GNOME Bugzilla – Bug 707839
Add a timeout when entering the user password
Last modified: 2018-05-24 10:56:34 UTC
Hi, With the following scenario, a user can see his default session being changed by a 3rd party and this could be confusing for him. 1) A "rogue" user is clicking on a user on the list 2) He change the session of the user and leave without pressing escape or cancel 3) The user arrive in front of his computer 4) He sees that his user is already selected and enter his password 5) The session selected by the rogue user is not his default session. I think that adding a sensible timeout between 2) and 3) could mitigate this issue (without completely fixing it of course) What do you think?
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=721388#30 for the original bug report about this
With gdm 3.4, the problem also occurs when I cancel (e.g. by clicking on "Cancel") or enter a wrong password, and reselect my user (between (3) and (4) above). The user is actually preselected by default as being the only one on the machine (but I cannot see it due to a display bug), but I need to type [Enter] to select it and type my password: this is where I can see that the session is always the same as the one selected before canceling (whether this is the last session I used at the last successful login or not). Laurent cannot reproduce this, but he used gdm 3.8. So, a part of the problem may have been fixed between 3.4 and 3.8, and something else triggers the problem in the case where the user cancels first. A timeout would probably be OK. Something else that could be done: highlight the session name with a different color if it has been modified since the last successful login, so that the user can notice the change more easily. BTW: when the problem occurred for me, it seems that the session hasn't been changed by another user on purpose, but someone apparently played with the mouse and/or the keyboard (while the screen was off?).
(In reply to comment #2) > Laurent cannot reproduce this, but he used gdm 3.8. So, a part of the problem > may have been fixed between 3.4 and 3.8, and something else triggers the > problem in the case where the user cancels first. ...which likely means that somebody needs to identify that patch and Debian could backport it. There will not be any fixes for 3.4 upstream. Version 3.4.x which is too old and not supported anymore by GNOME developers. GNOME developers are no longer working on that older version, so unfortunately there will not be any bug fixes by GNOME developers for the version that you use. Please feel free to reopen this bug if the problem still occurs with a recent version of GNOME, or feel free to file a bug report in the bug tracking system of your Linux distribution if your distribution still supports your version 3.4.x
Well my initial bug here was to add a timeout if the user is not entering his password fast enough when in the login screen (that would also invalidate any changes made to the session of the user). So I guess it should be reopened
-- GitLab Migration Automatic Message -- This bug has been migrated to GNOME's GitLab instance and has been closed from further activity. You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.gnome.org/GNOME/gdm/issues/165.