[Secure-testing-team] Bug#645427: Stopped locking the screen when closing the laptop lid

Josh Triplett josh at joshtriplett.org
Sat Oct 15 23:28:33 UTC 2011


On Sat, Oct 15, 2011 at 04:24:12PM -0400, Michael Gilbert wrote:
> Josh Triplett wrote:
> > Package: gnome-screensaver
> > Version: 3.0.1-1
> > Severity: grave
> > Tags: security
> > 
> > I upgraded gnome-screensaver, and it stopped locking the screen when I
> > close the lid of my laptop.  It now only locks if I explicitly lock the
> > screen (ctrl-alt-L), or after some timeout (on the order of 5-15
> > minutes).
> > 
> > For anyone who counts on this behavior of gnome-screensaver as a
> > component of their system's security, this represents a security bug.
> 
> This also could have been an intentional design change, and thus

Could, but to the best of my knowledge wasn't.  If it turns out it was,
I'll pursue that with upstream; however, at the moment it looks like a
bug. :)

Also, if this did represent an intentional design choice, it would need
giant honking warnings in NEWS.Debian.gz and similar warning people of
the security implications.

> shouldn't necessarily be viewed as some kind of security lapse
> (especially since the screen is going to lock after some timeout
> anyway).

"immediately" versus "after several minutes" makes a big difference.

> As a counter-point, xscreensaver does not automatically lock on lid
> close either, and isn't expected to do so, so such behavior need not be
> considered as a security issue.  I guess what I'm saying is that lid
> close screen locking has in the past been a choice left up to the user,
> so there's no reason to consider the same behavior as a security issue
> now.

The regression makes it a security issue.  gnome-screensaver previously
locked on lid close, and now it doesn't.  It doesn't matter what
xscreensaver does, or what gnome-screensaver does in different
configurations.

- Josh Triplett


