Bug#721388: gdm3: anyone can change the user's next session

Laurent Bigonville bigon at debian.org
Tue Sep 10 09:23:37 UTC 2013

severity 721388 normal

Le Mon, 9 Sep 2013 19:22:29 +0200,
Vincent Lefevre <vincent at vinc17.net> a écrit :

> On 2013-09-09 17:26:30 +0200, Laurent Bigonville wrote:
> > So if I understood correctly:
> > 
> > 1) A "rogue" user has selected your user in the list and then
> > changed your session to something else.
> > 2) When you arrived in front of the screen you saw that your user
> > was already selected and then you just typed your password
> > 3) You were logged in using the wrong session.
> > 
> > Is that correct?
> I think that I cancelled first by typing Enter (i.e. an incorrect
> password).
> But, FYI, my user is selected by default as this is the only user
> of the machine.

I tried to reproduce this on a machine running GDM 3.8 and I definitely
cannot reproduce this. To save the default session of a user you really
need to enter the password of this user, and as soon as you are hitting
escape or enter with a wrong password, the session of the user is reset
to the saved one.

I guess that adding a timeout to un-select the user (return from the
screen where you need to enter the password to the one (main) were you
select the user) could mitigate this issue. I'll open an upstream bug
for this.


Laurent Bigonville

More information about the pkg-gnome-maintainers mailing list