
touch-packages team mailing list archive

[Bug 1413790] Re: It's possible to bypass lockscreen if user is in nopasswdlogin group.

 

** Changed in: unity (Ubuntu Trusty)
       Status: New => In Progress

** Changed in: unity (Ubuntu Trusty)
   Importance: Undecided => Medium

** Changed in: unity (Ubuntu Trusty)
     Assignee: (unassigned) => Stephen M. Webb (bregma)

** Description changed:

- Lightdm should not emit logind "unlock" signal when the user is not
- prompted for a password. This can lead to a security issue:
+ [IMPACT]
+ A user is presented with a password dialog even if a member of the nopasswdlogin group (and may not have a password).
  
- # Log-in (unity session).
- # Add the current user to nopasswdlogin group.
- # Lock the sessions.
- # Session indicator->Switch account...
- # "Login" in again.
+ [TEST CASE]
  
- Expected behavior:
- The lockscreen is still active.
+ (1) Create a test user.
+ (2) Add the test user to the nopasswdlogin group.
+ (3) Log in to a Unity session using that acocunt.
+ (4) Lock the screen.
+ (5) Attempt to unlock the screen:  no password prompt should be presented.
  
- Current behavior:
- The session in unlocked.
+ [REGRESSION POTENTIAL]
  
- We could workaround the issue directly in unity, but IMHO would be
- cleaner to avoid that lightdm is emitting the logind signal.
+ Conceivably allowing a login with no authentication could present
+ unexpected vulnerabilities in which unforseen code paths also exercise
+ this function.  Care has been taken by the developer to avoid such
+ cases.
+ 
+ [OTHER INFO]
+ 
+ The fix for Ubuntu 14.04 LTS was cherry picked from the Ubuntu "Vivid
+ Vervet" dev release where it has been in production use for some time
+ without apparent regression.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to unity in Ubuntu.
https://bugs.launchpad.net/bugs/1413790

Title:
  It's possible to bypass lockscreen if user is in nopasswdlogin group.

Status in Unity:
  Fix Released
Status in Unity 7.2 series:
  In Progress
Status in unity package in Ubuntu:
  Fix Released
Status in unity source package in Trusty:
  In Progress

Bug description:
  [IMPACT]
  A user is presented with a password dialog even if a member of the nopasswdlogin group (and may not have a password).

  [TEST CASE]

  (1) Create a test user.
  (2) Add the test user to the nopasswdlogin group.
  (3) Log in to a Unity session using that account.
  (4) Lock the screen.
  (5) Attempt to unlock the screen: no password prompt should be presented.

  [REGRESSION POTENTIAL]

  Conceivably allowing a login with no authentication could present
  unexpected vulnerabilities in which unforeseen code paths also exercise
  this function. Care has been taken by the developer to avoid such
  cases.

  [OTHER INFO]

  The fix for Ubuntu 14.04 LTS was cherry picked from the Ubuntu "Vivid
  Vervet" dev release where it has been in production use for some time
  without apparent regression.

To manage notifications about this bug go to:
https://bugs.launchpad.net/unity/+bug/1413790/+subscriptions
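The bug turns on one fact: on Ubuntu, membership in the nopasswdlogin group lets LightDM skip the password prompt, so any code path that reuses that decision (here, the unity lock screen) is only as safe as the group's membership. An administrator checking exposure on a fleet therefore wants to know who is in that group and whether those accounts have any password at all. The script below is an added example written for this page; it is not part of the bug report, unity or lightdm. It assumes the standard colon-separated /etc/group and /etc/shadow layouts (supplementary members in the fourth field of the group file, the password hash in the second field of the shadow file) and ships constructed sample files so it runs without root; point it at the real files to audit a live system.

```shell
#!/bin/sh
# Added example, not from bug 1413790 or the unity/lightdm projects.
# Lists every supplementary member of the nopasswdlogin group and classifies
# the account's shadow entry as:
#   empty   - password field is empty (no password at all)
#   locked  - hash starts with '!' or '*' (account cannot log in by password)
#   set     - a real hash is present
#   missing - the user has no shadow entry
# Assumes standard /etc/group and /etc/shadow field layouts.

# Usage: audit_nopasswdlogin GROUP_FILE SHADOW_FILE
# Prints one "user:state" line per member, in group-file order.
audit_nopasswdlogin() {
    group_file=$1
    shadow_file=$2
    # Fourth field of the nopasswdlogin line, one member per line.
    members=$(awk -F: '$1=="nopasswdlogin" {print $4}' "$group_file" | tr ',' '\n')
    for user in $members; do
        if ! grep -q "^$user:" "$shadow_file"; then
            state=missing
        else
            hash=$(awk -F: -v u="$user" '$1==u {print $2}' "$shadow_file")
            case "$hash" in
                "")        state=empty ;;
                "!"*|"*"*) state=locked ;;
                *)         state=set ;;
            esac
        fi
        printf '%s:%s\n' "$user" "$state"
    done
}

# Builds constructed sample group/shadow files in a temp dir and prints its path.
# "kiosk" is in nopasswdlogin with an empty password field; "alice" is in the
# group but has a hash; "root" is not a member and must not be reported.
make_samples() {
    dir=$(mktemp -d)
    printf 'root:x:0:\nnopasswdlogin:x:118:kiosk,alice\nalice:x:1000:\nkiosk:x:1001:\n' > "$dir/group"
    printf 'root:*:16800:0:99999:7:::\nkiosk::16800:0:99999:7:::\nalice:$6$saltsalt$fakehashforexample:16800:0:99999:7:::\n' > "$dir/shadow"
    echo "$dir"
}

# With two arguments audit the given files (the real /etc/shadow needs root);
# with none, run against the constructed samples.
if [ $# -eq 2 ]; then
    audit_nopasswdlogin "$1" "$2"
elif [ $# -eq 0 ]; then
    demo_dir=$(make_samples)
    audit_nopasswdlogin "$demo_dir/group" "$demo_dir/shadow"
    rm -r "$demo_dir"
fi
```

Any account reported as `empty` is one that can reach a Unity session, and with the unpatched lock screen reopen a locked session, without ever typing a password; that is the population the fix in this bug protects, and the one worth trimming to kiosk-style accounts only. Primary-group membership (a user whose passwd GID is nopasswdlogin's) is not stored in the group file's member field, so extend the awk over /etc/passwd if that configuration is possible on your systems.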