[Bug 622083] New: lxsession-logout should lock the screen before suspending/hibernating/switching users
http://bugzilla.novell.com/show_bug.cgi?id=622083
http://bugzilla.novell.com/show_bug.cgi?id=622083#c0
Summary: lxsession-logout should lock the screen before suspending/hibernating/switching users
Classification: openSUSE
Product: openSUSE 11.3
Version: Final
Platform: Other
OS/Version: openSUSE 11.3
Status: NEW
Severity: Normal
Priority: P5 - None
Component: LXDE
AssignedTo: andrea@opensuse.org
ReportedBy: guido+opensuse.org@berhoerster.name
QAContact: qa@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4
lxsession-logout currently does not lock the screen before suspending/hibernating/switching users which is a security and privacy issue.
Reproducible: Always
Steps to Reproduce:
1.
2.
3.
--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #1 from Guido Berhörster
--- Comment #5 from Matthias Weckbecker
--- Comment #8 from Guido Berhörster
I'm also having problems with the patch:
- The patch hardcodes the preferred screensaver.
- It only checks which screensaver is installed, but not which one is actually running (similar to http://bugzilla.xfce.org/show_bug.cgi?id=3791)
- If the screensaver is installed but not running, locking will fail:
  $ xscreensaver-command -lock
  xscreensaver-command: no screensaver is running on display :0.0
  $ gnome-screensaver-command --lock
  ** Message: Screensaver is not running!
Hmm, all three points could be addressed by checking the exit code, I'll rework the patch tomorrow.
- AFAIK newer versions of gnome-screensaver require a running gnome-session and therefore will not work inside an LXDE session.
No, it works just fine.
- Why not use xdg-screensaver?
Because it suffers from the same problems as my patch. It checks whether xscreensaver is running and otherwise uses the screensaver of the currently running desktop environment which will fail if another screensaver is running.
--- Comment #9 from andrea florio
Has anybody tried to contact LXDE upstream? I don't see this in their tracker, although I have admin privileges. I consider requesting a CVE without contacting upstream first is bad.
i had no time, here upstream bugreport https://sourceforge.net/tracker/?func=detail&aid=3030798&group_id=180858&atid=894869
--- Comment #10 from Christoph Wickert
Hmm, all three points could be addressed by checking the exit code, I'll rework the patch tomorrow.
I guess the first point can be fixed by checking for the running screensaver and considering it the preferred one. Problems 1 and 2 solved, this leaves number 3: One could also argue that if no screensaver is running, locking is not desired and thus should not happen. I very much tend to agree with that logic.
- AFAIK newer versions of gnome-screensaver require a running gnome-session and therefore will not work inside an LXDE session.
No, it works just fine.
OK, the problems I was thinking of just affect the timed screensaving, not the manual one.
- Why not use xdg-screensaver?
Because it suffers from the same problems as my patch. It checks whether xscreensaver is running and otherwise uses the screensaver of the currently running desktop environment which will fail if another screensaver is running.
Ok, fair enough. It would be nice to have some kind of configuration for the preferred screensaver, but lxsession is definitely not the right place. Last but not least: Checking for the running screensaver should be multi-seat safe, e.g. if another user runs a screensaver but I'm not, it shouldn't lock my session if I suspend/hibernate.
--- Comment #11 from Guido Berhörster
Ok, fair enough. It would be nice to have some kind of configuration for the preferred screensaver, but lxsession is definitely not the right place.
Last but not least: Checking for the running screensaver should be multi-seat safe, e.g. if another user runs a screensaver but I'm not, it shouldn't lock my session if I suspend/hibernate.
Checking for the running screensaver through the process list is impossible to do in a portable way and error-prone. I think going through a list of locking commands and checking the exit code to see which one succeeds is simpler and more solid. Does this look acceptable for inclusion upstream? If yes, I'll put a patch for the current git version in the SF.net bugtracker and re-submit to Factory and 11.3 Updates later. BTW, this should be changed in XFCE and xdg-screensaver as well.
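The approach proposed in this comment, walking a list of locking commands and trusting only the exit status, as an added shell example that is not part of the thread or of lxsession. `LOCKERS`, `lock_screen`, `lock_then` and the `REQUIRE_LOCK` switch are hypothetical names; the two default commands are the ones quoted in comment #8.

```shell
#!/bin/sh
# Added example, not lxsession code. One locking command per line, tried in
# order; the two defaults are the commands quoted in comment #8.
LOCKERS='xscreensaver-command -lock
gnome-screensaver-command --lock'

# lock_screen LIST: run each command in LIST until one exits 0.
# Sets LOCKED_BY to the command that succeeded and returns 0; returns 1 if
# none did (not installed gives 127, installed but no daemon running gives
# another non-zero status), so no process-list inspection is needed.
lock_screen() {
    LOCKED_BY=
    while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        # Unquoted on purpose: split "name args" into separate words.
        if $cmd </dev/null >/dev/null 2>&1; then
            LOCKED_BY=$cmd
            return 0
        fi
    done <<EOF
$1
EOF
    return 1
}

# lock_then ACTION...: lock first, then run ACTION (e.g. the suspend call).
# REQUIRE_LOCK is a hypothetical policy switch: 1 refuses to continue when
# nothing locked, 0 follows the "no screensaver running, no lock wanted"
# argument from comment #10.
lock_then() {
    if ! lock_screen "$LOCKERS" && [ "${REQUIRE_LOCK:-1}" = 1 ]; then
        echo "no screen locker succeeded; refusing to continue" >&2
        return 1
    fi
    "$@"
}
```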
--- Comment #13 from Guido Berhörster
guido, please continue on the sf tracker linked on comment #9
feel free to commit fixed patch into X11:lxde when ready so that i can finally submit fixed package
Don't worry, I'll take care of submitting this to Factory and 11.3 Updates today. It would just be nice to have upstream comment on this solution. I'll submit a patch against the git version on the upstream tracker.
--- Comment #14 from andrea florio
Don't worry, I'll take care of submitting this to Factory and 11.3 Updates today. It would just be nice to have upstream comment on this solution. I'll submit a patch against the git version on the upstream tracker.
i'm sorry i need to do it, there is another pending fix for lxsession that must
be submitted with that one as well, so please just write here when the patch is
ready to be submitted
--- Comment #15 from andrea florio
Don't worry, I'll take care of submitting this to Factory and 11.3 Updates today. It would just be nice to have upstream comment on this solution. I'll submit a patch against the git version on the upstream tracker.
i'm sorry i need to do it, there is another pending fix for lxsession that must be submitted with that one as well, so please just write here when the patch is ready to be submitted
--- Comment #16 from Guido Berhörster
i'm sorry i need to do it, there is another pending fix for lxsession that must be submitted with that one as well, so please just write here when the patch is ready to be submitted
OK, new patch is in X11:lxde, feel free to proceed.
--- Comment #17 from andrea florio
--- Comment #18 from Christoph Wickert
--- Comment #19 from andrea florio
--- Comment #20 from Guido Berhörster
We have a problem now: This breaks user-switching. Imagine user A uses the computer, then allows B to switch. B hibernates the computer, the screen is locked. Now A comes back and cannot access his desktop. He can only turn off the machine which is likely to cause data loss. IMHO this is worse than the privacy issue.
That is a non-issue and not related to lxsession-logout, you don't need to hibernate or suspend, activation of the screensaver will also lock the screen. And that's why xscreensaver and gnome-screensaver offer logging in as another user (provided your OS and login manager support that).
--- Comment #23 from Christoph Wickert
this is not something lxsession cares about. it's up to the software used as screensaver. feel free to open a bug report against xscreensaver and any other screensaver software that lacks such capability
As long as you cannot guarantee that the screen can be unlocked, you are making the problem worse than it is. IMHO you should disable the switch user functionality in lxsession.
(In reply to comment #20)
That is a non-issue and not related to lxsession-logout, you don't need to hibernate or suspend, activation of the screensaver will also lock the screen.
Only if the user configures locking, by default it will only blank.
And that's why xscreensaver and gnome-screensaver offer logging in as another user (provided your OS and login manager support that).
xscreensaver, which is the default screensaver in LXDE (and the only one working) does NOT support user switching.
--- Comment #24 from Guido Berhörster
(In reply to comment #20)
That is a non-issue and not related to lxsession-logout, you don't need to hibernate or suspend, activation of the screensaver will also lock the screen.
Only if the user configures locking, by default it will only blank.
No, on openSUSE both gnome-screensaver and xscreensaver lock after 10 min by default, so this is consistent behavior. Furthermore OS X, Windows, the GNOME and KDE power managers all lock the screen by default when suspending or hibernating.
And that's why xscreensaver and gnome-screensaver offer logging in as another user (provided your OS and login manager support that).
xscreensaver, which is the default screensaver in LXDE (and the only one working) does NOT support user switching.
xscreensaver does support user switching but it needs a capable login manager. LXDM seems broken in this regard, with GDM xscreensaver user switching works fine. Just one more reason not to use LXDM.
--- Comment #25 from Ludwig Nussel
--- Comment #26 from Christoph Wickert
I'll submit a patch against the git version on the upstream tracker.
AFAICS this didn't happen, upstream's bugtracker still only has the old patch. We now have another problem: lxsession 0.4.5 uses upower for hibernate/standby. After locking the screen the user is no longer allowed to do this. lxsession just locks the screen and when you unlock it, the logout dialog is still there and says "not authorized".
--- Comment #27 from Guido Berhörster
(In reply to comment #13)
I'll submit a patch against the git version on the upstream tracker.
AFAICS this didn't happen, upstream's bugtracker still only has the old patch.
It has been there since July 17th, did you even look? http://sourceforge.net/tracker/?func=detail&aid=3030907&group_id=180858&atid=894871 Apart from that it is also completely irrelevant since PCMan wants to implement a different solution which makes this configurable and executes the screensaver from shell script, we discussed that two months ago on the lxde mailing list. I even supplied the script for it and got the bug in gnome-screensaver-command fixed in the meantime.
We now have another problem: lxsession 0.4.5 uses upower for hibernate/standby. After locking the screen the user is no longer allowed to do this. lxsession just locks the screen and when you unlock it, the logout dialog is still there and says "not authorized".
I haven't looked into that, let's discuss this on the lxde list. This bug is against openSUSE 11.3/lxsession 0.4.4 and closed.
--- Comment #28 from Christoph Wickert
(In reply to comment #26)
(In reply to comment #13)
I'll submit a patch against the git version on the upstream tracker.
AFAICS this didn't happen, upstream's bugtracker still only has the old patch.
It has been there since July 17th, did you even look? http://sourceforge.net/tracker/?func=detail&aid=3030907&group_id=180858&atid=894871
Yes I did. The only bug report linked in this bug is http://sourceforge.net/tracker/?func=detail&aid=3030798&group_id=180858&atid=894869 and not http://sourceforge.net/tracker/?func=detail&aid=3030907&group_id=180858&atid=894871 where you added your patch. You should have attached your patch to the old bug that Andrea mentioned before instead of opening a new one. Things like this make it hard to track the issue.
--- Comment #29 from Guido Berhörster
Yes I did. The only bug report linked in this bug is
No, you obviously did not bother to read it.
http://sourceforge.net/tracker/?func=detail&aid=3030798&group_id=180858&atid=894869 and not http://sourceforge.net/tracker/?func=detail&aid=3030907&group_id=180858&atid=894871 where you added your patch. You should have attached your patch to the old bug that Andrea mentioned before instead of opening a new one. Things like this
Your crappy bugtracker would not let me attach a file so I put it on the patchtracker instead, I even noted that in the bugreport (http://sourceforge.net/tracker/?func=detail&aid=3030798&group_id=180858&atid=894869) and linked it, see the fifth comment. Could you now please refrain from spamming our bugtracker with these irrelevant things?
--- Comment #30 from Bernhard Wiedemann