gdm

Notification popup before login -> app started w/o login

Bug #1920643 reported by fabtagon
Affects         Status      Importance   Assigned to   Milestone
gdm             New         Unknown
gdm3 (Ubuntu)   Confirmed   Undecided    Unassigned

Bug Description

== General pattern ==

In gdm login screen, while no one is logged in, notification popups are shown. An unauthenticated person at the keyboard can interact with these popups to start applications.

== Concrete Example ==

I've got a separate storage disk that is nearly full (just /storage with photos etc., / is on another device and has plenty of space). I get a notification popup 'Disk space is low on /storage.' with options to either 'ignore' or to 'examine' it (it's silly to notify me about shortage on this disk, but that's another topic). When I click 'examine', baobab is started as user gdm, as I can see with 'ps' in a console terminal. It's not visible on screen; it's supposedly somewhere 'behind' the gdm screen.

== Expected behaviour ==

As long as nobody is logged in, gdm doesn't start any applications.

I don't see much use for popups before login at all (imagine a popup 'New file Surprise_birthday_party_for_your_spouse_in_Wonderland_park.odt has been successfully synchronised'), but at least it should not be possible to start processes from these.

== Security implications ==

Even though the application is not visible in this case, the behaviour does not provide any use to the user. Contrarily, a popup targeting logged-in users could unintentionally compromise security. Imagine e.g. a case where a popup allows the not-logged-in person in front of the machine to specify actions beyond starting a specific application (something like 'Problem with flux capacitor detected. Click here to run flux-fix, or here to specify a custom command in popup input field').

This is just a light hint that there *might* be a security issue. There might be countermeasures (namely popups' general abilities) to prevent such a scenario. Please feel free to re-classify accordingly.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: gdm3 3.36.3-0ubuntu0.20.04.3
ProcVersionSignature: Ubuntu 5.8.0-44.50~20.04.1-generic 5.8.18
Uname: Linux 5.8.0-44-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.16
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: X-Cinnamon
Date: Sat Mar 20 22:57:15 2021
InstallationDate: Installed on 2020-04-24 (329 days ago)
InstallationMedia: Ubuntu 20.04 LTS "Focal Fossa" - Release amd64 (20200423)
SourcePackage: gdm3
UpgradeStatus: No upgrade log present (probably fresh install)
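The symptom above (baobab showing up in 'ps' as user gdm) suggests a simple audit: list processes owned by the greeter user and flag any that are not part of the expected greeter session. The script below is an added example, not part of the bug report or of gdm; the allowlist of greeter process names is an assumed baseline for a typical Ubuntu 20.04 login screen and should be adjusted to your own, and the sample ps output is constructed.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or from gdm).
# Flags processes running as the greeter user that are not expected in a
# GDM greeter session, e.g. an application launched from a pre-login popup.

GDM_USER="${GDM_USER:-gdm}"

# Expected greeter processes (assumed baseline, 'comm' names truncated to
# 15 characters as ps prints them). Anything else running as gdm is flagged.
is_allowed() {
    case "$1" in
        systemd|\(sd-pam\)|dbus-daemon|gnome-session-b*|gnome-shell| \
        Xwayland|Xorg|pulseaudio|ibus-*|gsd-*|at-spi*)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# Reads 'ps -eo user=,pid=,comm=' style lines on stdin and prints
# "user pid comm" for every process owned by $GDM_USER that is not allowed.
flag_unexpected_gdm_procs() {
    while read -r user pid comm; do
        [ "$user" = "$GDM_USER" ] || continue
        is_allowed "$comm" || printf '%s %s %s\n' "$user" "$pid" "$comm"
    done
}

# Constructed sample of ps output, including the baobab case from the report.
SAMPLE='root 1 systemd
gdm 1100 (sd-pam)
gdm 1203 gnome-shell
gdm 1250 gsd-xsettings
gdm 4711 baobab
alice 2000 bash'

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | flag_unexpected_gdm_procs
```

On a live system feed the real process list instead: `ps -eo user=,pid=,comm= | flag_unexpected_gdm_procs`.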

fabtagon (fabtagon) wrote :
Steve Beattie (sbeattie) wrote :

Thanks for the report. Making this public to get the Desktop team to take a look at this.

information type: Private Security → Public Security
Changed in gdm3 (Ubuntu):
status: New → Confirmed
Daniel van Vugt (vanvugt) wrote :

The only relevant upstream bug I can find is:

  https://gitlab.gnome.org/GNOME/gdm/-/issues/685

so maybe use that or open a new one to discuss the security implications:

  https://gitlab.gnome.org/GNOME/gdm/-/issues

Changed in gdm:
status: Unknown → New
This report contains Public Security information; everyone can see this security related information.