The commands 'dm-tool lock' && 'dm-tool switch-to-greeter' appear to lock the screen (e.g. prompt for a password from the user) but are both easily bypassed when switching to a TTY and back to X (e.g. 'Alt+Ctrl+F1, Alt+Ctrl+F7'). This has been raised many times but marked wontfix by vendor. It's been raised by multiple people as early as 2013 (and probably earlier) and in some cases can be used to bypass lock screens in real world scenarios.

To Reproduce:
- Use LightDM as login manager w/ Openbox (also confirmed on Ubuntu 16.10 w/ Unity).
- Lock the screen via command 'dm-tool lock' or 'dm-tool switch-to-greeter' which prompts for a password.
- Press Alt+Ctrl+F1, Alt+Ctrl+F7

Bug Reports:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1338814
https://bugs.launchpad.net/ubuntu/+source/lxsession/+bug/1205384
https://ubuntuforums.org/showthread.php?t=2224690
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=740163

From the bug reports I can see that the issues were already resolved.

@Maintainer, could you please confirm if we need to do something here?

Thank you,

Gentoo Security Padawan
ChrisADR

After searching a bit I found upstream released a fix for this issue in lxsession.

From URL:

>Replace unfinished lightdm method in lxlock by xscreensaver method, which also
>auto start the daemon if it's not running

Fixed version is available in lxsession 0.5.3

@Maintainers please ready for stabilization.

Gentoo Security Padawan
ChrisADR

(In reply to Christopher Díaz Riveros from comment #2)
> After searching a bit I found upstream released a fix for this issue in
> lxsession.
>
> From URL:
>
> >Replace unfinished lightdm method in lxlock by xscreensaver method, which also
> >auto start the daemon if it's not running
>
> Fixed version is available in lxsession 0.5.3
>
> @Maintainers please ready for stabilization.
>
> Gentoo Security Padawan
> ChrisADR

It was tagged for 0.5.2 as well and is present in the tarball.