Logon screen can be bypassed using various shortcuts

[N0rbert]

Original bug-report was reported at https://pad.lv/1948339 about Ubuntu MATE 21.10. Previous releases like 20.10 and 21.04 are affected too.

The essence of the above bug-report:

It turns out that several keyboard shortcuts are allowed while Ubuntu Mate is locked (arctica-greeter):

• Mod4 + S (mate-search-tool)
• Mod4 + E (Open Caja / File Explorer)
• CTRL + Shift + Esc (mate-system-monitor)
• PRNT (Screenshot)

All of the mentioned shortcuts could be used to spawn a file explorer (Caja) or various other binaries as user "lightdm", who owns the logon screen.

Although an interactive terminal like mate-terminal, xterm, lxterm etc. could not be opened directly, there are various options to run commands as the lightdm user, for example by creating a shell script using "caja", and execute it directly using the GUI.

I've attached Proof-of-Concept GIFs for all shortcuts mentioned above. There might be additional shortcuts that could be used to achieve the same, however I'm not aware about every shortcut that is configured, but I suppose that the root cause is located somewhere in arctica-greeter, rather than within every single binary launched by shortcuts.

The bug was reproduced on a fresh installation of Ubuntu Mate 21.10.

Please find additional version details below:

$ apt-cache policy lightdm

lightdm: Installed: 1.30.0-0ubuntu4 Candidate: 1.30.0-0ubuntu4 Version table: *** 1.30.0-0ubuntu4 500 500 http://de.archive.ubuntu.com/ubuntu impish/universe amd64 Packages 100 /var/lib/dpkg/status

$ apt-cache policy arctica-greeter

arctica-greeter: Installed: 0.99.1.5-2nmu1 Candidate: 0.99.1.5-2nmu1 Version table: *** 0.99.1.5-2nmu1 500 500 http://de.archive.ubuntu.com/ubuntu impish/universe amd64 Packages 100 /var/lib/dpkg/status

Thanks, Basti

[N0rbert]

Bug about arctica greeter is here - https://github.com/ArcticaProject/arctica-greeter/issues/28 .