← Back to team overview

desktop-packages team mailing list archive

[Bug 1413790] Re: It's possible to bypasss lockscreen if user is in nopasswdlogin group.

 

In fact, the User Accounts applet in the Settings allows creating a user
with no password by putting it in the nopasswdlogin group, but as soon
as the screen lock comes up, the user is unable to unlock the screen.

So the screen lock definitely needs to honour the nopasswdlogin group,
and this is a bug with no real security implications.

** Information type changed from Private Security to Public

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1413790

Title:
  It's possible to bypasss lockscreen if user is in nopasswdlogin group.

Status in Light Display Manager:
  New
Status in Unity:
  In Progress
Status in lightdm package in Ubuntu:
  New
Status in unity package in Ubuntu:
  In Progress

Bug description:
  Lightdm should not emit logind "unlock" signal when the user is not
  prompted for a password. This can lead to a security issue:

  # Log-in (unity session).
  # Add the current user to nopasswdlogin group.
  # Lock the sessions.
  # Session indicator->Switch account...
  # "Login" in again.

  Expected behavior:
  The lockscreen is still active.

  Current behavior:
  The session in unlocked.

  We could workaround the issue directly in unity, but IMHO would be
  cleaner to avoid that lightdm is emitting the logind signal.

To manage notifications about this bug go to:
https://bugs.launchpad.net/lightdm/+bug/1413790/+subscriptions