Choose style:

Author Topic: Potential login vulnerability?  (Read 1106 times)

0 Members and 1 Guest are viewing this topic.

Offline raz

  • nOOb
  • *
  • Posts: 3
  • Karma: 0
  • New Forum User
    • View Profile
  • Peppermint version(s): 5
Potential login vulnerability?
« on: August 30, 2014, 12:40:50 am »
Started the OS (Peppermint 5). At the login screen, rather than typing my password, I inserted a USB disk containing a video. I was greeted with a window and chose to open the disk with the file manager. I then started the video and watched it. All while at the login screen. As I closed the movie player, I had magically made it beyond the login screen, into the desktop, and without entering a password.

Is this normal behavior? Can anyone try to replicate it on their side?

Offline iamesperambient

  • Veteran
  • ****
  • Posts: 1269
  • Karma: 89
  • a totally awesome dude
    • View Profile
    • i AM esper (drone ambient music)
  • Peppermint version(s): Peppermint 8 64 bit
Re: Potential login vulnerability?
« Reply #1 on: August 30, 2014, 01:30:44 am »
im not sure if this is the same thing as you mean but i have my log in screen set with no password
you can change this in users and groups. I found this option when i messed up my desktop big time
and could not find the wireless icon so i decided to make a new user and start from scratch, i than figured out
you can set no password not sure if this is default or not.
http://iamesper.bandcamp.com
boring drone music from NJ

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 25660
  • Karma: 2819
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 8R, 9, and 9R
Re: Potential login vulnerability?
« Reply #2 on: August 30, 2014, 07:39:47 am »
Started the OS (Peppermint 5). At the login screen, rather than typing my password, I inserted a USB disk containing a video. I was greeted with a window and chose to open the disk with the file manager. I then started the video and watched it. All while at the login screen. As I closed the movie player, I had magically made it beyond the login screen, into the desktop, and without entering a password.

Is this normal behavior? Can anyone try to replicate it on their side?

And this was at the bootup login screen, not the lock screen, or after logging off ? .. AFAIK file manager shouldn't even have started by the time you reach the login screen.

I'll look into this as soon as I get time.
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 25660
  • Karma: 2819
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 8R, 9, and 9R
Re: Potential login vulnerability?
« Reply #3 on: August 31, 2014, 06:32:02 am »
I absolutely cannot reproduce this (and believe me I've tried)  :-\

As I said, pcmanfm shouldn't even be running at the login screen, so shouldn't be able to automount anything, let alone offer to choose an app for its contents.

And light-lockers "Lock Screen" doesn't display a "choose" action (even though pcmanfm is running in the background) .. in fact if you lock the screen with light-locker, then insert a USB stick, nothing happens, but when you log in there's a dialog box open saying you need to enter your password to mount the drive .. so light-locker is preventing automounting as it should.
« Last Edit: August 31, 2014, 06:36:13 am by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec