
Bug#1016004: lightdm: re-login possible without password after "dm-tool lock"



Package: lightdm
Version: 1.2.6.0-4

I have observed this unexpected behavior on a Raspberry Pi running an (always updated) vanilla Raspberry Pi OS.

Here is how to reproduce it:

* Use lightdm, have a user account with a password (no auto login used)
* start the computer
-> The login screen will show up after a while.
* log in with the username and the password (in the graphical user interface)
-> graphical user session will be displayed
* start a terminal, type: "dm-tool lock"
   (It is a frequent hint on the internet to have a graphical shortcut for this command in order to generate a "lock user session" functionality on the Raspi.)
-> The login screen appears again. (So far everything is fine.)
* Press Alt + Ctrl + F1
-> The console login will appear (just ignore it)
* Press Alt + Ctrl + F7
-> The graphical user session re-appears. But this happened without the need to type the user password!

Expectation of correct behavior:
I would expect to need to type the user password before I can re-access the user session after a "lock" of the user session.

I perceive this as a security bug, because the user session is not secured in the way the user probably expects it when he sees the re-login screen after his "lock" command. (My kids found this behavior when they tried all the keys on the keyboard in order to re-gain access to the computer having their favorite game installed.)

Let me know if you need further information on the behavior itself or on other installed packages on the computer.
