GNOME Bugzilla – Bug 783779
(CVE-2017-12164) Lock screen password bypass by trying to log as another user
Last modified: 2017-11-01 13:51:49 UTC
I have only one user on my machine (apart from root), and I have the account set to ask for password on screen lock. But when I click the link in the lock screen to log in as another user, the lock screen goes away and I can continue my session as usual, without even needing to provide the password. I could replicate this on a fairly standard Ubuntu GNOME 17.04 installation, with GNOME 3.24.1. It doesn't happen on previous or later GNOME versions.
Created attachment 353823: video repro
Attached video of the issue.
Looks like a regression caused by the fix for bug 780520. We no longer set ran_once to TRUE after the greeter is started, so we try to autologin when user switching, which succeeds and immediately unlocks the screen.
Fix should be to check for is_initial in addition to ran_once when deciding whether or not to autologin.
Created attachment 359561
manager: don't allow autologin from transient displays

In theory, we're only supposed to allow autologin the first time a session is run, but we only count a session run once it's finished. This means that if a user creates a transient session to user switch before they've logged out the first time at boot up, that transient session will begin autologin as well (which actually gets treated as an auto unlock).

This commit makes sure autologin is only ever run on the initial display.
Attachment 359561 pushed as 798be42 - manager: don't allow autologin from transient displays
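The condition discussed in the comments above, as an added example that is neither GDM's code nor the attached patch: a simplified C model of the autologin decision before and after the fix. It assumes automatic login is configured; only ran_once and is_initial come from the comments, all other names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model types; not GDM's own structures. */
struct manager {
    bool autologin_enabled; /* assumption: automatic login is configured */
    bool ran_once;          /* set only once a session has finished */
};
struct display {
    bool is_initial;        /* true only for the display created at boot */
};

/* Regressed check: ran_once alone gates autologin. */
static bool should_autologin_regressed(const struct manager *m,
                                       const struct display *d)
{
    (void)d; /* the kind of display is never consulted */
    return m->autologin_enabled && !m->ran_once;
}

/* Fixed check: autologin is also limited to the initial display. */
static bool should_autologin_fixed(const struct manager *m,
                                   const struct display *d)
{
    return m->autologin_enabled && d->is_initial && !m->ran_once;
}

/* A session run is only counted when the session ends. */
static void session_finished(struct manager *m) { m->ran_once = true; }

/* Scenario from the report: the first session is still running with the
 * screen locked when "log in as another user" creates a transient display.
 * Returns true if that display would autologin (treated as an unlock). */
static bool switch_user_unlocks(bool fixed)
{
    struct manager m = { .autologin_enabled = true, .ran_once = false };
    struct display transient = { .is_initial = false };
    return fixed ? should_autologin_fixed(&m, &transient)
                 : should_autologin_regressed(&m, &transient);
}

int main(void)
{
    printf("regressed check unlocks on user switch: %d\n", switch_user_unlocks(false));
    printf("fixed check unlocks on user switch:     %d\n", switch_user_unlocks(true));
    return 0;
}
```

A regression test for this class of bug should cover the transient display while the first session is still running, since that is the only state in which the two checks disagree.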
*** Bug 789638 has been marked as a duplicate of this bug. ***