Bug#854344: Password dialog can be skipped using lightdm autologin feature
On Sun, 2017-03-12 at 14:28 +0100, Margarita Manterola wrote:
> Hi,
>
> On 2017-03-12 14:11, Yves-Alexis Perez wrote:
> > Agreed, it looks to me like it's running more or less as intended. Can
> > you be a little bit more specific on what would be the expected behavior
> > from your point of view?
>
> From my understanding of Ivar's report, the feature request would be to
> separate the autologin functionality for starting a new session from
> unlocking an existing session that is locked by a screensaver.

Unfortunately, and as far as I can tell, lightdm doesn't have any indication
whether it's running in “login” or “unlocking” mode. It's the exact same thing
for it, so it definitely behaves as intended.

If it's not what the user wants, I would advise against using
light-locker/lightdm and use another lockscreen.

Regards,
--
Yves-Alexis
Bug#854344: Password dialog can be skipped using lightdm autologin feature
Hi,

On 2017-03-12 14:11, Yves-Alexis Perez wrote:
> Agreed, it looks to me like it's running more or less as intended. Can you
> be a little bit more specific on what would be the expected behavior from
> your point of view?

From my understanding of Ivar's report, the feature request would be to
separate the autologin functionality for starting a new session from
unlocking an existing session that is locked by a screensaver.

--
Regards,
Marga
Bug#854344: Password dialog can be skipped using lightdm autologin feature
On Sun, 12 Mar 2017 12:48:03 +0100 Margarita Manterola wrote:
> reassign -1 lightdm 1.18.3-1
> retitle -1 Screensaver lock can be skipped using lightdm autologin feature
>
> Hi,
>
> On 2017-02-06 10:25, Ivar Smolin wrote:
> > If user locks the screen with cinnamon-screensaver, the password dialog
> > can be skipped if lightdm autologin feature is enabled.
>
> I've verified that this is exactly the same if the user uses the KDE
> screensaver, so I'm reassigning the bug to lightdm.
>
> > Scenario:
> > 1. Lock the screen
> > 2. Use "Switch users" button to activate the lightdm screen
> > 3. Wait until lightdm autologin timeout is over
> > 4. User desktop is activated
>
> While I understand that this might be confusing and not what the user
> expects (in some very specific situations), I don't think this is a
> "security" bug. It seems to me that this is basically working as
> intended, and that changing the behavior is a feature request to allow
> very specific use cases (i.e. not having to type 2 passwords if your disk
> is encrypted or having a session start automatically and then get locked
> automatically).
>
> Still, I'll let the lightdm maintainers decide on that.

Agreed, it looks to me like it's running more or less as intended. Can you be
a little bit more specific on what would be the expected behavior from your
point of view?

Regards,
--
Yves-Alexis
Bug#854344: Password dialog can be skipped using lightdm autologin feature
reassign -1 lightdm 1.18.3-1
retitle -1 Screensaver lock can be skipped using lightdm autologin feature

Hi,

On 2017-02-06 10:25, Ivar Smolin wrote:
> If user locks the screen with cinnamon-screensaver, the password dialog
> can be skipped if lightdm autologin feature is enabled.

I've verified that this is exactly the same if the user uses the KDE
screensaver, so I'm reassigning the bug to lightdm.

> Scenario:
> 1. Lock the screen
> 2. Use "Switch users" button to activate the lightdm screen
> 3. Wait until lightdm autologin timeout is over
> 4. User desktop is activated

While I understand that this might be confusing and not what the user
expects (in some very specific situations), I don't think this is a
"security" bug. It seems to me that this is basically working as
intended, and that changing the behavior is a feature request to allow
very specific use cases (i.e. not having to type 2 passwords if your disk
is encrypted or having a session start automatically and then get locked
automatically).

Still, I'll let the lightdm maintainers decide on that.

--
Regards,
Marga
Bug#854344: Password dialog can be skipped using lightdm autologin feature
Package: cinnamon-screensaver
Version: 3.2.13-1
Severity: normal
Tags: security

If user locks the screen with cinnamon-screensaver, the password dialog
can be skipped if lightdm autologin feature is enabled.

Scenario:
1. Lock the screen
2. Use "Switch users" button to activate the lightdm screen
3. Wait until lightdm autologin timeout is over
4. User desktop is activated

Autologin parameters enabled in lightdm config (section [Seat:*]):

# diff /etc/lightdm/lightdm.conf /etc/lightdm/lightdm.conf.original
122,123c122,123
< autologin-user=okul
< autologin-user-timeout=2
---
> #autologin-user=
> #autologin-user-timeout=0

lightdm version:
ii lightdm 1.18.3-1

I generated two use cases to explain the problem and also tested them
on my computer. In both cases the password dialog can be skipped using
autologin feature.

Case 1: User data is protected by hard disk partition password.

This case is applicable for single user computer if user wants to avoid
entering two passwords during bootup.

Hard disk partition is encrypted. Accessing data requires to enter
password during bootup process. After entering password, the display
manager logs user in automatically.

Case 2: User data is protected by autolocking screen after autologin

This case is applicable for user who wants to log in automatically (to
continue downloads, to start audio player, etc.) but also to protect
his/her data.

Screen locking is activated by session startup programs. Display manager
logs user in automatically and locks screen.
-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages cinnamon-screensaver depends on:
ii  cinnamon-desktop-data        3.2.4-3
ii  gir1.2-accountsservice-1.0   0.6.43-1
ii  gir1.2-cinnamondesktop-3.0   3.2.4-3
ii  gir1.2-gkbd-3.0              3.22.0.1-1
ii  gir1.2-glib-2.0              1.50.0-1
ii  gir1.2-gtk-3.0               3.22.6-1
ii  gir1.2-xapp-1.0              1.0.2-1
ii  iso-flags-png-320x240        1.0.1-1
ii  libc6                        2.24-8
ii  libcscreensaver0             3.2.13-1
ii  libglib2.0-0                 2.50.2-2
ii  libgtk-3-0                   3.22.6-1
ii  python3                      3.5.3-1
ii  python3-gi                   3.22.0-2
ii  python3-gi-cairo             3.22.0-2
ii  python3-setproctitle         1.1.10-1
ii  python3-xlib                 0.14+20091101-5
pn  python3:any
pn  python:any

Versions of packages cinnamon-screensaver recommends:
ii  cinnamon-screensaver-x-plugin  3.2.13-1

Versions of packages cinnamon-screensaver suggests:
pn  cinnamon-screensaver-webkit-plugin

-- no debconf information

#
# General configuration
#
# start-default-seat = True to always start one seat if none are defined in the configuration
# greeter-user = User to run greeter as
# minimum-display-number = Minimum display number to use for X servers
# minimum-vt = First VT to run displays on
# lock-memory = True to prevent memory from being paged to disk
# user-authority-in-system-dir = True if session authority should be in the system location
# guest-account-script = Script to be run to setup guest account
# logind-check-graphical = True to on start seats that are marked as graphical by logind
# log-directory = Directory to log information to
# run-directory = Directory to put running state in
# cache-directory = Directory to cache to
# sessions-directory = Directory to find sessions
# remote-sessions-directory = Directory to find remote sessions
# greeters-directory = Directory to find greeters
# backup-logs = True to move add a .old suffix to old log files when opening new ones
#
[LightDM]
#start-default-seat=true
#greeter-user=lightdm
#minimum-display-number=0
#minimum-vt=7
#lock-memory=true
#user-authority-in-system-dir=false
#guest-account-script=guest-account
#logind-check-graphical=false
#log-directory=/var/log/lightdm
#run-directory=/var/run/lightdm
#cache-directory=/var/cache/lightdm
#sessions-directory=/usr/share/lightdm/sessions:/usr/share/xsessions:/usr/share/wayland-sessions
#remote-sessions-directory=/usr/share/lightdm/remote-sessions
#greeters-directory=/usr/share/lightdm/greeters:/usr/share/xgreeters
#backup-logs=true

#
# Seat configuration
#
# Seat configuration is matched against the seat name glob in the section, for example:
# [Seat:*] matches all seats and is applied first.
# [Seat:seat0] matches the seat named "seat0".
# [Seat:seat-thin-client*] matches all seats that have names that start with "seat-thin-client".
#
# type = Seat type (xlocal, xremote, unity)
# pam-service = PAM service to use for login
# pam-autologin-service = PAM service to use for autologin
# pam-greeter-service = PAM service to use for greeters
# xserver-command = X
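
Added example, not part of the thread and not lightdm code: a small audit that resolves the effective autologin settings for one seat from lightdm.conf text, using the [Seat:*] glob matching described in the attached config, and flags the combination from the report (autologin user plus a timeout). The function name, the thin-client override in the sample, and applying non-`*` sections in file order are assumptions of this example.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: the two [Seat:*] lines are the ones from the report;
# the thin-client override is hypothetical.
SAMPLE_CONF = """\
[LightDM]
#greeter-user=lightdm

[Seat:*]
autologin-user=okul
autologin-user-timeout=2

[Seat:seat-thin-client*]
autologin-user=
"""

def effective_autologin(conf_text, seat_name):
    """Resolve autologin settings for one seat and flag the reported setup."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(conf_text)
    seats = [s for s in parser.sections() if s.startswith("Seat:")]
    # [Seat:*] is applied first (per the lightdm.conf comments); applying the
    # other matching sections in file order is an assumption of this example.
    seats.sort(key=lambda s: s != "Seat:*")
    settings = {}
    for section in seats:
        if fnmatchcase(seat_name, section[len("Seat:"):]):
            settings.update(parser[section])
    user = settings.get("autologin-user", "").strip()
    timeout = int(settings.get("autologin-user-timeout", "0").strip() or 0)
    return {
        "seat": seat_name,
        "autologin_user": user or None,
        "timeout": timeout,
        # The report's scenario: a user is set and the greeter logs that user
        # in once the timeout expires, including after "Switch users".
        "matches_reported_setup": bool(user) and timeout > 0,
    }

if __name__ == "__main__":
    for seat in ("seat0", "seat-thin-client1"):
        print(effective_autologin(SAMPLE_CONF, seat))
```
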