Fake login screens
Vincenzo Ciancia
ciancia at di.unipi.it
Sat Feb 14 17:54:03 UTC 2009
On 14/02/2009 Felipe Figueiredo wrote:
> As others said, more than once in this thread, the change is
> reversible.
> There will be a package to install so you don't have to edit your
> xorg.conf.

I will keep myself informed, but I expected that ubuntu-devel-discuss was
also a place to discuss Ubuntu development, involving high-impact
changes. My mistake, so I will keep myself informed.

However, it seems to me that nobody is getting the point about fake
login screens: if I am a *user* of somebody else's network, how can I
protect myself from another *user* faking a login screen, used as the
only running X application, and stealing my password?

Under some Windows versions, I can use ctrl+alt+delete. I bet the Mac
has something similar, and Xorg traditionally had ctrl+alt+backspace
(even though it also kills the session as a nice side effect). Now, you
have to consider that even an experienced system administrator may not
notice the change when he installs the next Ubuntu on the client
machines of a computing lab, or even worse when upgrading to it. Fancy
an inexperienced system administrator, as there are many.

I will surely write my own fake gdm as an exercise just in case I become
a user of such an admin :) Because of statistics, you know, if I carry
a bomb there can't be another bomb on my plane.

If the solution is "currently, Ubuntu Jaunty is vulnerable to this
problem", let's just admit it and make it public in the release notes at
least. So that people will know and avoid leaving the default
configuration on clients.

Personally I would love that the power button returned to gdm, and that
gdm created a new X session (like for the "guest login" use case) for
every login, without disappearing, and occupying a fixed tty (the one
the power button would return to). In that case, gdm could also offer a
pre-loaded and not-swappable emergency shell that the administrator may
access. However, this *really* needs a blueprint, so for now is there any
other solution?

Vincenzo