In fact, the User Accounts applet in the Settings allows creating a user with no password by putting it in the nopasswdlogin group, but as soon as the screen lock comes up, the user is unable to unlock the screen.
So the screen lock definitely needs to honour the nopasswdlogin group, and this is a bug with no real security implications. ** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to unity in Ubuntu. https://bugs.launchpad.net/bugs/1413790 Title: It's possible to bypasss lockscreen if user is in nopasswdlogin group. Status in Light Display Manager: New Status in Unity: In Progress Status in lightdm package in Ubuntu: New Status in unity package in Ubuntu: In Progress Bug description: Lightdm should not emit logind "unlock" signal when the user is not prompted for a password. This can lead to a security issue: # Log-in (unity session). # Add the current user to nopasswdlogin group. # Lock the sessions. # Session indicator->Switch account... # "Login" in again. Expected behavior: The lockscreen is still active. Current behavior: The session in unlocked. We could workaround the issue directly in unity, but IMHO would be cleaner to avoid that lightdm is emitting the logind signal. To manage notifications about this bug go to: https://bugs.launchpad.net/lightdm/+bug/1413790/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp