GNOME Bugzilla – Bug 606703
gdm reveals which user names are valid or invalid without authenticating
Last modified: 2010-07-02 19:05:00 UTC
If you enter a valid account name, such as "root" or any other user, then hit return for the password, it pops up "Authentication failed". If you enter an invalid account name, then hit return for the password, it pops up "No account present for user".

GDM should not allow users to find out which account names are valid or invalid without authenticating. I understand that the face browser does expose some users, but this is still an issue for systems that do not have the face browser enabled. Also, even with the Face Browser, certain users are filtered or excluded, and users should not be able to find out information about such users.

To fix this problem, simply change the PAM_USER_UNKNOWN return code from pam_authenticate to PAM_AUTH_ERR, as in the attached patch. Note that the old GDM worked this way: on receiving PAM_USER_UNKNOWN it would display the standard PAM_AUTH_ERR message.
Created attachment 151223 [details] [review] patch fixing issue
Comment on attachment 151223 [details] [review]
patch fixing issue

Thanks.
(In reply to comment #1)
> Created an attachment (id=151223) [details] [review]
> patch fixing issue

Shouldn't

    + if (error_code = PAM_USER_UNKNOWN) {

be

    + if (error_code == PAM_USER_UNKNOWN) {

??
Yes, thanks for catching this. I verified that the issue is fixed after making the change from "=" to "==", and put the fix back in master just now.
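The normalization described in comment #0, and the `=` versus `==` slip caught in comment #2, as an added example in C. This is not GDM's code or the attached patch: a constructed account table stands in for the PAM stack, fake_pam_authenticate() is a hypothetical stand-in for pam_authenticate(), and the PAM_* enum values are local stand-ins (they mirror the Linux-PAM numbers for readability, but nothing here depends on them; a real greeter takes them from <security/pam_appl.h>). leaky_login() produces the two distinguishable messages from the report; fixed_login() folds PAM_USER_UNKNOWN into PAM_AUTH_ERR before a message is chosen, so a valid and an invalid name fail identically, while PAM_SUCCESS and other codes pass through untouched.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the PAM return codes used in this example. They mirror the
 * Linux-PAM values, but real code takes them from <security/pam_appl.h>. */
enum {
    PAM_SUCCESS      = 0,
    PAM_AUTH_ERR     = 7,
    PAM_USER_UNKNOWN = 10,
    PAM_MAXTRIES     = 11
};

/* Constructed sample account table standing in for the real PAM stack. */
struct account { const char *name; const char *password; };
static const struct account ACCOUNTS[] = {
    { "root",  "hunter2" },
    { "alice", "s3cret!" },
};

/* Hypothetical stand-in for pam_authenticate(): it returns PAM_USER_UNKNOWN
 * for a name not in the table, which is exactly the distinction the bug
 * report is about. */
static int fake_pam_authenticate(const char *user, const char *password)
{
    size_t i;
    for (i = 0; i < sizeof ACCOUNTS / sizeof ACCOUNTS[0]; i++) {
        if (strcmp(ACCOUNTS[i].name, user) == 0)
            return strcmp(ACCOUNTS[i].password, password) == 0
                   ? PAM_SUCCESS : PAM_AUTH_ERR;
    }
    return PAM_USER_UNKNOWN;
}

/* The fix from the report: collapse "no such user" into the generic
 * authentication failure before anything user-visible is derived from it.
 * The comparison must be '=='. With a single '=' (the typo caught in
 * comment #2) the condition is always true and every code, PAM_SUCCESS
 * included, is rewritten to PAM_AUTH_ERR, so nobody could log in. */
static int normalize_pam_error(int error_code)
{
    if (error_code == PAM_USER_UNKNOWN)
        error_code = PAM_AUTH_ERR;
    return error_code;
}

/* The message a greeter would show for a given return code. */
static const char *message_for(int error_code)
{
    switch (error_code) {
    case PAM_SUCCESS:      return "Authentication succeeded";
    case PAM_USER_UNKNOWN: return "No account present for user";
    case PAM_AUTH_ERR:     return "Authentication failed";
    case PAM_MAXTRIES:     return "Too many attempts";
    default:               return "Authentication error";
    }
}

/* Unfixed path: the message tells the attacker whether the name exists. */
const char *leaky_login(const char *user, const char *password)
{
    return message_for(fake_pam_authenticate(user, password));
}

/* Fixed path: valid and invalid names yield the same failure message. */
const char *fixed_login(const char *user, const char *password)
{
    return message_for(normalize_pam_error(fake_pam_authenticate(user, password)));
}

int main(void)
{
    const char *names[] = { "root", "nosuchuser" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-11s before: %-28s after: %s\n", names[i],
               leaky_login(names[i], ""), fixed_login(names[i], ""));
    return 0;
}
```

Folding the return code closes only the message channel. If the real PAM stack answers an unknown user noticeably faster than it hashes and compares a password for an existing one, response time still distinguishes the two cases, so a greeter that cares about enumeration should also avoid short-circuiting the unknown-user path.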