GNOME / gdm / Issues / #460
Issue created Feb 05, 2019 by Ray Strode (@halfline, Maintainer)

In some cases with timed login enabled, GDM will unlock a session for a different user than the one who typed their password

Burghard Britzke reported to security@gnome.org that he has found a bug in GDM's timed login implementation.

Under the right circumstances, after the timed login timeout expires, a running session may get misassociated with the timed login user instead of the user that started the session. Further attempts to log in as the timed login user will instead unlock the misassociated user session.

This only affects X.org, since we kill the login screen on Wayland after login.

Steps to reproduce:

  1. create two users bubi(1000) and user gast(1001)
  2. edit the [daemon] section of /etc/gdm/custom.conf to enable timed login for the gast user

     [daemon]
     TimedLoginEnable=true
     TimedLogin=gast
     TimedLoginDelay=10

  3. restart
  4. login as user bubi(1000)
  5. lock the screen
  6. select Login as different user below the password field
  7. select gast from the user list and enter the password for the gast user
  8. notice that the bubi user is unlocked instead of the gast user
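
For administrators who want to find hosts running the configuration from the steps above, the following added example (not part of the original report and not GDM code) parses the text of a custom.conf and reports whether timed login is active and whether X.org is forced. The `WaylandEnable` key and the status labels are assumptions that do not appear in the report, and the check does not look at the installed GDM version.

```python
import configparser
import sys

# Constructed sample: the [daemon] settings from the steps above, plus
# WaylandEnable=false (not in the report), which makes GDM use X.org.
SAMPLE_CONF = """\
# GDM configuration storage
[daemon]
TimedLoginEnable=true
TimedLogin=gast
TimedLoginDelay=10
WaylandEnable=false
"""

def _is_true(value):
    return value is not None and value.strip().lower() in ("true", "1")

def audit_timed_login(conf_text):
    """Classify the timed-login settings in the text of a GDM custom.conf."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case as written instead of lowercasing
    try:
        parser.read_string(conf_text)
    except configparser.Error as exc:
        return {"status": "unparseable", "detail": str(exc)}
    daemon = parser["daemon"] if parser.has_section("daemon") else {}
    user = (daemon.get("TimedLogin") or "").strip()
    # Assumption: timed login only takes effect when enabled AND a user is named.
    active = _is_true(daemon.get("TimedLoginEnable")) and bool(user)
    try:
        delay = int(daemon.get("TimedLoginDelay", ""))
    except ValueError:
        delay = None  # key missing or not a number
    wayland = daemon.get("WaylandEnable")
    xorg_forced = wayland is not None and not _is_true(wayland)
    if not active:
        status = "not_enabled"
    elif xorg_forced:
        status = "enabled_xorg"           # the combination the report describes
    else:
        status = "enabled_check_session"  # confirm which display server is in use
    return {"status": status, "user": user or None, "delay": delay,
            "xorg_forced": xorg_forced}

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/gdm/custom.conf"
    with open(path, encoding="utf-8") as handle:
        print(audit_timed_login(handle.read()))
```

A result of `enabled_check_session` means timed login is on but the file alone does not say whether the login screen runs on X.org, so the display server has to be confirmed on the host.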