Message: previous - next
Month: November 2013

Re: [trinity-devel] Possible security glitch with switching users?

From: "Darrell Anderson" <darrella@...>
Date: Sat, 09 Nov 2013 18:06:02 -0600
>I don't know whether this is a security glitch or PEBKAC.
>I was testing the graphical login with TDM:
>* I logged in as User 1.
>* From the TDE menu I selected Switch User->Start New Session.
>* I logged in as User 2.
>* I switched to User 1 *without* needing a password.
>* I switched to User 2 and needed a password.
>* I typed the password, switched to User 1, and needed a password.
>I repeated this exercise three times with a system reboot each 
>time. Each time the first instance of switching did not require a 
>Further, I was not always asked for a password on subsequent 
>switching, especially when I used the keyboard toggles of Ctrl-Alt-
>F7 and Ctrl-Alt-F8.
>SAK is disabled.
>I only used Switch User->Start New Session. I did not use Switch 
>User->Lock Current & Start New Session.

BTW, seems to me there should be no password required when using 
'Start New Session' --- that is what the 'Lock Current & Start New 
Session' option should be for?