Bug 1271436 - login not secure
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: gdm
Version: 22
Hardware: All Linux
Priority: unspecified
Severity: medium
Assigned To: Ray Strode [halfline]
QA Contact: Fedora Extras Quality Assurance
Reported: 2015-10-13 20:54 EDT by Richard Jasmin
Modified: 2015-10-14 08:25 EDT
Doc Type: Bug Fix
Last Closed: 2015-10-14 08:25:10 EDT
Type: Bug

Description Richard Jasmin 2015-10-13 20:54:16 EDT
Description of problem:
This only applies when using the Xorg interface; console logins are not affected. This insecurity is a well-known issue on LANs and networked systems (at least 15 years). Standalone and lonely average PCs see this as a convenience.

Basically the user is presented with prior login information. Assuming there is only one average user, this may also be the reason.

Neither condition, however, should trigger this action. The less a hacker knows the better. And it is well known also that Windows utilities can read extended volumes without needing a login.

Therefore, some level of encryption is warranted. Some prefer whole disk, some home folder. I think both are a tad wasteful. I prefer containers and Private folder linking. Generally if not logged in, this info is not available. Works wonders when browser and mail cached data is Privatized. But, some say this won't work with NFS mounts.

At a MINIMUM, nobody should be autologged in or have login info on the login page. You should know your login information. After all, most of you set the system up.

I have yet to test root logins under X11. I'm being told it won't let you.

Version-Release number of selected component (if applicable):
21+ but as you know 21 soon to be retired.

How reproducible:
Every time you log in via X11

Steps to Reproduce:
1. Don't log in yet, just look.
Comment 1 Dave Airlie 2015-10-13 21:24:09 EDT
Xorg has nothing to do with drawing the login screen or logging in.
Comment 2 Ray Strode [halfline] 2015-10-14 08:25:10 EDT
There's a tradeoff to be made, and by default, in Fedora Workstation, we feel keeping the user list available is worth the information disclosure for the lion's share of users.

However, we recognize this default is not appropriate for all sites and users. Also, certainly opinions can differ on where it is appropriate. So we provide a mechanism to disable the user list via dconf configuration.

See https://help.gnome.org/admin/system-admin-guide/stable/login-userlist-disable.html.en for more details.
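
An added example, not part of the original comments or of the GNOME guide: a shell check an administrator could use to confirm that the user list is disabled in GDM's dconf keyfiles. The keyfile directory `/etc/dconf/db/gdm.d` and the key `disable-user-list` under `[org/gnome/login-screen]` are taken as the layout used by the linked guide and should be checked against it; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit GDM's dconf keyfiles for the user-list setting.
# Assumption: keyfiles live in /etc/dconf/db/gdm.d and are compiled into
# the database GDM reads by running `dconf update`.

# login_screen_values DIR
# Print every disable-user-list value found under [org/gnome/login-screen]
# in the keyfiles of DIR, one per line. Subdirectories (e.g. locks) and
# commented-out lines are ignored.
login_screen_values() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '
            /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[org\/gnome\/login-screen\][ \t]*$/); next }
            insec && /^[ \t]*disable-user-list[ \t]*=/ {
                sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print
            }
        ' "$f"
    done
}

# userlist_disabled DIR
# Returns 0 only if at least one keyfile sets the key to true and no keyfile
# sets it to anything else, so the verdict does not depend on which file
# takes precedence when keyfiles conflict.
userlist_disabled() {
    vals=$(login_screen_values "$1")
    [ -n "$vals" ] || return 1
    if printf '%s\n' "$vals" | grep -qvx 'true'; then
        return 1
    fi
    return 0
}

# Constructed demonstration in a scratch directory (no root needed).
demo=$(mktemp -d)
printf '[org/gnome/login-screen]\ndisable-user-list=true\n' > "$demo/00-login-screen"
if userlist_disabled "$demo"; then
    echo "user list hidden on the login screen"
else
    echo "user list still shown (GDM default)"
fi
rm -rf "$demo"
```

On a real system, pass `/etc/dconf/db/gdm.d` as the directory; the check reads the keyfiles only, so a change takes effect after `dconf update` has rebuilt the compiled database.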
