2015-01-22 23:01:21 |
Andrea Azzarone |
bug |
|
|
added bug |
2015-01-22 23:01:35 |
Andrea Azzarone |
bug task added |
|
unity (Ubuntu) |
|
2015-01-22 23:01:46 |
Andrea Azzarone |
bug task deleted |
unity (Ubuntu) |
|
|
2015-01-22 23:02:00 |
Andrea Azzarone |
bug task added |
|
lightdm (Ubuntu) |
|
2015-01-22 23:03:44 |
Andrea Azzarone |
description |
Lightdm should not emit logind "unlock" signal when the user is not prompted for a password. This can lead to a security issue:
# Log-in (unity session).
# Add the current user to nopasswdlogin group.
# Lock the sessions.
# Session indicator->Switch account...
# "Login" in again.
Expected behavior:
The lockscreen is still active.
Current behavior:
The session is unlocked.
We could work around the issue directly in unity, but IMHO would be cleaner to avoid that lightdm is emitting the logind signal. |
Lightdm should not emit logind "unlock" signal when the user is not prompted for a password. This can lead to a security issue:
# Log-in (unity session).
# Add the current user to nopasswdlogin group.
# Lock the sessions.
# Session indicator->Switch account...
# "Login" in again.
Expected behavior:
The lockscreen is still active.
Current behavior:
The session is unlocked.
We could workaround the issue directly in unity, but IMHO would be cleaner to avoid that lightdm is emitting the logind signal. |
|
2015-01-22 23:17:23 |
Andrea Azzarone |
bug task added |
|
gnome-session (Ubuntu) |
|
2015-01-22 23:18:41 |
Andrea Azzarone |
bug task added |
|
unity |
|
2015-01-23 10:14:49 |
Andrea Azzarone |
summary |
Lightdm should not emit logind "unlock" signal when the user is in nopasswdlogin group. |
It's possible to bypass lockscreen if user is in nopasswdlogin group. |
|
2015-01-23 10:18:58 |
Launchpad Janitor |
branch linked |
|
lp:~andyrock/unity/lp-1413790 |
|
2015-01-23 10:24:10 |
Andrea Azzarone |
bug task added |
|
unity (Ubuntu) |
|
2015-01-23 10:24:17 |
Andrea Azzarone |
bug task deleted |
gnome-session (Ubuntu) |
|
|
2015-01-23 10:24:23 |
Andrea Azzarone |
unity: milestone |
|
7.3.1 |
|
2015-01-23 10:24:27 |
Andrea Azzarone |
unity: assignee |
|
Andrea Azzarone (andyrock) |
|
2015-01-23 10:24:30 |
Andrea Azzarone |
unity (Ubuntu): assignee |
|
Andrea Azzarone (andyrock) |
|
2015-01-23 10:24:35 |
Andrea Azzarone |
unity: status |
New |
In Progress |
|
2015-01-23 10:24:38 |
Andrea Azzarone |
unity (Ubuntu): status |
New |
In Progress |
|
2015-01-23 12:48:41 |
Marc Deslauriers |
information type |
Private Security |
Public |
|
2015-01-23 15:56:23 |
Andrea Azzarone |
lightdm (Ubuntu): status |
New |
Invalid |
|
2015-01-23 15:56:31 |
Andrea Azzarone |
lightdm: status |
New |
Invalid |
|
2015-01-27 02:31:54 |
Robert Ancell |
bug task deleted |
lightdm (Ubuntu) |
|
|
2015-01-27 02:32:01 |
Robert Ancell |
bug task deleted |
lightdm |
|
|
2015-01-28 19:51:55 |
Launchpad Janitor |
unity (Ubuntu): status |
In Progress |
Fix Released |
|
2015-01-28 23:26:52 |
Andrea Azzarone |
unity: status |
In Progress |
Fix Committed |
|
2015-02-11 16:17:00 |
Stephen M. Webb |
unity: status |
Fix Committed |
Fix Released |
|
2015-03-11 19:14:26 |
Stephen M. Webb |
nominated for series |
|
unity/7.2 |
|
