In some cases with timed login enabled, GDM will unlock a session for a different user than the one who typed their password
Burghard Britzke reported to firstname.lastname@example.org that he has found a bug in GDM's timed login implementation.
Under the right circumstances, after the timed login timeout expires, a running session may get misassociated with the timed login user instead of the user that started the session. Further attempts to log in as the timed login user will instead unlock the misassociated user session.
This only affects X.org, since we kill the login screen on Wayland after login.
Steps to reproduce:
- create two users bubi(1000) and user gast(1001)
- edit the /etc/gdm/custom.conf to enable timed login for the gast user

  [daemon]
  TimedLoginEnable=true
  TimedLogin=gast
  TimedLoginDelay=10

- login as user bubi(1000)
- lock the screen
Login as different user below the password field
gast from the user list and enter the password for the
- notice that the bubi user is unlocked instead of the
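
An added example, not part of the original report or GDM's own code: a Python check that reads the text of a GDM custom.conf and reports whether the timed-login settings used in the reproduction steps are active. The function name, result keys and sample strings are assumptions made for this example; WaylandEnable is GDM's [daemon] key for turning off the Wayland login screen.

```python
import configparser

# Constructed sample: the timed-login settings from the reproduction steps.
SAMPLE_ENABLED = "[daemon]\nTimedLoginEnable=true\nTimedLogin=gast\nTimedLoginDelay=10\n"
# Constructed sample: timed login commented out, login screen forced onto X.org.
SAMPLE_DISABLED = "[daemon]\n#TimedLoginEnable=true\nTimedLogin=gast\nWaylandEnable=false\n"


def audit_timed_login(conf_text):
    """Summarise the timed-login settings found in GDM custom.conf text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case; GDM keys are case-sensitive
    cp.read_string(conf_text)

    def flag(key, default):
        try:
            return cp.getboolean("daemon", key, fallback=default)
        except ValueError:  # this script's choice: unparsable value -> default
            return default

    user = cp.get("daemon", "TimedLogin", fallback="").strip()
    delay = cp.get("daemon", "TimedLoginDelay", fallback="").strip()
    return {
        # Timed login needs both the enable flag and a target user.
        "timed_login_active": flag("TimedLoginEnable", False) and bool(user),
        "user": user or None,
        "delay": int(delay) if delay.isdigit() else None,
        # WaylandEnable=false means the login screen always runs on X.org.
        "xorg_forced": not flag("WaylandEnable", True),
    }


if __name__ == "__main__":
    import sys
    # Pass a path such as /etc/gdm/custom.conf, or run with no argument
    # to audit the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ENABLED
    print(audit_timed_login(text))
```

A result with timed_login_active set to True marks a host that meets the configuration precondition described in the report; xorg_forced being False does not rule out an X.org session, since the session type can still be X.org for other reasons.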