Author Topic: Warning: Screen unlocks without password if foreground app has ALT as a shortcut  (Read 2146 times)

Offline walter

  • Jr. Member
  • **
  • Posts: 33
  • Karma: 3
  • New Forum User
    • View Profile
  • Peppermint version(s): Peppermint 8 Respin (64-bit)
I would like to share a possible security concern that I have just noticed: the locked screen unlocks by itself(!), that is, without entering a password, when waking up the monitor that has been switched off after sleep mode!

This is a desktop PC that I leave on 24/7, with just the screen locked (via ALT-CTRL+L).

In the XFCE Power Manager I have enabled "Lock screen when system is going to sleep" (System tab), and on the "Display" tab I have allowed "Handle display power management" plus time intervals for all the possibilities below as follows: "Blank after": 10 min., "Put to sleep after": 30 min., "Switch off after": 60 min.

Now, with this set-up the screen-locker is still active and prompts for a password after the screen goes blank (10 min.). But after locking the screen and leaving it for several hours, assuming that it has been first put to sleep, after switching it on (through the ON button) I find the screen unlocked!!!

This situation seems to be fixed when I disable "Handle display power management" in XFCE Power manager, but I wanted to point your attention to this potential security issue. I might be misinterpreting some of the XFCE PM settings, though  :-\

EDIT: typo!

EDIT: After extended tests I can say that I was wrong concluding that the power management app was the culprit.  :-[

Instead, I have now found that when trying to lock the screen and Vivaldi (the browser) was the active window, the CTRL+ALT+L shortcut (more specifically, ALT) sometimes activates the Vivaldi menu just a moment before the screen-locking process starts. This results in a screen that looks like it is locked, but is easily unlocked WITHOUT ENTERING A PASSWORD once one moves the mouse!

Please be aware of that and check twice, especially if you intend leaving the PC on, and just switch off the screen before leaving (as I did)!

NOTE: I have also modified the subject of the post to reflect the new findings. In my situation the culprit was Vivaldi, but any other program that uses ALT as a shortcut might lead to the described problem. Therefore I have written a slightly more general subject...
« Last Edit: July 27, 2016, 02:32:22 am by walter »

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 26452
  • Karma: 65531
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 10
Thanks walter .. I'll see if I can replicate.
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline walter

  • Jr. Member
  • **
  • Posts: 33
  • Karma: 3
  • New Forum User
    • View Profile
  • Peppermint version(s): Peppermint 8 Respin (64-bit)
Meanwhile I have tried to reproduce this several times, but failed.  :-\

However, I have noticed the same effect when locking the screen while Vivaldi (the browser) was the active window!!!

It seems that some of the keys that should lock the screen (ALT, CTRL, or L) opens the browser menu just before the screen locker starts (and blurs the screen as if it is locked), but when the mouse is moved at this stage the screen gets unlocked without a password.

Now I strongly suspect that this effect might have been in play when I previously have locked the PC-screen before leaving the PC, and when moving the mouse upon return at the PC (to wake up the monitor) I found the screen unlocked without entering a password... Leaving the PC for such a long time to activate the monitor power management led me to believe that the XFCE PM was causing the problem while it might not be the problem after all...

Could someone else replicate this reliably as I do now?

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 26452
  • Karma: 65531
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 10
Thanks for the updated info .. I'll try installing vivaldi, but at the end of the day it's not a default app so if it's causing problems it's not 'really' at our end .. Ctrl+Alt+L is a standard keyboard shortcut for screenlock so vivaldi shouldn't really be using it.

Can the keyboard shortcuts not be changed in vivaldi (I've currently never tried vivaldi).
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline walter

  • Jr. Member
  • **
  • Posts: 33
  • Karma: 3
  • New Forum User
    • View Profile
  • Peppermint version(s): Peppermint 8 Respin (64-bit)
Just to let you know that I have updated the original post, providing more details from my research.

