GNOME Bugzilla – Bug 789638
Gnome Shell Allows for Unauthenticated logon from lock screen.
Last modified: 2017-11-01 13:51:49 UTC
I am running Ubuntu GNOME version 17.04. After logging on, if I lock the screen and then try to log back on, I am prompted with the unlock dialog as expected. However, if I click the link at the bottom that says "Login as another user", the system unlocks *without* entering credentials.
Thanks for reporting this. Which gnome-shell version is this about? How many other user accounts are configured?
Also:
- is the session actually unlocked, or does gnome-shell crash?
- are you using GDM, or are there patches to allow screen locking with LightDM?
I will try to address all of the questions as best I can.
1. Output of gnome-shell --version: GNOME Shell 3.24.2
2. I am the only user configured on the system.
3. The session is unlocked as far as I can tell. I am taken back to my desktop and it does not appear to crash (i.e. no crash report prompt or screen flashing).
4. I am using GDM3. The output of gdm3 --version: GDM 3.24.1
5. I am not sure about patches for lightdm, but I don't think it is in play here.
After some additional testing, it appears that this behavior is only present when automatic login is enabled. So perhaps the shell is doing the right thing? Maybe. Not sure what happens if there is more than one user.
This actually is a bug, which was assigned CVE-2017-12164. See https://mail.gnome.org/archives/distributor-list/2017-September/msg00003.html

*** This bug has been marked as a duplicate of bug 783779 ***