https://bugs.kde.org/show_bug.cgi?id=410772
Bug ID: 410772
Summary: Lock screen breakages provide insecure instructions
Product: kscreenlocker
Version: unspecified
Platform: Other
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: plasma-b...@kde.org
Reporter: sciencema...@gmail.com
CC: bhus...@gmail.com
Target Milestone: ---

SUMMARY

When the screen locker breaks, it provides instructions to the user on how to switch to a virtual terminal and unlock the screen from there. It looks like there are a couple of different versions of the instructions depending on the session system being used. See:
https://github.com/KDE/kscreenlocker/blob/fb21221ad0940af3dc50be96de16b5a9e065d53c/abstractlocker.cpp#L56

This idea is really cool, especially because the instructions seem to be carefully written in such a way that someone with very little Linux knowledge could execute them, which is awesome.

Unfortunately, the instructions don't tell the user to log out of the virtual terminal. Users who don't know they should do that, or don't know how, will now have a virtual terminal logged in to their machine until the next time it restarts. This would allow a malicious person to simply walk up to the machine while the user was away, switch terminals, and have full access to the machine. This is particularly dangerous for one of the sets of instructions that asks you to log in as root.

STEPS TO REPRODUCE

Somehow break the login screen. I don't know how to do this. I am not sure why mine broke in the first place.

OBSERVED RESULT

The instructions on the screen, if followed correctly, have the user leave a logged-in virtual terminal that anyone could use without a password.

EXPECTED RESULT

Pretty much the same instructions, with the same command, but with " & logout" on the end of the command.

SOFTWARE/OS VERSIONS

Doesn't matter; it's in the code and it's been there for a while.
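As an added illustration (not code from kscreenlocker and not part of the bug report), the snippet below shows two things a user or admin recovering from a broken lock screen would want: how to chain the recovery command so the virtual-terminal login ends as soon as the unlock command returns, and a quick check for virtual terminals that are still logged in after the recovery. The unlock command itself is a placeholder argument, since this script does not know which command the lock screen's message tells the user to run; the `who` lines used for the check are read from stdin so the function can be exercised on constructed sample data. Note that a single `&` (as in the report's suggested suffix) backgrounds the unlock command and logs out without waiting for it, whereas `;` waits for it to finish and then logs out whatever its exit status.

```shell
#!/bin/sh
# Added example, not kscreenlocker code. Helpers for recovering from a
# broken lock screen without leaving a logged-in virtual terminal behind.

# Compose the recovery one-liner so the VT login ends once the unlock
# command has returned. $1 is the unlock command shown by the lock screen
# (placeholder here; this script does not know the real one).
# ';' is used rather than '&': '&' would background the unlock command and
# log out without waiting for it.
unlock_then_logout_cmdline() {
    printf '%s; logout\n' "$1"
}

# Filter `who` output (read on stdin) down to sessions on a virtual
# terminal (tty1..ttyN), i.e. the consoles reachable with Ctrl+Alt+Fn.
# Prints any such lines and returns 1 if at least one was found, so it can
# be used as a pass/fail check; pseudo-terminals (pts/N) and the X display
# (:0) are ignored.
stale_vt_logins() {
    awk '$2 ~ /^tty[0-9]+$/ { print; found = 1 } END { exit (found ? 1 : 0) }'
}

# Interactive use after switching back to the desktop session:
#   who | stale_vt_logins && echo "no logged-in virtual terminals"
```

Run the check from the restored desktop session; if it prints a `ttyN` line, switch to that console and run `logout` (or `exit`) there so the login does not persist until the next reboot.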