Bug 606703 - gdm reveals which user names are valid or invalid without authenticating
Status: RESOLVED FIXED
Product: gdm
Classification: Core
Component: general
Version: 2.29.x
Hardware: Other
OS: All
Priority: Normal
Severity: normal
Target Milestone: ---
Assigned To: Brian Cameron
QA Contact: GDM maintainers
Depends on:
Blocks:
Reported: 2010-01-12 05:39 UTC by Brian Cameron
Modified: 2010-07-02 19:05 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
patch fixing issue (852 bytes, patch), 2010-01-12 05:39 UTC, Brian Cameron, committed

Description Brian Cameron 2010-01-12 05:39:18 UTC
If you enter a valid account name, such as "root" or any other user, then hit return for the password it pops up "Authentication failed"

If you enter an invalid account name, then hit return for the password, it pops up "No account present for user"

GDM should not allow users to find out which account names are valid or invalid without authenticating. 

I understand that the face browser does expose some users, but this is still an issue for systems that do not have the face browser enabled.  Also, even with the Face Browser, certain users are filtered or excluded, and users should not be able to find out information about such users.

To fix this problem, simply change the PAM_USER_UNKNOWN return code from pam_authenticate to PAM_AUTH_ERR, as in the attached patch.

Note that the old GDM worked this way.  On receiving PAM_USER_UNKNOWN it would display the standard PAM_AUTH_ERR message.
Comment 1 Brian Cameron 2010-01-12 05:39:51 UTC
Created attachment 151223: patch fixing issue
Comment 2 Ray Strode [halfline] 2010-01-12 16:49:21 UTC
Comment on attachment 151223: patch fixing issue

Thanks.
Comment 3 Nelson Benitez 2010-01-14 16:36:19 UTC
(In reply to comment #1)
> Created an attachment (id=151223): patch fixing issue

Shouldn't

+                if (error_code = PAM_USER_UNKNOWN) {

be

+                if (error_code == PAM_USER_UNKNOWN) {

??
Comment 4 Brian Cameron 2010-01-15 16:45:03 UTC
Yes, thanks for catching this.  I verified that the issue is fixed after making the change from "=" to "==", and put the fix back in master just now.
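The behaviour described in the report (folding PAM_USER_UNKNOWN into PAM_AUTH_ERR before any message is shown, with the `==` comparison from comment 3), as an added illustration that is not gdm's code. `fake_pam_authenticate` is a constructed stand-in for pam_authenticate(), the PAM constants are defined locally so the example runs without libpam, and the message strings are taken from the description.

```c
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the PAM result codes the bug discusses. The
 * numeric values match Linux-PAM's <security/pam_appl.h>; a real
 * greeter includes that header instead of defining them here. */
#define PAM_SUCCESS       0
#define PAM_AUTH_ERR      7
#define PAM_USER_UNKNOWN 10

/* Hypothetical stand-in for pam_authenticate(): a constructed
 * two-account table so the example runs without a PAM stack. */
static int fake_pam_authenticate(const char *user, const char *password)
{
    if (strcmp(user, "alice") != 0 && strcmp(user, "root") != 0)
        return PAM_USER_UNKNOWN;      /* account does not exist */
    if (strcmp(password, "correct horse") != 0)
        return PAM_AUTH_ERR;          /* account exists, wrong password */
    return PAM_SUCCESS;
}

/* The fix from the report: map PAM_USER_UNKNOWN to PAM_AUTH_ERR before
 * anything user-visible is derived from the code. Note the '==' that
 * comment 3 caught; a single '=' would assign and break every path. */
static int normalize_auth_result(int error_code)
{
    if (error_code == PAM_USER_UNKNOWN)
        error_code = PAM_AUTH_ERR;
    return error_code;
}

/* Message the greeter would display for a raw PAM code (wording from
 * the report's description). */
static const char *auth_message(int error_code)
{
    switch (error_code) {
    case PAM_SUCCESS:      return "Authenticated";
    case PAM_AUTH_ERR:     return "Authentication failed";
    case PAM_USER_UNKNOWN: return "No account present for user";
    default:               return "Unknown error";
    }
}

/* One login attempt as the fixed greeter handles it: the unknown-user
 * and bad-password cases now produce the same message. */
const char *login_attempt(const char *user, const char *password)
{
    int code = fake_pam_authenticate(user, password);
    return auth_message(normalize_auth_result(code));
}
```

With the normalization removed, `login_attempt("nobody", "x")` would return "No account present for user" while `login_attempt("alice", "x")` returns "Authentication failed", which is exactly the distinguishing signal the report describes.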