Offline Slim.Fatz

  • Global Moderator
  • Veteran
  • *****
  • Posts: 2343
  • Karma: 616
  • Where's the mouse?
    • View Profile
  • Peppermint version(s): Peppermint 7, 8.5 & 10 - 64bit
EDIT: After extended tests I can say that I was wrong concluding that the power management app was the culprit.  :-[

Instead, I have now found that when trying to lock the screen and Vivaldi (the browser) was the active window, the CTRL+ALT+L shortcut (more specifically, ALT) sometimes activates the Vivaldi menu just a moment before the screen-locking process starts. This results in a screen that looks like it is locked, but is easily unlocked WITHOUT ENTERING A PASSWORD once one moves the mouse!

Please be aware of that and check twice, especially if you intend leaving the PC on, and just switch off the screen before leaving (as I did)!

NOTE: I have also modified the subject of the post to reflect the new findings. In my situation the culprit was Vivaldi, but any other program that uses ALT as a shortcut might lead to the described problem. Therefore I have written a slightly more general subject...

Hi walter,

Unfortunately very many GUI-based programs use the <Alt> key to activate their menu -- it has become more or less a standard key for accessing the menu without needing to use the mouse. All of the programs I have tested (there may be exceptions since, of course, I cannot check every possible program from the thousands that are available) are programmed with this as their menu activation key.

Note that when using the key combination <Ctrl><Alt><whatever> you can sometimes avoid this behavior (again, at least this is true for some GUI-based programs that I have tested -- and I do not have Vivaldi) by first pressing the <Ctrl> key and then secondly the <Alt> key. This might not work for Vivaldi and so you should check to see if it is possible to change its keyboard shortcuts.

Let us know your results.

Regards,

-- Slim
Respect science, respect nature, respect each other.

Tread lightly: Fluxbox, JWM, i3, Openbox, awesome

Offline zebedeeboss

  • Global Moderator
  • Hero
  • *****
  • Posts: 3233
  • Karma: 625
  • Life first... Peppermint a close 2nd :)
    • View Profile
  • Peppermint version(s): P10 / P9 Respin
Hi walter

Having looked at Vivaldi on my machine and "F2" quick commands - I cannot see anything that uses "ctrl+alt+anything" key combination.

However, try and lock the screen with Vivaldi as the active window and it appears to do it. Move the mouse and it goes back to a normal screen and is in fact NOT locked, it just looked it

It would appear the port to the Linux platform is still using the "Windows" way of working and that is, the minute you touch the "alt" key, no matter the key-combination used, it activates the menu and brings it down to use.  This then interferes with the Linux functionality as Vivaldi is expecting you do something with the alt menu you just activated.

This doesn't really help you unless you DE-activate keyboard shortcuts in Vivaldi. It does, however, confirm your suspicions and will enable you to submit a bug to Vivaldi developers should you wish to do so.

Regards Zeb...
Be Kind Whenever Possible...   It is Always Possible - Dalai Lama

P10r x64 Desktop - AMD Threadripper 2950X - 64Gb RAM - NVIDIA RTX2080Ti 11Gb - 2 x 27" 4k

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 26452
  • Karma: 65531
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 10
There's always the option of switching to light-locker as the screenlock .. have you tried that ?
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline walter

  • Jr. Member
  • **
  • Posts: 33
  • Karma: 3
  • New Forum User
    • View Profile
  • Peppermint version(s): Peppermint 8 Respin (64-bit)
There's always the option of switching to light-locker as the screenlock .. have you tried that ?

Uhm... I thought that ALT+CTRL+L activated the light-locker, isn't it? If not, how to use the option you speak of?

Offline walter

  • Jr. Member
  • **
  • Posts: 33
  • Karma: 3
  • New Forum User
    • View Profile
  • Peppermint version(s): Peppermint 8 Respin (64-bit)
It would appear the port to the Linux platform is still using the "Windows" way of working and that is, the minute you touch the "alt" key, no matter the key-combination used, it activates the menu and brings it down to use.  This then interferes with the Linux functionality as Vivaldi is expecting you do something with the alt menu you just activated.

