
dx-packages team mailing list archive

[Bug 1291547] [NEW] Locking the screen doesn't really lock under certain circumstances

 

Public bug reported:

When the screen is locked while an action causes a window to gain focus,
it allows full keyboard interaction with the locked session. I was able
to trigger this behaviour doing one of the following:

* Changing to a desktop with at least one window on it and, without releasing Ctrl+Alt, pressing L to lock the screen
* While dragging a window, lock the screen using the keyboard shortcut
* While Alt+Tab-ing, lock the screen without releasing the Alt key

In all cases, a window can gain focus after the screen was locked and all keyboard input goes to that window. Also, the window switcher remains fully functional and even shows the window previews like it would normally. It's even possible to open applications using keyboard shortcuts, for example a terminal.
To enter the password and unlock the session, the password field needs to be focused by opening and closing an indicator in the lockscreen and then clicking the password field.

While most of these actions aren't something a normal user would do,
they clearly show that the new lockscreen is far less secure than the
old one. The first trigger action is even something I've done in the
past during normal use, switching to a desktop and then locking the
session, so I would say there is at least a small "real" security risk
in this.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: unity 7.1.2+14.04.20140311-0ubuntu1
ProcVersionSignature: Ubuntu 3.13.0-17.37-generic 3.13.6
Uname: Linux 3.13.0-17-generic x86_64
ApportVersion: 2.13.3-0ubuntu1
Architecture: amd64
CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
CurrentDesktop: Unity
Date: Wed Mar 12 18:36:09 2014
InstallationDate: Installed on 2014-02-24 (16 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140223)
SourcePackage: unity
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: unity (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug lockscreen trusty

-- 
You received this bug notification because you are a member of DX
Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1291547

Title:
  Locking the screen doesn't really lock under certain circumstances

Status in “unity” package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1291547/+subscriptions

