logout menu or fast-user-switch-applet, the screen isn't always locked. It does seem to work if I use gdmflexiserver to switch instead.

Curiously, the locking seems to start working after a little while, at least with fast-user-switch-applet.

I'm using gnome-screensaver.

--
Cheers,
Sven Arvidsson
http://www.whiz.se
PGP Key ID 760BDD22
Bug#433259: gdm: switched user get access to previous logged in user without a password
Hi,

I can confirm the bug. After logout from gnome session I don't see gdm login screen but session of previous user (if any user remained logged in and was switched). Latest unstable.

regards,

--
Milan Kocian
Bug#433259: gdm: switched user get access to previous logged in user without a password
On Monday 16 July 2007 at 01:29 +0300, Martin Dimitrov wrote:
> Package: gdm
> Version: 2.18.2-1
> Severity: critical
> Tags: security
> Justification: root security hole
>
> When logged user make a "switch user" and other user log on. After new user
> finish his work
> and want to log off he immediately get access to previous logged in user
> without need to type a password!

What method do you use to switch user? If it is in the logout menu, the screen should be locked on the inactive screen.

Is gnome-screensaver or xscreensaver installed?

--
 .''`.
: :' :      We are debian.org. Lower your prices, surrender your code.
`. `'       We will add your hardware and software distinctiveness to
  `-        our own. Resistance is futile.
Bug#433259: gdm: switched user get access to previous logged in user without a password
On Mon, Jul 16, 2007, Martin Dimitrov wrote:
> When logged user make a "switch user" and other user log on. After new user
> finish his work
> and want to log off he immediately get access to previous logged in user
> without need to type a password!

You mean local users on the console of the machine? You can switch displays by Ctrl-Alt-Fxx anyway, no?

--
Loïc Minier
Bug#433259: gdm: switched user get access to previous logged in user without a password
Package: gdm
Version: 2.18.2-1
Severity: critical
Tags: security
Justification: root security hole

When logged user make a "switch user" and other user log on. After new user finish his work and want to log off he immediately get access to previous logged in user without need to type a password!

-- System Information:
Debian Release: lenny/sid
  APT prefers testing-proposed-updates
  APT policy: (500, 'testing-proposed-updates'), (500, 'proposed-updates'), (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-5-k7 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages gdm depends on:
ii  adduser                     3.103          Add and remove users and groups
ii  debconf [debconf-2.0]       1.5.13         Debian configuration management sy
ii  gksu                        2.0.0-4        graphical frontend to su
ii  gnome-session               2.18.2-2       The GNOME 2 Session Manager
ii  gnome-terminal [x-terminal  2.18.1-1       The GNOME 2 terminal emulator appl
ii  libart-2.0-2                2.3.19-3       Library of functions for 2D graphi
ii  libatk1.0-0                 1.18.0-2       The ATK accessibility toolkit
ii  libattr1                    1:2.4.32-1.1   Extended attribute shared library
ii  libc6                       2.5-9+b1       GNU C Library: Shared libraries
ii  libcairo2                   1.4.10-1       The Cairo 2D vector graphics libra
ii  libdbus-1-3                 1.1.1-3        simple interprocess messaging syst
ii  libdbus-glib-1-2            0.73-2         simple interprocess messaging syst
ii  libdmx1                     1:1.0.2-2      X11 Distributed Multihead extensio
ii  libfontconfig1              2.4.2-1.2      generic font configuration library
ii  libglade2-0                 1:2.6.1-1      library to load .glade files at ru
ii  libglib2.0-0                2.12.12-1+b1   The GLib library of C routines
ii  libgnomecanvas2-0           2.14.0-3       A powerful object-oriented display
ii  libgtk2.0-0                 2.10.13-1      The GTK+ graphical user interface
ii  libpam-modules              0.79-4         Pluggable Authentication Modules f
ii  libpam-runtime              0.79-4         Runtime support for the PAM librar
ii  libpam0g                    0.79-4         Pluggable Authentication Modules l
ii  libpango1.0-0               1.16.4-1       Layout and rendering of internatio
ii  libpopt0                    1.10-3         lib for parsing cmdline parameters
ii  librsvg2-2                  2.16.1-2       SAX-based renderer library for SVG
ii  librsvg2-common             2.16.1-2       SAX-based renderer library for SVG
ii  libselinux1                 2.0.15-2+b1    SELinux shared libraries
ii  libwrap0                    7.6.dbs-13     Wietse Venema's TCP wrappers libra
ii  libx11-6                    2:1.0.3-7      X11 client-side library
ii  libxau6                     1:1.0.3-2      X11 authorisation library
ii  libxcursor1                 1:1.1.8-2      X cursor management library
ii  libxdmcp6                   1:1.0.2-2      X11 Display Manager Control Protoc
ii  libxext6                    1:1.0.3-2      X11 miscellaneous extension librar
ii  libxfixes3                  1:4.0.3-2      X11 miscellaneous 'fixes' extensio
ii  libxi6                      1:1.0.1-4      X11 Input extension library
ii  libxinerama1                1:1.0.2-1      X11 Xinerama extension library
ii  libxml2                     2.6.29.dfsg-1  GNOME XML library
ii  libxrandr2                  2:1.2.1-1      X11 RandR extension library
ii  libxrender1                 1:0.9.2-1      X Rendering Extension client libra
ii  lsb-base                    3.1-23.1       Linux Standard Base 3.1 init scrip
ii  metacity [x-window-manager  1:2.14.5-4     A lightweight GTK2 based Window Ma
ii  rxvt [x-terminal-emulator]  1:2.6.4-10     VT102 terminal emulator for the X
ii  twm [x-window-manager]      1:1.0.3-2      Tab window manager
ii  xbase-clients               1:7.2.ds2-2    miscellaneous X clients
ii  xterm [x-terminal-emulator  226-1          X terminal emulator

Versions of packages gdm recommends:
ii  dialog                      1.1-20070604-1 Displays user-friendly dialog boxe
ii  gdm-themes                  0.5.1          Themes for the GNOME Display Manag
ii  whiptail                    0.52.2-10      Displays user-friendly dialog boxe
ii  zenity                      2.18.2-1       Display graphical dialog boxes fro

-- debconf information:
  gdm/daemon_name: /usr/bin/gdm
* shared/default-x-display-manager: gdm