Yup, exactly that! However, I can not replicate this reliably - sometimes the screen locks as expected, sometimes not...

Anyway, thanks for confirming my suspicion! I am not sure I am willing to file a bug-report with Vivaldi, though... Too much things on my plate right now...

Offline walter

  • Jr. Member
  • **
  • Posts: 33
  • Karma: 3
  • New Forum User
    • View Profile
  • Peppermint version(s): Peppermint 8 Respin (64-bit)
Unfortunately very many GUI-based programs use the <Alt> key to activate their menu -- it has become more or less a standard key for accessing the menu without needing to use the mouse. All of the programs I have tested (there may be exceptions since, of course, I cannot check every possible program from the thousands that are available) are programmed with this as their menu activation key.

Hm, I couldn't find such an example on my almost pure (as in default) PM7 system... The only program I have added is Vivaldi.

Offline murraymint

  • Trusted User
  • Veteran
  • *****
  • Posts: 2170
  • Karma: 441
  • soft boiled with a yolk of gold
    • View Profile
  • Peppermint version(s): 7, 8, 9
There's always the option of switching to light-locker as the screenlock .. have you tried that ?

Uhm... I thought that ALT+CTRL+L activated the light-locker, isn't it? If not, how to use the option you speak of?

light-locker is a different program in the repo. xflock is what locks the screen in Peppermint 7, I think. You would have to install light-locker and change the command in Menu > Preferences > Default Applications > Core applications > Lock screen manager to read light-locker

Offline walter

  • Jr. Member
  • **
  • Posts: 33
  • Karma: 3
  • New Forum User
    • View Profile
  • Peppermint version(s): Peppermint 8 Respin (64-bit)
Thanks for the clarification! I enjoy a lot the cool blurry look of the default screen-lock, so I won't switch unless (hardly) pressed by some huge problem with the current solution...  ;)

Offline Slim.Fatz

  • Global Moderator
  • Veteran
  • *****
  • Posts: 2343
  • Karma: 616
  • Where's the mouse?
    • View Profile
  • Peppermint version(s): Peppermint 7, 8.5 & 10 - 64bit
Unfortunately very many GUI-based programs use the <Alt> key to activate their menu -- it has become more or less a standard key for accessing the menu without needing to use the mouse. All of the programs I have tested (there may be exceptions since, of course, I cannot check every possible program from the thousands that are available) are programmed with this as their menu activation key.

Hm, I couldn't find such an example on my almost pure (as in default) PM7 system... The only program I have added is Vivaldi.
Hi walter,
Try the text editor (Pluma) or the file manager (Nemo) where for both the <Alt> key activates the programs menu.  ;)

Regards,

-- Slim
Respect science, respect nature, respect each other.

Tread lightly: Fluxbox, JWM, i3, Openbox, awesome

Offline zebedeeboss

  • Global Moderator
  • Hero
  • *****
  • Posts: 3233
  • Karma: 625
  • Life first... Peppermint a close 2nd :)
    • View Profile
  • Peppermint version(s): P10 / P9 Respin
Unfortunately very many GUI-based programs use the <Alt> key to activate their menu -- it has become more or less a standard key for accessing the menu without needing to use the mouse. All of the programs I have tested (there may be exceptions since, of course, I cannot check every possible program from the thousands that are available) are programmed with this as their menu activation key.

Hm, I couldn't find such an example on my almost pure (as in default) PM7 system... The only program I have added is Vivaldi.
Hi walter,
Try the text editor (Pluma) or the file manager (Nemo) where for both the <Alt> key activates the programs menu.  ;)

Regards,

-- Slim

Hi Slim.Fatz

In Linux you generally have to press alt+anotherkey.   ie  alt+f  for the file menu

in Vivaldi as soon as you press alt - the menu drops down...  and therein lies the problem I think.

Regards Zeb...
Be Kind Whenever Possible...   It is Always Possible - Dalai Lama

P10r x64 Desktop - AMD Threadripper 2950X - 64Gb RAM - NVIDIA RTX2080Ti 11Gb - 2 x 27" 4k