Security design flaw with "default" x-windows login behaviour

Dmitriy Kropivnitskiy nigde at
Sat Nov 20 15:50:12 CST 2004

I don't know what provoked the whole rant about technical and
non-technical users and Ubuntu goals, since I didn't say a word about
it. Let me dot the i's.

1. Timed auto-login in GDM means that after a specified number of
seconds of inactivity the system will log into the account without
prompting for a password.
2. During that timeout you are still able to log in as a different user
by supplying the proper user name and password combination.
3. In GDM it so happens that when you enter a wrong user name, it will
log you into the auto-login account.
3.1. If you just made a mistake in typing your user name and didn't mean
this to happen, you can log out and start over.
3.2. If you intended to randomly guess a user name and password to obtain
access to the system, you wouldn't need to, since it would log you in
automatically anyway.
3.3. Albeit you are logged into the account, the password is still
unknown to you, so if the user name is in the sudoers list, you still
cannot do any admin actions.
4. Ergo, calling something like this a security breach is SILLY!!!

"I didn't say Minnie was a little silly! I said she was fucking Goofy!"
Mickey Mouse

On Fri, 2004-11-19 at 20:43 -0500, Eric Dunbar wrote:

> Having a blank password send you into the default account, regardless
> of what's entered in the user name field is an illogical solution.
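As an added example that is not part of this thread or of GDM itself: a small audit script that reads a constructed GDM 2.x `gdm.conf` excerpt and a constructed `/etc/group` excerpt and reports the exposure described in points 1 and 3.3 (a password-less timed login, and whether the target account sits in an admin group). The `[daemon]` keys `TimedLoginEnable`, `TimedLogin` and `TimedLoginDelay` are the GDM 2.x names; the file contents and account names are made up for the demo.

```python
import configparser

# Constructed sample of a GDM 2.x gdm.conf [daemon] section (values are made up).
SAMPLE_GDM_CONF = """
[daemon]
AutomaticLoginEnable=false
AutomaticLogin=
TimedLoginEnable=true
TimedLogin=guest
TimedLoginDelay=30
"""

# Constructed /etc/group excerpt, used to check point 3.3 (admin membership).
SAMPLE_GROUP = """root:x:0:
admin:x:115:alice
sudo:x:27:alice,guest
"""

ADMIN_GROUPS = ("sudo", "admin", "wheel")


def parse_admin_members(group_text):
    """Return the set of users listed as members of any admin group."""
    members = set()
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4 and parts[0] in ADMIN_GROUPS and parts[3]:
            members.update(parts[3].split(","))
    return members


def audit_timed_login(gdm_conf_text, group_text):
    """Summarise the timed-login setting and flag what it exposes."""
    cp = configparser.ConfigParser()  # option names are case-insensitive here
    cp.read_string(gdm_conf_text)
    daemon = cp["daemon"] if cp.has_section("daemon") else {}
    enabled = daemon.get("TimedLoginEnable", "false").lower() == "true"
    account = daemon.get("TimedLogin", "")
    delay = int(daemon.get("TimedLoginDelay", "30") or 30)
    findings = []
    if enabled and account:
        findings.append(f"timed login into '{account}' after {delay}s without a password")
        if account in parse_admin_members(group_text):
            # The session is reachable without a password; sudo still asks for one.
            findings.append(f"'{account}' is in an admin group (sudo still needs its password)")
    return {"enabled": enabled, "account": account, "delay": delay, "findings": findings}


if __name__ == "__main__":
    for line in audit_timed_login(SAMPLE_GDM_CONF, SAMPLE_GROUP)["findings"]:
        print(line)
```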