Bug#980071: gnome-shell: Using suspend in the gnome-shell power off/log out menu does log out and suspend in the wrong order

Simon McVittie smcv at debian.org
Thu Jan 14 09:10:13 GMT 2021


On Wed, 13 Jan 2021 at 23:31:40 +0000, A Ozbay wrote:
> When I use the suspend option in the power off/log out menu, gnome-shell
> first logs me off, as if I clicked log off instead. Then, when I enter my
> password on this screen, my computer enters suspend mode. Upon resuming
> my pc from suspend, I am logged into my user account without a password
> prompt.

I suspect this is a GNOME Shell crash during screen locking. Please check
the system log (systemd journal) around the time that you suspended for
error and warning messages.

That behaviour is consistent with this sequence of events:

* You ask to suspend, but it takes a while for that to happen on your
  particular hardware
* GNOME Shell starts to prepare to suspend (locks the screen, etc.)
* Something goes wrong and the Shell crashes
* This ends your login session, taking you back to the gdm login screen
* You enter your password and log in again, starting a new GNOME session
* The new session is unaware that suspending is already in progress, so it
  does not have the opportunity to lock the screen before...
* The suspend process finally finishes
* The hardware suspends

A Shell crash is definitely a bug, but is not a bug that is going to be
solvable without more information:

* What messages appear in the system log (systemd journal)?
* Do you have any GNOME Shell extensions enabled?

> This enables a person with physical access to the machine in a suspended
> state to log into my account without any password required whatsoever
> which is a grave security issue.

You can avoid this by not entering your password while the machine is
in a transitional state (already trying to suspend).

If you believe you have discovered a security vulnerability that is not
already known to the public, please report it privately, rather than
reporting it to the public bug tracking system. However, I don't think
this particular bug will be considered to be a security vulnerability.

    smcv
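
The sequence described in the message above (Shell crash, fresh login, then suspend) can be searched for in the journal. The script below is an added example, not part of the original message or of any GNOME or Debian tooling; the message patterns, the two-minute window, and the sample lines (host `host`, user `alice`) are assumptions constructed for illustration.

```python
import re, sys
from datetime import datetime, timedelta

# Assumed message wording; it differs between systemd and kernel versions.
PATTERNS = {
    "crash": re.compile(r"systemd-coredump\[\d+\]: .*\(gnome-shell\).*dumped core"),
    "login": re.compile(r"systemd-logind\[\d+\]: New session \S+ of user"),
    "suspend": re.compile(r"kernel: PM: suspend entry"),
}

# Constructed sample in `journalctl -o short-iso` layout (not from the bug report).
SAMPLE = """\
2021-01-13T23:20:02+0000 host systemd-coredump[2210]: Process 1510 (gnome-shell) of user 1000 dumped core.
2021-01-13T23:20:09+0000 host systemd-logind[612]: New session 7 of user alice.
2021-01-13T23:20:14+0000 host kernel: PM: suspend entry (deep)
2021-01-13T23:41:50+0000 host kernel: PM: suspend exit
"""

def parse(lines):
    """Yield (timestamp, kind) for lines matching one of PATTERNS."""
    for line in lines:
        stamp, _, rest = line.partition(" ")
        try:
            when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S%z")
        except ValueError:
            continue  # continuation lines, "-- Boot --" markers, etc.
        for kind, pat in PATTERNS.items():
            if pat.search(rest):
                yield when, kind

def unlocked_suspends(lines, window=timedelta(minutes=2)):
    """Return (crash, login, suspend) timestamps where a session was opened after
    a gnome-shell crash and the machine suspended within `window` of that crash."""
    hits, crash, login = [], None, None
    for when, kind in parse(lines):
        if kind == "crash":
            crash, login = when, None
        elif kind == "login" and crash and when - crash <= window:
            login = when
        elif kind == "suspend":
            if crash and login and when - crash <= window:
                hits.append((crash, login, when))
            crash = login = None  # a suspend closes the window either way
    return hits

if __name__ == "__main__":
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    for crash, login, susp in unlocked_suspends(source):
        print(f"shell crash {crash:%H:%M:%S}, login {login:%H:%M:%S}, suspend {susp:%H:%M:%S}")
```

To run it against a real boot, pipe in `journalctl -b -o short-iso`; with no piped input it falls back to the constructed sample.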



More information about the pkg-gnome-maintainers mailing list