FS#53958 - [gdm] Gnome lockscreen easily bypassed

Attached to Project: Arch Linux
Opened by Alphazo (alphazo) - Sunday, 07 May 2017, 08:34 GMT
Last edited by Toolybird (Toolybird) - Monday, 29 May 2023, 03:25 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Jan de Groot (JGC)
Jan Alexander Steffens (heftig)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

I felt bad when my 9 year old daughter unlocked my screen without knowing my password. All she had to do was to click on "Login as a different user" and she was on my desktop (I'm talking about the current running session, not a new one) without any further notice. Ouch!

Now this may be related to the unusual configuration that I'm using. Since I'm running full disk encryption I have enabled autologin in my GDM. I also had to revert back to Xorg (vs Wayland) because Guake F12 key would only work with an application window on the desktop (doesn't work with empty desktop). Lastly I couldn't revert back the trackpad direction (natural) that Wayland is forcing even using GUI or config files. Anyway, this configuration has worked for years and I believe I tried the "Login as a different user" before and it used to prompt me for a username.


So here is /etc/gdm/custom.conf

# GDM configuration storage

[daemon]
# Uncomment the line below to force the login screen to use Xorg
AutomaticLogin=alpha
AutomaticLoginEnable=True
WaylandEnable=false

[security]

[xdmcp]

[greeter]

[chooser]

[debug]
# Uncomment the line below to turn on debugging
#Enable=true

Closed by Toolybird (Toolybird)
Monday, 29 May 2023, 03:25 GMT
Reason for closing: No response
Additional comments about closing: Plus it's old and stale. If still an issue, please report upstream.
Comment by Alphazo (alphazo) - Sunday, 07 May 2017, 09:52 GMT
If I change AutomaticLoginEnable to False then I can no longer bypass the lockscreen.
I hope there is a way to turn it back on and avoid the bypass "feature".
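
An added example, not part of the report or of GDM: a Python check that reads a custom.conf like the one posted above and flags the automatic-login state in which the reporter saw the lock screen bypassed. The function name, the result keys and the case-insensitive boolean handling are assumptions of this example.

```python
import configparser

GDM_CONF = "/etc/gdm/custom.conf"  # path named in the report
TRUE_VALUES = {"true", "1"}        # assumption: matched case-insensitively ("True" took effect in the report)

# Constructed sample: the non-empty sections of the configuration posted in the report.
REPORTED_CONF = """\
# GDM configuration storage

[daemon]
AutomaticLogin=alpha
AutomaticLoginEnable=True
WaylandEnable=false

[debug]
#Enable=true
"""


def audit_gdm_autologin(conf_text):
    """Report whether a GDM custom.conf enables automatic login, and for which account."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(conf_text)

    daemon = parser["daemon"] if parser.has_section("daemon") else {}
    enabled = daemon.get("AutomaticLoginEnable", "false").strip().lower() in TRUE_VALUES
    user = daemon.get("AutomaticLogin", "").strip() or None
    return {
        "autologin_enabled": enabled,
        "user": user,
        # Flag only when both the switch and an account are set (assumption of this example).
        "lockscreen_at_risk": enabled and user is not None,
    }


if __name__ == "__main__":
    try:
        with open(GDM_CONF, encoding="utf-8") as fh:
            result = audit_gdm_autologin(fh.read())
    except FileNotFoundError:
        result = audit_gdm_autologin(REPORTED_CONF)  # fall back to the constructed sample
    print(result)
    if result["lockscreen_at_risk"]:
        print("Automatic login is on: the report describes the lock screen being "
              "bypassed in this state; AutomaticLoginEnable=False stopped it.")
```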
Comment by .. (aldi) - Monday, 15 May 2017, 23:48 GMT
Hi there Alphazo,

I have found a similar bug of bypassing the User Lock Screen on Manjaro Deepin Linux which is based on Arch Linux.
But before double-posting I would like to provide you with the link of my Issue and the reproduction steps of the Bug so you can tell if we are talking about the same thing.

https://github.com/linuxdeepin/developer-center/issues/286

Also if you happen to reproduce this bug by mistake and it is not related to the bug I disclosed on the Manjaro Deepin Linux community you can use the command dmesg to show the debug messages from the kernel and paste that information here so the community can understand more easily what the bug is and maybe to reproduce the same results as yours.

Best regards,
Aldi!
Comment by Doug Newgard (Scimmia) - Tuesday, 16 May 2017, 14:22 GMT
Sounds pretty normal for automatic login.
Comment by Alphazo (alphazo) - Tuesday, 16 May 2017, 14:43 GMT
@Aldi, I don't think my issue is related to the issue you are observing since I don't have to press Enter multiple times, just click on the link below the password box.

@Doug, I don't find that behavior normal since unlocking a screenlock sounds rather different than logging in as a different user. I have been using this setup for many years and unlocking the screen always used to require a password, and thus whatever link you are clicking on. I believe that this behavior has changed recently. To avoid misleading people, lockscreen should be either disabled completely, proper login/password should be enforced when clicking on "Login as a different user" or the link to "Login as a different user" disabled when using GDM's Automatic Login feature.
Comment by mattia (nTia89) - Sunday, 20 March 2022, 14:47 GMT
I cannot reproduce the issue. Is it still valid for you?
