desktop-packages team mailing list archive
-
desktop-packages team
-
Mailing list archive
-
Message #113121
[Bug 1413790] Re: It's possible to bypasss lockscreen if user is in nopasswdlogin group.
This bug was fixed in the package unity - 7.2.4+14.04.20150316-0ubuntu1
---------------
unity (7.2.4+14.04.20150316-0ubuntu1) trusty; urgency=medium
[ Andrea Azzarone ]
* Avoid running potentially dangerous code paths when the screen is
locked. (LP: #1410582)
* Ungrab the shoutdown dialog as soon as possible. (LP: #1398287)
* Use COMPIZ_METAKEY where needed. (LP: #1363534)
* disabled Pointer Barriers during lockscreen (LP: #1401911)
* disabled markup for VolumeLauncherIcon quicklist menu items (LP:
#1413411)
* enable Dash, Hud, and session dialogs over full screen window (LP:
#1159249, #860970, #1413773, #1404486)
* made unity unlockable if user is in nopsswdlogin group (LP:
#1413790)
* skipped the animation of BGHash on startup to prevent unwanted fade-
in (LP: #1241757)
[ Luke Yelavich ]
* extended accessible exploration of the Dash dynamic content (LP:
#1066157)
[ Marco Trevisan (Treviño) ]
* MenuManager: make sure menus are always shown when mouse is over
them or when the always-show-menus option is on (LP: #955193,
#1390562, #1374942, #1312137)
* PanelService: use gdbus to notfy upstart of service start/stop (LP:
#1302955)
-- CI Train Bot <ci-train-bot@xxxxxxxxxxxxx> Mon, 16 Mar 2015 17:30:35 +0000
** Changed in: unity (Ubuntu Trusty)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dp-unity
https://bugs.launchpad.net/bugs/1413790
Title:
It's possible to bypasss lockscreen if user is in nopasswdlogin group.
Status in Unity:
Fix Released
Status in Unity 7.2 series:
In Progress
Status in unity package in Ubuntu:
Fix Released
Status in unity source package in Trusty:
Fix Released
Bug description:
[IMPACT]
A user is presented with a password dialog even if a member of the nopasswdlogin group (and may not have a password).
[TEST CASE]
(1) Create a test user.
(2) Add the test user to the nopasswdlogin group.
(3) Log in to a Unity session using that acocunt.
(4) Lock the screen.
(5) Attempt to unlock the screen: no password prompt should be presented.
[REGRESSION POTENTIAL]
Conceivably allowing a login with no authentication could present
unexpected vulnerabilities in which unforseen code paths also exercise
this function. Care has been taken by the developer to avoid such
cases.
[OTHER INFO]
The fix for Ubuntu 14.04 LTS was cherry picked from the Ubuntu "Vivid
Vervet" dev release where it has been in production use for some time
without apparent regression.
To manage notifications about this bug go to:
https://bugs.launchpad.net/unity/+bug/1413790/+subscriptions