FS#53958 - [gdm] Gnome lockscreen easily bypassed
Attached to Project:
Arch Linux
Opened by Alphazo (alphazo) - Sunday, 07 May 2017, 08:34 GMT
Last edited by Toolybird (Toolybird) - Monday, 29 May 2023, 03:25 GMT
Details
I felt bad when my 9 year old daughter unlocked my screen
without knowing my password. All she had to do was to click
on "Login as a different user" and she was on my desktop
(I'm talking about the current running session, not a new
one) without any further notice. Ouch!
Now this may be related to the unusual configuration that I'm using. Since I'm running full disk encryption I have enabled autologin in my GDM. I also had to revert back to Xorg (vs Wayland) because Guake F12 key would only work with an application window on the desktop (doesn't work with empty desktop). Lastly I couldn't revert back the trackpad direction (natural) that Wayland is forcing even using GUI or config files. Anyway, this configuration has worked for years and I believe I tried the "Login as a different user" before and it used to prompt me for a username.
So here is /etc/gdm/custom.conf

    # GDM configuration storage
    [daemon]
    # Uncomment the line below to force the login screen to use Xorg
    AutomaticLogin=alpha
    AutomaticLoginEnable=True
    WaylandEnable=false
    [security]
    [xdmcp]
    [greeter]
    [chooser]
    [debug]
    # Uncomment the line below to turn on debugging
    #Enable=true
Closed by Toolybird (Toolybird)
Monday, 29 May 2023, 03:25 GMT
Reason for closing: No response
Additional comments about closing: Plus it's old and stale. If still an issue, please report upstream.
I hope there is a way to turn it back on and avoid the bypass "feature".
I have found a similar bug of bypassing the User Lock Screen on Manjaro Deepin Linux, which is based on Arch Linux.
But before double-posting I would like to provide you with the link to my issue and the reproduction steps of the bug so you can tell if we are talking about the same thing.
https://github.com/linuxdeepin/developer-center/issues/286
Also if you happen to reproduce this bug by mistake and it is not related to the bug I disclosed on the Manjaro Deepin Linux community you can use the command dmesg to show the debug messages from the kernel and paste that information here so the community can understand more easily what the bug is and maybe to reproduce the same results as yours.
Best regards,
Aldi!
@Doug, I don't find that behavior normal since unlocking a screenlock sounds rather different than logging in as a different user. I have been using this setup for many years and unlocking the screen always used to require a password, and thus whatever link you are clicking on. I believe that this behavior has changed recently. To avoid misleading people, lockscreen should be either disabled completely, proper login/password should be enforced when clicking on "Login as a different user" or the link to "Login as a different user" disabled when using GDM's Automatic Login feature.
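A defender-side check for the configuration quoted in this report, as an added example that is not from the reporter or the GDM project: it parses a custom.conf and reports whether GDM opens a session without a password and whether Xorg is forced. The function name, the result keys, the TimedLogin check (which goes beyond the reported case) and the treatment of True/true/1 as "enabled" are assumptions of this example.

```python
import configparser
import sys

# Constructed sample mirroring the /etc/gdm/custom.conf quoted in the report.
SAMPLE_CONF = """\
# GDM configuration storage
[daemon]
AutomaticLogin=alpha
AutomaticLoginEnable=True
WaylandEnable=false
[security]
[xdmcp]
[greeter]
[chooser]
[debug]
#Enable=true
"""

def _enabled(section, key):
    # Assumption: GDM treats True/true/1 as enabled, anything else as disabled.
    return section.get(key, "").strip().lower() in ("true", "1")

def audit_gdm_conf(text):
    """Summarise the passwordless-login settings in a custom.conf body."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written in the file
    parser.read_string(text)
    daemon = parser["daemon"] if parser.has_section("daemon") else {}
    result = {"autologin_user": None, "timed_login_user": None,
              "xorg_forced": False}
    # A user is only reported when the feature is enabled AND a name is set.
    if _enabled(daemon, "AutomaticLoginEnable"):
        result["autologin_user"] = daemon.get("AutomaticLogin") or None
    if _enabled(daemon, "TimedLoginEnable"):
        result["timed_login_user"] = daemon.get("TimedLogin") or None
    # WaylandEnable=false is the setting the reporter used to fall back to Xorg.
    wayland = daemon.get("WaylandEnable", "").strip().lower()
    result["xorg_forced"] = wayland in ("false", "0")
    return result

if __name__ == "__main__":
    # With a path argument, audit that file; otherwise audit the sample.
    body = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    report = audit_gdm_conf(body)
    for key, value in report.items():
        print(f"{key}: {value}")
    # Non-zero exit when any passwordless login is configured.
    sys.exit(1 if report["autologin_user"] or report["timed_login_user"] else 0)
```

Run it with `/etc/gdm/custom.conf` as the argument on a machine where the lock screen is expected to be a real boundary; a non-zero exit means a session is configured to start without a password.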