Security issue - I can bypass the password login with Caps Lock.

Bug #1789700 reported by Alex
This bug affects 1 person
Affects          Status    Importance   Assigned to   Milestone
gksu (Ubuntu)    Invalid   Undecided    Unassigned

Bug Description

When booting, if I press Caps Lock on my keyboard until the caps confirmation light turns on (this happens just after the bit in boot where it shows a load of green and white loading text), it then doesn't prompt me for a password to log in - it just logs right in with no password. I expect to have to use a password to login every time and for this to stop anyone from getting to my files, but by pressing caps lock, it boots like I have set the computer not to require login details.

Using Ubuntu 16.04 LTS

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: gksu (not installed)
ProcVersionSignature: Ubuntu 4.15.0-33.36~16.04.1-generic 4.15.18
Uname: Linux 4.15.0-33-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.18
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Aug 29 18:06:55 2018
InstallationDate: Installed on 2017-07-15 (409 days ago)
InstallationMedia: Ubuntu 16.04.2 LTS "Xenial Xerus" - Release amd64 (20170215.2)
ProcEnviron:
 LANGUAGE=en_GB:en
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_GB.UTF-8
 SHELL=/bin/bash
SourcePackage: gksu
UpgradeStatus: No upgrade log present (probably fresh install)

Eduardo Barretto (ebarretto) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. To help identify the problem we need some more information.
Are you able to reproduce it easily?
Can you provide more information on the exact steps to reproduce it?
Is it something that appeared after an upgrade or not?
Could you also share logs after reproducing it? (for more information on how to do this, please see https://help.ubuntu.com/community/ReportingBugs)

I appreciate your help on this!
Please feel free to report any other bugs you may find.

Changed in gksu (Ubuntu):
status: New → Incomplete
Alex (tom-silver) wrote :

Hi,

Many thanks for your kind time on this matter, I have tried to recreate it and although it was happening consistently over the week prior to getting up the nerve to make a report, it is now no longer happening.

I am sorry to have wasted your time.

There are two things that happened that may have cleared the bug:

1) There was an OS security update on the day you responded that may have cleared whatever bug it was...?

2) I looked in my User Account and changed the setting regarding if you need a password to log in... To explain this, I had my settings to ask for a password on login and also when waking from sleep, waking the screen etc. When the Caps Lock issue was happening, I was under the impression the settings were as I made them, because when I didn't press Caps Lock it would ask for password on login. But looking in my user account it was set to automatically sign in... Again, I was under the impression that I had set this to ask for password and it did if I didn't press caps-lock while the computer was booting... I deactivated automatic login and the Caps Lock problem went away, I can no longer bypass password login. I reactivated automatic sign in to see if it would still ask me to log in with a password, and it now no longer prompts me for a password on booting up.

Please again accept my sincerest apologies for any concern caused by this matter, I will continue to monitor this to see if either the Caps-Lock issues or the password prompt reappears if I've got it set not to ask for password on login.

Many thanks for your kind time,
Alex.
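
An added check, not part of the original report or of any commenter's post: it lists display-manager settings that log a user in without a password prompt, which is the state the reporter found in the User Accounts panel. The configuration paths and key names are assumptions about a LightDM (the Ubuntu 16.04 Unity default) or GDM3 setup; the report names no file, and the sample inputs are constructed.

```python
import configparser
import glob

# Assumed default locations; the report itself names no configuration file.
CONFIG_GLOBS = [
    "/usr/share/lightdm/lightdm.conf.d/*.conf",
    "/etc/lightdm/lightdm.conf.d/*.conf",
    "/etc/lightdm/lightdm.conf",
    "/etc/gdm3/custom.conf",
]
TRUE_VALUES = {"true", "1"}  # boolean spellings accepted by the GLib key-file format


def autologin_findings(text, source="<inline>"):
    """Return (source, section, key, value) for each setting that skips the password prompt."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case: GDM keys are CamelCase
    cp.read_string(text, source)
    found = []
    for section in cp.sections():
        opts = cp[section]
        if section.startswith("Seat"):  # LightDM: [Seat:*], [Seat:seat0], legacy [SeatDefaults]
            user = opts.get("autologin-user", "").strip()
            if user:
                found.append((source, section, "autologin-user", user))
            if opts.get("autologin-guest", "").strip().lower() in TRUE_VALUES:
                found.append((source, section, "autologin-guest", "true"))
        elif section == "daemon":  # GDM3
            for flag, who in (("AutomaticLoginEnable", "AutomaticLogin"),
                              ("TimedLoginEnable", "TimedLogin")):
                if opts.get(flag, "").strip().lower() in TRUE_VALUES:
                    found.append((source, section, who, opts.get(who, "").strip()))
    return found


# Constructed sample inputs, not taken from the reporter's machine.
SAMPLE_AUTOLOGIN_ON = "[Seat:*]\nautologin-user=alex\nautologin-user-timeout=0\n"
SAMPLE_AUTOLOGIN_OFF = "[Seat:*]\n#autologin-user=alex\ngreeter-session=unity-greeter\n"

if __name__ == "__main__":
    # Scan whichever of the assumed files exist on this machine.
    for pattern in CONFIG_GLOBS:
        for path in sorted(glob.glob(pattern)):
            with open(path, encoding="utf-8", errors="replace") as fh:
                for finding in autologin_findings(fh.read(), path):
                    print("autologin enabled:", *finding)
```

An empty result means none of the scanned files enables automatic login; a commented-out key, as in the second sample, is correctly ignored.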

Eduardo Barretto (ebarretto) wrote :

Hi Alex,

Thanks again for taking the time to report the current status and helping to make Ubuntu better.

Based on your comment I will be closing this ticket, but if this problem starts to happen again, please feel free to report it in a new ticket and we will make sure to investigate it! :)

We appreciate your support!

Changed in gksu (Ubuntu):
status: Incomplete → Invalid
information type: Private Security → Public Security
This report contains Public Security information  
Everyone can see this security related information.