getsolus / packages

Solus Package Monorepo & Issue Tracker

Insecure lock-screen with multi-monitor setup (T2952) #108

Open celticmagic opened 1 year ago

celticmagic commented 1 year ago
Leum Dunn (#HL_Benton), 2017-03-20 13:47:16 UTC

I have Solus installed on an HP EliteBook 850 with a second screen, a Samsung 4K monitor over DisplayLink. If I lock my screen and walk away, both the laptop and secondary monitors go blank. When I return and move my mouse or use my keyboard to wake the machine, both screens flicker as the lock screen is rendered. During this rendering process, the content of my desktop is displayed for a second or two before the unlock screen is drawn. This means that a malicious actor could simply walk up to my machine, wake the screen, record or photograph anything I'm working on, and walk away again. There are no logs or errors generated that I'm aware of to indicate to me a failed or incomplete logon attempt. I had planned to use power-saving settings to stop the screen from ever blanking, but whilst these stop the machine hibernating, they don't appear to stop the lock screen from blanking the screen. I am patched up to date as of 20.03.2017 and have a video of the issue (but don't know where to send it). This is the first time I've ever submitted a bug to any project, so please let me know if you require additional detail. Thanks, HL.
celticmagic commented 1 year ago
Leum Dunn (#HL_Benton), 2017-03-23 12:25:59 UTC

Additional note: I've been working with this for a few days now and have discovered that occasionally (like one time in ten), the lock screen doesn't draw at all and waking the computer doesn't require a password. I think this is a fairly serious security issue and would appreciate it being looked at. Cheers,
celticmagic commented 1 year ago
Pierre-Yves (#kyrios123), 2017-03-23 12:42:14 UTC

I have noticed the same problem with the MATE edition of Solus. I'm also using a laptop (but not connected to an external monitor).
celticmagic commented 1 year ago
Leum Dunn (#HL_Benton), 2017-03-23 16:13:15 UTC

There's a video of the issue on the G+ group here - https://plus.google.com/+LeumDunn/posts/PxXxBGuV2vG Also, I had a new error this afternoon where the lock screen drew without rendering either the mouse cursor or the unlock dialogue box. Thankfully I was able to wait for the screen to time out and blank, and then it worked as expected the second time around (again with the flashing).
celticmagic commented 1 year ago
sflmlt (#sflmlt), 2017-04-12 12:17:13 UTC

Does anyone know when this is expected to be addressed? While I'm fine going back to Ubuntu (GNOME these days, I suppose) and looping back to check in on Solus later, I'd much prefer to give Solus a go. Unfortunately, getting locked out of my workstation doesn't really fly...
celticmagic commented 1 year ago
Leum Dunn (#HL_Benton), 2017-04-12 12:39:32 UTC

FWIW - I'm using Solus as my daily driver and I've learnt to live with this lockscreen behaviour. If the screen wakes and fails to draw the password dialogue box, then I can unplug and replug the monitor to force it to switch between multi and single monitor modes - this often causes the password dialogue box to draw correctly second time around. There's still the obvious privacy concern around the flickering - but I've not had to hard reboot my machine to get back in for a week or two now. I think the behaviour 'may' be worse on my machine than others because my second monitor is a 4k panel that draws 4 separate 1920x1080 screens and stitches them together (SAMSUNG UD590). If someone can tell me how to grab the Linux equivalent of event logs then I'm happy to share them - I'm still learning my way around Linux so don't yet know where to find such things...
celticmagic commented 1 year ago
Ikey Doherty (#ikey), 2017-04-12 16:18:59 UTC

Lock screen fault is down to gnome-screensaver. I'll look around and see if we can somehow employ some alternative.
celticmagic commented 1 year ago
sflmlt (#sflmlt), 2017-04-13 05:45:43 UTC

Thank you both for the prompt reply. A quick clarification on this. I think that HL_Benton and I are having a different problem. It sounds like HLB sees his desktop when he shouldn't with a side of incorrect rendering (running an external monitor) while I get locked out of my desktop (with one monitor). I can give it another try to confirm whether HLB's approach works for my situation if that helps.
celticmagic commented 1 year ago
Pierre-Yves (#kyrios123), 2017-04-13 07:40:26 UTC

#ikey : In case it can help, I have similar issue on the MATE edition (which I believe uses the mate screensaver). Perhaps T619 has a similar root cause ?
celticmagic commented 1 year ago
Ikey Doherty (#ikey), 2017-04-13 12:43:38 UTC

Yeah one is a fork of the other :)
celticmagic commented 1 year ago
Pierre-Yves (#kyrios123), 2017-04-15 16:30:36 UTC

Something else I did notice is that when an Oracle VirtualBox VM window is active, the computer unlocks without prompting for my credentials and I can keep on working in that window, BUT as soon as I switch to another window, I get prompted for my credentials to unlock my machine.
celticmagic commented 1 year ago
sflmlt (#sflmlt), 2017-04-15 16:50:46 UTC

> In T2952#57557, #kyrios123 wrote:
> Something else I did notice is that when an Oracle VirtualBox VM window is active, the computer unlocks without prompting for my credentials and I can keep on working in that window, BUT as soon as I switch to another window, I get prompted for my credentials to unlock my machine.

#kyrios123: that happens on other distros as well; I don't think it's just a Solus thing (Ubuntu 16.04, for one, does this as well). I've always been fine with that, as any remote host I connect to or VM I run in full screen (I'm assuming you mean when VB runs in full screen) typically locks its own display. Out of curiosity, have you also had cases where you get locked out completely?
celticmagic commented 1 year ago
Pierre-Yves (#kyrios123), 2017-04-15 17:36:25 UTC

#sflmlt I guess it's probably linked to a screen inhibitor feature of VirtualBox or so, but the behaviour is kind of different from the screen inhibitor of a video player like VLC, which works normally. With VirtualBox, I see the lock screen background; when I move the mouse, it immediately goes back to the desktop (I don't run VirtualBox in full screen), and it is only when I switch to another window that I am redirected back to the lock screen, this time with the window to input my credentials. I don't recall having this problem earlier on Ubuntu-based distros (Linux Mint 15 to 18.1) either, but I wasn't using virtual machines as much as I do nowadays.
celticmagic commented 1 year ago
sflmlt (#sflmlt), 2017-04-16 16:43:04 UTC

A bit more info on the case of getting locked out. It seems this happens only when the workspace running the full-screen remote session is left active (with Citrix in full screen). Selecting a different workspace or minimising the Citrix window works around the problem, so getting locked out is avoidable, albeit a bit error-prone. Update: I just noticed the only thing that's locked is the text field; the button on the login prompt works, which is odd. #kyrios123: you mean you can see the desktop (other windows' content) but aren't able to interact with anything but VB?
celticmagic commented 1 year ago
Martin (#baimafeima), 2018-01-03 08:13:35 UTC

> There are no logs or errors generated that I'm aware of to indicate to me a failed or incomplete logon attempt. Apologies if this is off-topic but I just read through #HL_Benton's initial post again and one of your sentences is actually worth a separate post. Maybe it is an idea for a Budgie 11 control center component but in any case some kind of easily accessible security feature that would inform a user of failed or incomplete logon attempts would be more than great. Maybe something similar to when an email provider informs a user of unsuccessful logon attempts. Surely, if someone actually had physical access to a computer, there are more things to worry about and I believe the most important one is addressed by T1617.
celticmagic commented 1 year ago
Snuggle (#Snuggle), 2018-03-16 19:29:24 UTC

> Maybe it is an idea for a Budgie 11 control center component but in any case some kind of easily accessible security feature that would inform a user of failed or incomplete logon attempts would be more than great. Maybe something similar to when an email provider informs a user of unsuccessful logon attempts. Surely, if someone actually had physical access to a computer, there are more things to worry about and I believe the most important one is addressed by T1617.

I'd like to expand this to SSH login attempts too. It'd be awesome to have a list of times that people have tried to log in with either SSH or the lock-screen greeter and failed. Perhaps a notification if there have been more than... 2/3 incorrect attempts?
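The report HL_Benton asks for in the opening post ("no logs or errors ... to indicate a failed or incomplete logon attempt") and that Martin and Snuggle expand on above can be assembled from what PAM and OpenSSH already write to the system log. The following is an added example, not code from this thread or from Solus: it parses syslog-style lines, counts `pam_unix(<service>:auth): authentication failure` entries from the screensaver's PAM service (gnome-screensaver here; mate-screensaver logs the same shape) and OpenSSH's own `Failed password` lines, and flags any source/user pair with three or more failures, the threshold Snuggle suggests. The sample log is constructed for the example; the hostname, PIDs, user name and addresses are invented. A real run would pipe `journalctl -o short` or /var/log/auth.log into it.

```python
"""Count failed lock-screen and SSH authentication attempts from syslog-style lines."""
import re
import sys
from collections import Counter
from dataclasses import dataclass

SYSLOG_TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"

# pam_unix writes one line per failed unlock through the screensaver's PAM service.
# The service name in parentheses is whatever the screensaver registered with PAM.
# "ruser=" also contains "user=", so the word boundary matters for the user capture.
PAM_FAIL_RE = re.compile(
    SYSLOG_TS + r" \S+ (?P<proc>[\w.-]+)(?:\[\d+\])?: "
    r"pam_unix\((?P<service>[\w.-]+):auth\): authentication failure;.*?\buser=(?P<user>\S*)"
)

# OpenSSH logs its own failure line in addition to the pam_unix one; we count only
# this one for SSH so a single bad password is not reported twice.
SSH_FAIL_RE = re.compile(
    SYSLOG_TS + r" \S+ sshd(?:\[\d+\])?: "
    r"Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+) port \d+"
)


@dataclass(frozen=True)
class Failure:
    ts: str
    source: str   # "lock-screen" or "ssh"
    user: str
    rhost: str    # "local" for the lock screen


def parse_failures(lines):
    """Return a Failure for every failed attempt in the given log lines, in log order."""
    failures = []
    for line in lines:
        m = SSH_FAIL_RE.match(line)
        if m:
            failures.append(Failure(m["ts"], "ssh", m["user"], m["rhost"]))
            continue
        m = PAM_FAIL_RE.match(line)
        if m and m["service"] != "sshd":   # sshd failures are counted from SSH_FAIL_RE
            failures.append(Failure(m["ts"], "lock-screen", m["user"], "local"))
    return failures


def over_threshold(failures, threshold=3):
    """Return {(source, user): count} for every pair with at least `threshold` failures."""
    counts = Counter((f.source, f.user) for f in failures)
    return {key: n for key, n in counts.items() if n >= threshold}


# Constructed sample: three bad unlock attempts, one successful unlock, one bad SSH
# password for a real user, one for an unknown user, then a successful key login.
SAMPLE_LOG = """\
Mar 23 12:01:02 elitebook gnome-screensaver-dialog[2210]: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=  user=leum
Mar 23 12:01:09 elitebook gnome-screensaver-dialog[2210]: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=  user=leum
Mar 23 12:01:15 elitebook gnome-screensaver-dialog[2210]: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=  user=leum
Mar 23 12:02:00 elitebook gnome-screensaver-dialog[2210]: pam_unix(gnome-screensaver:session): session opened for user leum by (uid=0)
Mar 23 12:05:41 elitebook sshd[3301]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10  user=leum
Mar 23 12:05:41 elitebook sshd[3301]: Failed password for leum from 192.0.2.10 port 51022 ssh2
Mar 23 12:05:47 elitebook sshd[3301]: Failed password for invalid user admin from 192.0.2.10 port 51023 ssh2
Mar 23 12:06:30 elitebook sshd[3310]: Accepted publickey for leum from 192.0.2.20 port 51100 ssh2: ED25519 SHA256:...
"""


def report(log_text=SAMPLE_LOG, threshold=3):
    """Parse a log text and return (all failures, pairs over the threshold)."""
    failures = parse_failures(log_text.splitlines())
    return failures, over_threshold(failures, threshold)


if __name__ == "__main__":
    # Read a real log from stdin when one is piped in; otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    failures, alerts = report(text)
    for f in failures:
        print(f"{f.ts}  {f.source:<11} user={f.user} from={f.rhost}")
    for (source, user), n in alerts.items():
        print(f"ALERT: {n} failed {source} attempts for user {user}")
```

The two regexes are deliberately separate: PAM's line tells you which service (screensaver, login, sudo) rejected the password, while only sshd's own line carries the remote address, which is what you want in an alert about network attempts. On a systemd host, `journalctl -b -o short | python3 failed_logins.py` covers the current boot; the `short` output format is the syslog layout the regexes expect.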
celticmagic commented 1 year ago
simon (#si), 2019-05-17 18:18:32 UTC

+1 from me, not multi-monitor, but the accurate issue, T6822, was closed as a duplicate of this?
celticmagic commented 1 year ago
Beatrice T. Meyers (#DataDrake), 2022-03-12 23:34:42 UTC

I don't think we have a resolution for this yet, but I'm going to move it to the right column.