Switching back to a user account needs no password

Bug #89219 reported by Manuel Hermann
Affects | Status | Importance | Assigned to | Milestone
gdm (Ubuntu) | Fix Released | Medium | Unassigned |

Bug Description

You can switch back to a logged-in user account without entering the password if the user logged off using switch user.

Reproducible on 6.10:
1. Log in to a user account using GDM
2. Log out via switch user
3. Back in GDM hit <ctrl><alt><backspace> and you're in

This seems to work only once: You cannot switch the user, hit <ctrl><alt><backspace>, switch the user and hit the three keys again. Then you are asked for the password. To work again you have to log out and log in again.

Slobodan D. Sredojevic (sredojevics) wrote :

Can you add "User Switcher" - "A menu to quickly switch between users" applet to your panel, then right click on it and select "Preferences" and see if "Lock the screen after switching users" is on?

Manuel Hermann (hermann-scan-plus) wrote : Re: [Bug 89219] Re: Switching back to a user account needs no password

On Friday, 02.03.2007, at 14:55 +0000, Slobodan D. Sredojevic wrote:
> Can you add "User Switcher" - "A menu to quickly switch between users"
> applet to your panel, then right click on it and select "Preferences"
> and see if "Lock the screen after switching users" is on?

Yes, this option is on.

Sebastien Bacher (seb128) wrote :

Do you have gnome-screensaver running?

Christof Krüger (christofkr) wrote :

I can reproduce it with current feisty without having the fast-user-switch applet installed.

It works the first time only and leaves my session completely unlocked even though gnome-screensaver is running.

I would consider it a quite serious security problem. Imagine you make a break for shopping and let your small 12yo brother log in to his restricted account. Smart as your brother is, he switches VCs and does whatever he wants with your data. Replace "brother" with "coworker", "wife" or "guinea pig" at will.

Changed in gdm:
status: Unconfirmed → Confirmed

Christof Krüger (christofkr) wrote :

Sorry for the bugspam....

I looked around a bit and found out that indeed gnome-screensaver did not run *yet*. After login, it took more than half a minute until gnome-screensaver actually started. Gnome-panel has already fully loaded at this time. So the problem still exists, however it seems not to be _that_ critical any more.

But the use case remains:

In the morning, Christof starts his computer and logs in. He launches some programs using the launchers on the gnome-panel which already loaded. His girlfriend -- bringing freshly brewed coffee -- wants to check her mail. Christof agrees (the coffee is all he focuses on at the moment) and clicks on "switch user". Unfortunately, gnome-screensaver was even sleepier than Christof was (delayed further by the increased load resulting from starting multiple applications) and did not start up yet. Now, Christof's session idles around, fully unprotected. Fortunately, this story has a happy end: Christof's girlfriend does not know how to switch consoles or to kill the x-server.

The above example is not too uncommon because it already happened to me several times. This is the reason I've searched for the bug report in the first place.

Just for the record: My PC is an Athlon XP running at 1.7GHz with 1024MB RAM available.

Sebastien Bacher (seb128) wrote :

That should be fixed in gutsy with consolekit; closing the bug. Feel free to reopen if you still get the issue, though.

Changed in gdm:
importance: Undecided → Medium
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.