Ubuntu
mate-session-manager package

Lock screen can be bypassed when auto-login is enabled via gnome-system-tools

Bug #1706770 reported by Chris Gavin
282
This bug affects 7 people
Affects Status Importance Assigned to Milestone
arctica-greeter (Ubuntu)
Invalid
Undecided
Unassigned
gnome-system-tools (Ubuntu)
Triaged
Undecided
Unassigned
lightdm (Ubuntu)
Invalid
Undecided
Unassigned
mate-screensaver (Ubuntu)
Invalid
Undecided
Unassigned
mate-session-manager (Ubuntu)
Invalid
High
Unassigned
ubuntu-mate-meta (Ubuntu)
Fix Released
Critical
Martin Wimpress 

Bug Description

16.04 LTS
=========

Hi,

My machine is set up with full-disk encryption, so it requires a password when I boot it up. Because of this I thought I would enable auto-login to avoid having to enter two passwords at boot.

When I leave my computer for short periods of time, I lock it. I thought this was working fine for a long time, but I've discovered the lock screen is actually easily bypassable when auto-login is enabled. All one has to do is click "Switch User" on the lock screen, then press "Unlock" and the computer unlocks without prompting for a password.

Perhaps this is just me being an idiot, but I thought this was secure until now. It seems like either unlocking should always require a password (otherwise what's the point of locking in the first place) or it should be made totally obvious that unlocking doesn't actually require a password (i.e. removing the password box from the lock screen when auto-login is enabled).

Thanks,
Chris

Etienne Papegnies (etienne-papegnies)
Changed in ubuntu-mate:
importance: Undecided → High
Martin Wimpress  (flexiondotorg)
Changed in mate-session-manager (Ubuntu):
importance: Undecided → High
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Hi! Can I make this bug public so more developers can see it?
Thanks!

Revision history for this message
Chris Gavin (chrisgavin) wrote :

That's fine with me.

Marc Deslauriers (mdeslaur)
information type: Private Security → Public Security
Revision history for this message
Douglas Silva (o-alquimista) wrote :

Unable to reproduce this in Ubuntu MATE 17.04. I use full-disk encryption too and enabled auto-login as well.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lightdm (Ubuntu):
status: New → Confirmed
Changed in mate-session-manager (Ubuntu):
status: New → Confirmed
Revision history for this message
Chris Gavin (chrisgavin) wrote :

If it helps, I've reproduced this in a fresh Ubuntu Mate virtual machine.

1. Install Ubuntu Mate following all the usual steps until you get to the account creation screen.
2. Create a user account with a password and leave "require password at login" checked.
3. Finish installation and reboot.
4. Go to "System" -> "Administration" -> "Users and Groups".
5. Change password from "Asked on logon" to "Not asked on logon".
6. Lock your machine.
7. Press "Switch User".
8. Observe no password is required to unlock as the current user.

For some reason, the problem doesn't happen when you set your account to not require a password at installation. Even more oddly, the user account still shows "Asked on logon" for the user created at installation, even though the option to not require a password was checked, and seems to be effective at boot. I guess they must just be implemented in different ways.

Revision history for this message
Chris Gavin (chrisgavin) wrote :

After a bit more investigation, being in the `nopasswdlogin` group is what causes the switch-user screen to not ask for a password.

Having `autologin-user` set to your username in /etc/lightdm/lightdm.conf is what works correctly.

Rudra Saraswat (rs2009)
Changed in ubuntu-mate:
status: New → Confirmed
information type: Public Security → Private Security
Alex Murray (alexmurray)
information type: Private Security → Public Security
Rudra Saraswat (rs2009)
Changed in lightdm (Ubuntu):
status: Confirmed → Fix Committed
Norbert (nrbrtx)
tags: added: xenial
Revision history for this message
bpiero (bpiero) wrote :

Dammit! I cant believe this level of lack of security could happen in this project. WHAT A SHAME!

Revision history for this message
Philippe (philippe734) wrote :

#6 Chris quote:
4. Go to "System" -> "Administration" -> "Users and Groups".
5. Change password from "Asked on logon" to "Not asked on logon".
6. Lock your machine.
7. Press "Switch User".
8. Observe no password is required to unlock as the current user.

I confirm this issue on Ubuntu Mate 20.04.0 in a virtual machine. I can reproduce it each times.

Norbert (nrbrtx)
tags: added: bionic focal
Martin Wimpress  (flexiondotorg)
no longer affects: ubuntu-mate
Changed in mate-session-manager (Ubuntu):
status: Confirmed → Invalid
Martin Wimpress  (flexiondotorg)
Changed in lightdm (Ubuntu):
status: Fix Committed → Invalid
Changed in arctica-greeter (Ubuntu):
status: New → Invalid
Changed in gnome-system-tools (Ubuntu):
status: New → Confirmed
status: Confirmed → Triaged
Changed in mate-screensaver (Ubuntu):
status: New → Invalid
Changed in ubuntu-mate-meta (Ubuntu):
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Martin Wimpress  (flexiondotorg)
Revision history for this message
Martin Wimpress  (flexiondotorg) wrote :

This issue is caused by the Users and Groups utility which is part of `gnome-system-tools`. When changing the password from "Asked on logon" to "Not asked on logon" the user is added to the `nopasswdlogin` group and this is what causes the switch-user screen to not ask for a password.

If you select the option to not require a password to login during installation, it is not possible to bypass authentication when switching users. This is because `autologin-user` is set to your username in `/etc/lightdm/lightdm.conf` and that works correctly.

`gnome-system-tools` was originally included in Ubuntu MATE because it offers user and time management features. But it can now be removed from the Ubuntu MATE default install because recent versions of MATE Control Center provide user and time management.

Changed in ubuntu-mate-meta (Ubuntu):
status: Triaged → In Progress
summary: - Lock screen can be bypassed when auto-login is enabled.
+ Lock screen can be bypassed when auto-login is enabled via gnome-system-
+ tools
Martin Wimpress  (flexiondotorg)
Changed in ubuntu-mate-meta (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package ubuntu-mate-meta - 1.282

---------------
ubuntu-mate-meta (1.282) jammy; urgency=medium

  * Refreshed dependencies
  * Removed gnome-system-tools from core-recommends, desktop-recommends
    (LP: #1706770)

 -- Martin Wimpress <email address hidden> Sat, 09 Apr 2022 01:01:57 +0100

Changed in ubuntu-mate-meta (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.