Bug 739680

Summary: Login security problem
Product: [openSUSE] openSUSE 12.1 Reporter: Kalle Rautavuori <k.rautavuori>
Component: GNOME Assignee: E-mail List <gnome-bugs>
Status: RESOLVED DUPLICATE QA Contact: E-mail List <qa-bugs>
Severity: Enhancement    
Priority: P5 - None CC: badshah400, RBrownCCB
Version: Final   
Target Milestone: ---   
Hardware: x86-64   
OS: SUSE Other   

Description Kalle Rautavuori 2012-01-05 09:58:25 UTC
User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20100101 Firefox/9.0

When leaving the GNOME desktop unused so it goes to the locked state, I am then able to choose 'switch user' and be redirected to the login screen.
From there I am able to select power off or reboot - and all this without ever entering a password anywhere. I would guess that this is not a behaviour that was in the developers' mind, and it should be given some consideration on how to better manage the security of these steps.

Reproducible: Always

Steps to Reproduce:
1. lock screen
2. select 'switch user'
3. do anything you like with the upper right corner power switch

Actual Results:  
The ability to power down the computer even if someone has programs running behind a locked session, and all this without having to use a password

Expected Results:  
A password should be entered to perform powerdown if there is somebody actually using the computer.

Comment 1 Richard Brown 2012-01-05 10:18:55 UTC
Does this happen during a remote connection? - I've just tested it and it doesn't appear to be the case.

If this only happens when 'local', and you're physically at the machine, then from a security point of view, couldn't a potential miscreant just turn the hardware off using the physical power button?

Comment 2 Atri Bhattacharya 2012-06-30 14:19:40 UTC
This is a duplicate of bnc#726969.

*** This bug has been marked as a duplicate of bug 726969 ***