joelburget / slimlock

SLiM + slock = slimlock
GNU General Public License v2.0
40 stars 17 forks source link

Possible bypass #10

Closed donSchoe closed 12 years ago

donSchoe commented 12 years ago

hi,

i recently noticed that i can bypass slimlock after long times of inactivity. if i don't use the computer for more than 24h (estimated) i can unlock the screen without entering a password: moving the mouse displays the slimlock login screen, but pressing any key removes the lockscreen without entering a password.

while browsing the internet i found a similar problem posted by an arch linux user - https://bbs.archlinux.org/viewtopic.php?id=134300

i'm using gentoo with slimlock v0.11...

cheers

joelburget commented 12 years ago

This reminds me of an issue that I forgot about. If you run setTimeout("alert('here')", 2000) in your browser and lock the screen before the alert pops up it will behave like user described in your link. It almost seems to be the opposite of what you say because in my case you can move the mouse pointer around and click on things but pressing a key will bring slimlock back up. Would you mind testing to see what happens on your computer?

donSchoe commented 12 years ago

the message pops up infront of the slimlock screen, but i can not bypass slimlock.

Guff commented 12 years ago

I hate this bug.

What other applications did you have running when the screen was locked? Have you let it run for this long before, and if so were you able to bypass it then as well?

Also, how exactly did you bypass it? When you went to unlock it, was slimlock's window visible? If so, what caused it to go away?

donSchoe commented 12 years ago

i opened this bug after i found out it's reproducable. it happened twice to me. i will try now to let it happen again and tell you all details and anomalities i may find.

i use gentoo with dwm window manager and only had 1 or 2 terminals open at that time.

i was able to bypass it like that:

  1. i returned home
  2. touched the mousepad and slimlock showed up
  3. i pressed the shift key (my password starts with a capital letter) and slimlock disappeared without entering a password
  4. i was now able to do everything i wanted to, even to access my root shell

but as i said before, this only happens after a long time of inactivity, of maybe 20, maybe 30 hours and more. (that's annoying to reproduce!)

more results in a few days ;)

ghost commented 12 years ago

I have the opposite problem (but maybe related, because it also happens after a long time of inactivity, so I post it here): if I leave slimlock on for several hours (say, leave work in the afternoon, come back the next morning) I cannot unlock it, no matter what I do. Slimlock is unresponsive. I cannot enter my password. I must ctrl+alt+f1, login in vt and killall -9 slimlock from there.

Also in gentoo, git version.

Guff commented 12 years ago

Eek.

Would either one of you guys be able to test xscreensaver to see if it suffers from the same issues? If you do, I imagine it would be much easier to either run a second X server instance or to run it in something like Xephyr.

ghost commented 12 years ago

I updated to latest git after my post and haven't had my issue since then. Maybe it was caused by something else. Right now it works perfectly.

Sorry for the noise :).

donSchoe commented 12 years ago

I'm closing this issue now. I'm using slimlock on a very unstable system and can hardly reproduce the behaviour mentioned above.

If someone else comes across this issue, simply re-open it.