dx-packages team mailing list archive
Message #10670
[Bug 1291547] [NEW] Locking the screen doesn't really lock under certain circumstances
Public bug reported:
When the screen is locked while an action causes a window to gain focus,
it allows full keyboard interaction with the locked session. I was able
to trigger this behaviour doing one of the following:
* Changing to a desktop with at least one window on it and, without releasing Ctrl+Alt, pressing L to lock the screen
* While dragging a window, lock the screen using the keyboard shortcut
* While Alt+Tab-ing, lock the screen without releasing the Alt key
In all cases, a window can gain focus after the screen was locked and all keyboard input goes to that window. Also, the window switcher remains fully functional and even shows the window previews like it would normally. It's even possible to open applications using keyboard shortcuts, for example a terminal.
To enter the password and unlock the session, the password field needs to be focused by opening and closing an indicator in the lockscreen and then clicking the password field.
While most of these actions aren't something a normal user would do,
they clearly show that the new lockscreen is far less secure than the
old one. The first trigger action is even something I've done in the
past during normal use, switching to a desktop and then locking the
session, so I would say there is at least a small "real" security risk
in this.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: unity 7.1.2+14.04.20140311-0ubuntu1
ProcVersionSignature: Ubuntu 3.13.0-17.37-generic 3.13.6
Uname: Linux 3.13.0-17-generic x86_64
ApportVersion: 2.13.3-0ubuntu1
Architecture: amd64
CompizPlugins: No value set for `/apps/compiz-1/general/screen0/options/active_plugins'
CurrentDesktop: Unity
Date: Wed Mar 12 18:36:09 2014
InstallationDate: Installed on 2014-02-24 (16 days ago)
InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Alpha amd64 (20140223)
SourcePackage: unity
UpgradeStatus: No upgrade log present (probably fresh install)
** Affects: unity (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug lockscreen trusty
--
You received this bug notification because you are a member of DX
Packages, which is subscribed to unity in Ubuntu.
Matching subscriptions: dx-packages
https://bugs.launchpad.net/bugs/1291547
Title:
Locking the screen doesn't really lock under certain circumstances
Status in “unity” package in Ubuntu:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1291547/+subscriptions