[Secure-testing-team] Bug#645427: Stopped locking the screen when closing the laptop lid

Josh Triplett josh at joshtriplett.org
Sat Oct 15 23:50:25 UTC 2011


On Sat, Oct 15, 2011 at 07:50:42PM -0400, Michael Gilbert wrote:
> Josh Triplett wrote:
> > > shouldn't necessarily be viewed as some kind of security lapse
> > > (especially since the screen is going to lock after some timeout
> > > anyway).
> > 
> > "immediately" versus "after several minutes" makes a big difference.
> 
> Once the user becomes familiar with the changed behavior, they will
> make appropriate behavioral changes; that doesn't mean the screen
> locking security model is broken, it's just different.

The user won't discover the changed behavior until after the first time
they close the lid, potentially walk away from their system, and come
back to find it still completely unlocked.  That should not happen even
once.

> > > As a counter-point, xscreensaver does not automatically lock on lid
> > > close either, and isn't expected to do so, so such behavior need not be
> > > considered as a security issue.  I guess what I'm saying is that lid
> > > close screen locking has in the past been a choice left up to the user,
> > > so there's no reason to consider the same behavior as a security issue
> > > now.
> > 
> > The regression makes it a security issue.  gnome-screensaver previously
> > locked on lid close, and now it doesn't.  It doesn't matter what
> > xscreensaver does, or what gnome-screensaver does in different
> > configurations.
> 
> The regression may certainly be a bug, and that's a fine thing to track.
> The xscreensaver and gnome-screensaver security models are identical,
> and the screen does not have to be locked on close in either.  That's an
> option for the user to choose if they like something like that.

The screen does not *have* to be locked, no.  The user may choose to
have the screen locked (which to the best of my knowledge represents the
default configuration for gnome-screensaver/gnome-power-manager).  If
the user *does* choose such a configuration, then a regression in that
behavior without any warning opens a hole in the user's security.  Even
*with* warning it seems problematic, but perhaps not quite as serious.

- Josh Triplett
