[Desktop-packages] [Bug 1413790] Re: It's possible to bypass lockscreen if user is in nopasswdlogin group.

This bug was fixed in the package unity - 7.2.4+14.04.20150316-0ubuntu1

---
unity (7.2.4+14.04.20150316-0ubuntu1) trusty; urgency=medium

  [ Andrea Azzarone ]
  * Avoid running potentially dangerous code paths when the screen is locked. (LP: #1410582)
  * Ungrab the shutdown dialog as soon as possible. (LP: #1398287)
  * Use COMPIZ_METAKEY where needed. (LP: #1363534)
  * disabled Pointer Barriers during lockscreen (LP: #1401911)
  * disabled markup for VolumeLauncherIcon quicklist menu items (LP: #1413411)
  * enable Dash, Hud, and session dialogs over full screen window (LP: #1159249, #860970, #1413773, #1404486)
  * made unity unlockable if user is in nopasswdlogin group (LP: #1413790)
  * skipped the animation of BGHash on startup to prevent unwanted fade-in (LP: #1241757)

  [ Luke Yelavich ]
  * extended accessible exploration of the Dash dynamic content (LP: #1066157)

  [ Marco Trevisan (Treviño) ]
  * MenuManager: make sure menus are always shown when mouse is over them or when the always-show-menus option is on (LP: #955193, #1390562, #1374942, #1312137)
  * PanelService: use gdbus to notify upstart of service start/stop (LP: #1302955)

 -- CI Train Bot  Mon, 16 Mar 2015 17:30:35 +

** Changed in: unity (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

--
You received this bug notification because you are a member of Desktop Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dp-unity
https://bugs.launchpad.net/bugs/1413790

Title:
  It's possible to bypass lockscreen if user is in nopasswdlogin group.

Status in Unity: Fix Released
Status in Unity 7.2 series: In Progress
Status in unity package in Ubuntu: Fix Released
Status in unity source package in Trusty: Fix Released

Bug description:

  [IMPACT]
  A user is presented with a password dialog even if a member of the nopasswdlogin group (and may not have a password).

  [TEST CASE]
  (1) Create a test user.
  (2) Add the test user to the nopasswdlogin group.
  (3) Log in to a Unity session using that account.
  (4) Lock the screen.
  (5) Attempt to unlock the screen: no password prompt should be presented.

  [REGRESSION POTENTIAL]
  Conceivably allowing a login with no authentication could present unexpected vulnerabilities in which unforeseen code paths also exercise this function. Care has been taken by the developer to avoid such cases.

  [OTHER INFO]
  The fix for Ubuntu 14.04 LTS was cherry picked from the Ubuntu "Vivid Vervet" dev release where it has been in production use for some time without apparent regression.

To manage notifications about this bug go to:
https://bugs.launchpad.net/unity/+bug/1413790/+subscriptions

--
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
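
Added example, not part of the bug report or of the Unity code: with this fix the lock screen stops asking members of nopasswdlogin for a password, so an administrator may want to list exactly which accounts that covers on a host. The script assumes standard group(5) and passwd(5) files; the function names nopasswd_members and sample_run and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# List accounts that belong to the nopasswdlogin group, either as listed
# members in the group file or through their primary GID in the passwd file.
# Usage: nopasswd_members [GROUP_FILE] [PASSWD_FILE]
nopasswd_members() {
    group_file=${1:-/etc/group}
    passwd_file=${2:-/etc/passwd}
    awk -F: -v grp=nopasswdlogin '
        # Pass 1, group(5): name:passwd:gid:member,member,...
        pass == 1 {
            if ($1 == grp) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1
            }
            next
        }
        # Pass 2, passwd(5): name:passwd:uid:gid:...
        # An account whose primary GID is the group is a member as well.
        gid != "" && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) print u }
    ' pass=1 "$group_file" pass=2 "$passwd_file" | sort
}

# Constructed sample data: two listed members plus one account ("demo")
# that is in the group only through its primary GID.
sample_run() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'sudo:x:27:alice' \
        'nopasswdlogin:x:126:kiosk,guest1' > "$d/group"
    printf '%s\n' 'alice:x:1000:1000::/home/alice:/bin/bash' \
        'kiosk:x:1001:1001::/home/kiosk:/bin/bash' \
        'guest1:x:1002:1002::/home/guest1:/bin/bash' \
        'demo:x:1003:126::/home/demo:/bin/bash' > "$d/passwd"
    nopasswd_members "$d/group" "$d/passwd"
    rm -rf "$d"
}

sample_run
```

Called with no arguments, nopasswd_members reads /etc/group and /etc/passwd on the local machine.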

[Desktop-packages] [Bug 1413790] Re: It's possible to bypass lockscreen if user is in nopasswdlogin group.

** Also affects: unity/7.2
   Importance: Undecided
   Status: New

** Changed in: unity/7.2
   Milestone: None => 7.2.5

** Changed in: unity/7.2
   Status: New => In Progress

** Changed in: unity/7.2
   Importance: Undecided => Medium

** Changed in: unity
   Importance: Undecided => Medium

** Changed in: unity/7.2
   Assignee: (unassigned) => Stephen M. Webb (bregma)

** Changed in: unity (Ubuntu)
   Importance: Undecided => Medium

Status in Unity: Fix Released
Status in Unity 7.2 series: In Progress
Status in unity package in Ubuntu: Fix Released

Bug description:

  Lightdm should not emit logind "unlock" signal when the user is not prompted for a password. This can lead to a security issue:

  # Log-in (unity session).
  # Add the current user to nopasswdlogin group.
  # Lock the sessions.
  # Session indicator->Switch account...
  # "Login" in again.

  Expected behavior:
  The lockscreen is still active.

  Current behavior:
  The session is unlocked.

  We could work around the issue directly in unity, but IMHO would be cleaner to avoid that lightdm is emitting the logind signal.

[Desktop-packages] [Bug 1413790] Re: It's possible to bypass lockscreen if user is in nopasswdlogin group.

** Changed in: unity
   Status: Fix Committed => Fix Released

Status in Unity: Fix Released
Status in unity package in Ubuntu: Fix Released

[Desktop-packages] [Bug 1413790] Re: It's possible to bypass lockscreen if user is in nopasswdlogin group.

This bug was fixed in the package unity - 7.3.1+15.04.20150126-0ubuntu1

---
unity (7.3.1+15.04.20150126-0ubuntu1) vivid; urgency=low

  [ Andrea Azzarone ]
  * Force icon size (new gtk requires it). (LP: #1404730)
  * Disable markup accel for VolumeLauncherIcon quicklist menu items. (LP: #1413411)
  * Make sure dragged icons are not rendered behind the dash. (LP: #1413773)
  * Make unity unlockable if user is in nopasswdlogin group. On super+l the screensaver is activated. (LP: #1413790)

 -- Ubuntu daily release  Mon, 26 Jan 2015 22:42:26 +

** Changed in: unity (Ubuntu)
   Status: In Progress => Fix Released

Status in Unity: In Progress
Status in unity package in Ubuntu: Fix Released

[Desktop-packages] [Bug 1413790] Re: It's possible to bypass lockscreen if user is in nopasswdlogin group.

** No longer affects: lightdm (Ubuntu)

** No longer affects: lightdm

Status in Unity: In Progress
Status in unity package in Ubuntu: In Progress

[Desktop-packages] [Bug 1413790] Re: It's possible to bypass lockscreen if user is in nopasswdlogin group.

** Changed in: lightdm (Ubuntu)
   Status: New => Invalid

** Changed in: lightdm
   Status: New => Invalid

Status in Light Display Manager: Invalid
Status in Unity: In Progress
Status in lightdm package in Ubuntu: Invalid
Status in unity package in Ubuntu: In Progress

[Desktop-packages] [Bug 1413790] Re: It's possible to bypass lockscreen if user is in nopasswdlogin group.

In fact, the User Accounts applet in the Settings allows creating a user with no password by putting it in the nopasswdlogin group, but as soon as the screen lock comes up, the user is unable to unlock the screen. So the screen lock definitely needs to honour the nopasswdlogin group, and this is a bug with no real security implications.

** Information type changed from Private Security to Public

Status in Light Display Manager: New
Status in Unity: In Progress
Status in lightdm package in Ubuntu: New
Status in unity package in Ubuntu: In Progress