2015-03-11 19:14:26 |
Stephen M. Webb |
bug task added |
|
unity/7.2 |
|
2015-03-11 19:14:37 |
Stephen M. Webb |
unity/7.2: milestone |
|
7.2.5 |
|
2015-03-11 19:19:00 |
Stephen M. Webb |
unity/7.2: status |
New |
In Progress |
|
2015-03-11 19:19:03 |
Stephen M. Webb |
unity/7.2: importance |
Undecided |
Medium |
|
2015-03-11 19:19:05 |
Stephen M. Webb |
unity: importance |
Undecided |
Medium |
|
2015-03-11 19:19:07 |
Stephen M. Webb |
unity/7.2: assignee |
|
Stephen M. Webb (bregma) |
|
2015-03-11 19:19:09 |
Stephen M. Webb |
unity (Ubuntu): importance |
Undecided |
Medium |
|
2015-03-11 19:19:34 |
Stephen M. Webb |
nominated for series |
|
Ubuntu Trusty |
|
2015-03-11 19:21:22 |
Launchpad Janitor |
branch linked |
|
lp:~bregma/unity/lp-1413790-trusty |
|
2015-03-18 02:14:21 |
Stephen M. Webb |
unity (Ubuntu Trusty): status |
New |
In Progress |
|
2015-03-18 02:14:29 |
Stephen M. Webb |
unity (Ubuntu Trusty): importance |
Undecided |
Medium |
|
2015-03-18 02:14:32 |
Stephen M. Webb |
unity (Ubuntu Trusty): assignee |
|
Stephen M. Webb (bregma) |
|
2015-03-18 02:19:14 |
Stephen M. Webb |
description |
Lightdm should not emit logind "unlock" signal when the user is not prompted for a password. This can lead to a security issue:
# Log-in (unity session).
# Add the current user to nopasswdlogin group.
# Lock the sessions.
# Session indicator->Switch account...
# "Login" in again.
Expected behavior:
The lockscreen is still active.
Current behavior:
The session is unlocked.
We could workaround the issue directly in unity, but IMHO would be cleaner to avoid that lightdm is emitting the logind signal. |
[IMPACT]
A user is presented with a password dialog even if a member of the nopasswdlogin group (and may not have a password).
[TEST CASE]
(1) Create a test user.
(2) Add the test user to the nopasswdlogin group.
(3) Log in to a Unity session using that account.
(4) Lock the screen.
(5) Attempt to unlock the screen: no password prompt should be presented.
[REGRESSION POTENTIAL]
Conceivably allowing a login with no authentication could present unexpected vulnerabilities in which unforeseen code paths also exercise this function. Care has been taken by the developer to avoid such cases.
[OTHER INFO]
The fix for Ubuntu 14.04 LTS was cherry picked from the Ubuntu "Vivid Vervet" dev release where it has been in production use for some time without apparent regression. |
|
2015-03-18 19:50:29 |
Stefano Bagnatica |
bug |
|
|
added subscriber Stefano Bagnatica |
2015-04-08 08:39:03 |
Adam Conrad |
unity (Ubuntu Trusty): status |
In Progress |
Fix Committed |
|
2015-04-08 08:39:05 |
Adam Conrad |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2015-04-08 08:39:10 |
Adam Conrad |
bug |
|
|
added subscriber SRU Verification |
2015-04-08 08:39:14 |
Adam Conrad |
tags |
|
verification-needed |
|
2015-04-11 14:28:44 |
Mateusz Stachowski |
tags |
verification-needed |
verification-done |
|
2015-04-15 20:04:42 |
Launchpad Janitor |
unity (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2015-04-15 20:06:27 |
Chris J Arges |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2015-04-16 16:23:33 |
Christopher Townsend |
unity/7.2: milestone |
7.2.5 |
7.2.6 |
|