Wingpanel

switchboard and firefox available from lock screen

Bug #1502918 reported by Sam Thomas on 2015-10-05

282

This bug affects 6 people

	Status	Importance	Assigned to	Milestone
Wingpanel	Fix Released	Critical	Djax	Wingpanel 0.4
Wingpanel Bluetooth Indicator	Fix Released	Critical	Mike Seese	Wingpanel Bluetooth Indicator 2.0
Wingpanel Network Indicator	Fix Released	Critical	Unassigned	Wingpanel Network Indicator 2.0
Wingpanel Power Indicator	Fix Released	Critical	Felipe Escoto	Wingpanel Power Indicator 2.0

Bug Description

It is possible to open both switchboard and firefox from the lock screen using the new indicators. In order to do this, open the network indicator, and click "Network Settings...". This will open a switchboard panel to the network settings. Go back and then go to the "About" plug. Then click on the "Website" link. This opened firefox for me. I don't know why it chose firefox because I have other browsers installed and firefox is not set to the default browser. It is impossible to type in this window so it would be hard to do much, but I am going to mark this as a security vulnerability.

Related branches

lp://staging/~philip.scott/wingpanel-indicator-power/hide-settings-in-greeter

Merged into lp://staging/~wingpanel-devs/wingpanel-indicator-power/trunk at revision 127

WingPanel Devs: Pending requested 2016-02-10

lp://staging/~seesemichaelj/wingpanel-indicator-bluetooth/bluetooth-switchboard-access-from-lock

Merged into lp://staging/~wingpanel-devs/wingpanel-indicator-bluetooth/trunk at revision 26

Adam Bieńkowski (community): Approve (code) on 2016-02-12

Danielle Foré (danrabbit) on 2015-10-22

information type:	Public → Public Security
Changed in pantheon-greeter:
milestone:	none → loki-beta1

Revision history for this message

Sam Thomas (sgpthomas) wrote on 2015-10-24:

I played around with the bug a little more and it's more serious than I thought. By opening a private window, I was able to type. By typing 'file://' I was able to get access to the entire file system and was able to launch applications from here. I was able to launch scratch and libreoffice. It only gives you the option to open files with the default application and it doesn't look like the Lightdm user has permissions to open files containing password information such as /etc/shadow.

Revision history for this message

Danielle Foré (danrabbit) wrote on 2015-10-24:

I can confirm that you can access a browser with this method from the network and power indicators.

It looks like the greeter user has full read access to other users' files. This means that (for example) I can go look at other users' pictures from the lock screen. That's a huge privacy flaw.

In addition to removing the ability to get to a browser in this way, we probably need to look into sandboxing the greeter user much better. Make sure it can't read other users' files, make sure it can't launch any unnecessary apps, etc.

Changed in wingpanel-indicator-network:
status:	New → Confirmed
Changed in wingpanel-indicator-power:
status:	New → Confirmed
milestone:	none → loki-beta1
Changed in wingpanel-indicator-network:
milestone:	none → loki-beta1
importance:	Undecided → Critical
Changed in wingpanel-indicator-power:
importance:	Undecided → Critical
Changed in elementaryos:
status:	New → Confirmed
importance:	Undecided → Critical
milestone:	none → loki-beta1

Fabian Thoma (fabianthoma) on 2015-10-25

Changed in pantheon-greeter:
status:	New → Confirmed
importance:	Undecided → Critical

xapantu (xapantu) on 2015-11-03

Changed in wingpanel-indicator-network:
status:	Confirmed → Fix Committed

Danielle Foré (danrabbit) on 2015-11-03

Changed in wingpanel-indicator-network:
milestone:	loki-beta1 → loki-alpha1

Cody Garver (codygarver) on 2016-02-10

Changed in wingpanel-indicator-power:
assignee:	nobody → Felipe Escoto (philip.scott)
milestone:	loki-beta1 → loki-alpha1
status:	Confirmed → Fix Committed

Cody Garver (codygarver) on 2016-02-10

affects:	pantheon-greeter → wingpanel
Changed in wingpanel:
milestone:	loki-beta1 → none
assignee:	nobody → Djax (parnold-x)
milestone:	none → loki-alpha1
status:	Confirmed → Fix Committed

Cody Garver (codygarver) on 2016-02-10

Changed in wingpanel-indicator-bluetooth:
importance:	Undecided → Critical
milestone:	none → loki-beta1
status:	New → Confirmed

Cody Garver (codygarver) on 2016-02-11

no longer affects:

elementaryos

Mike Seese (seesemichaelj) on 2016-02-12

Changed in wingpanel-indicator-bluetooth:
assignee:	nobody → Mike Seese (seesemichaelj)

Cody Garver (codygarver) on 2016-02-12

Changed in wingpanel-indicator-bluetooth:
status:	Confirmed → In Progress

Felipe Escoto (philip.scott) on 2016-02-15

Changed in wingpanel-indicator-bluetooth:
status:	In Progress → Fix Committed

Cody Garver (codygarver) on 2016-02-15

Changed in wingpanel-indicator-bluetooth:
milestone:	loki-beta1 → loki-alpha1

Danielle Foré (danrabbit) on 2016-06-13

Changed in wingpanel:
status:	Fix Committed → Fix Released

Cody Garver (codygarver) on 2016-08-14

Changed in wingpanel-indicator-bluetooth:
milestone:	loki-alpha1 → 2.0
status:	Fix Committed → Fix Released

Cody Garver (codygarver) on 2016-08-14

Changed in wingpanel-indicator-network:
status:	Fix Committed → Fix Released

Cody Garver (codygarver) on 2016-08-14

Changed in wingpanel-indicator-power:
status:	Fix Committed → Fix Released

Report a bug

This report contains Public Security information

Everyone can see this security related information.

Duplicates of this bug

Bug #1524117

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.