GNOME Bugzilla – Bug 692627
pkill -9 gnome-shell allows one to log on to the computer without entering a password
Last modified: 2013-01-27 11:20:40 UTC
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0
Build Identifier:

Description of problem:
If a TTY terminal is already logged in, anyone having physical access to the keyboard can bypass the lock screen.

Version-Release number of selected component (if applicable):
Fedora 18
GNOME Shell 3.6.2

How reproducible:
Log in on tty2, come back to the graphical session (TTY1), lock the screen, kill the gnome-shell session, restart it specifying the correct display, come back to TTY1, you're logged in.

Reproducible: Always

Steps to Reproduce:
1. Log in to a gnome-shell session at startup
2. Go to TTY2 (Ctrl+Alt+F2), log in as the same user
3. Come back to TTY1 (Ctrl+Alt+F1)
4. Lock screen (Ctrl+Alt+l)
5. Go back to TTY2 and execute the following command:
   $ pkill -9 gnome-shell && /usr/bin/gnome-shell -r -d :0
6. Come back to TTY1

Actual Results:
I've bypassed the lock screen and got logged in.

Expected Results:
Should come back to the locked screen.

This bug is conditioned on user inattention, but in some cases, if TTY2 is already logged in, anyone can access the graphical session. I believe this is a severe security issue.

The same bug is already registered in Fedora Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=901586

This is not a security issue. If you have access as the logged in account, you can ptrace gnome-shell and inject arbitrary JS commands. Or you can force unlock the shield using the DBus API. Or you can just run whatever malicious command you wanted to do (including, say, xwd, if you're after the contents of the screen) from the terminal.

Anyway, we do want to restore lockedness after a shell restart.

Thanks for the bug report. This particular bug has already been reported into our bug tracking system, but please feel free to report any further bugs you find.

*** This bug has been marked as a duplicate of bug 691987 ***
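
A check for the precondition named in the report (a text console left logged in for the same user as the graphical session), as an added example that is not part of the bug report or of GNOME's code. It assumes `who`-format input in which the X session appears either with the display as its line (`:0`) or with the display as its host field (`(:0)`); the function name and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list users who hold both a graphical login and a
# text-console login at the same time.
# Input format (assumption): `who` output, i.e. user, line, date, time,
# and an optional host field in parentheses.

find_mixed_sessions() {
    # Reads who-style lines on stdin.
    # Prints one line per affected user: "user: console=<ttys> display=<lines>"
    awk '
        # Virtual terminals appear as ttyN.
        $2 ~ /^tty[0-9]+$/ {
            # Some display managers record the X session on a tty and put
            # the display, e.g. "(:0)", in the host field.
            if ($NF ~ /^\(:[0-9]+(\.[0-9]+)?\)$/) gui[$1] = gui[$1] " " $2
            else                                  con[$1] = con[$1] " " $2
            next
        }
        # Others record the display itself as the line, e.g. ":0".
        $2 ~ /^:[0-9]+/ { gui[$1] = gui[$1] " " $2 }
        # pts/N entries (terminal emulators inside the session) are ignored.
        END {
            for (u in con)
                if (u in gui)
                    printf "%s: console=%s display=%s\n", u, substr(con[u], 2), substr(gui[u], 2)
        }
    ' | sort
}

# Constructed sample input, not captured from a real system.
SAMPLE_WHO='alice    :0           2013-01-27 09:00 (:0)
alice    tty2         2013-01-27 09:05
alice    pts/0        2013-01-27 09:10 (:0)
bob      tty3         2013-01-27 09:20'

# Demo on the sample; on a live system use: who | find_mixed_sessions
printf '%s\n' "$SAMPLE_WHO" | find_mixed_sessions
```
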