Merge lp:~echaskes/unity-control-center/fix-user-password-dialog into lp:unity-control-center

Proposed by Eric Chaskes
Status: Merged
Approved by: Sebastien Bacher
Approved revision: 12777
Merged at revision: 12780
Proposed branch: lp:~echaskes/unity-control-center/fix-user-password-dialog
Merge into: lp:unity-control-center
Diff against target: 14 lines (+4/-0)
1 file modified
panels/user-accounts/um-password-dialog.c (+4/-0)
To merge this branch: bzr merge lp:~echaskes/unity-control-center/fix-user-password-dialog
Reviewer Review Type Date Requested Status
Sebastien Bacher Approve
Review via email: mp+217167@code.launchpad.net

Commit message

Updated um-password-dialog.c to removed users to change password mode to regular when locking the account

Description of the change

There is currently a bug in the User Accounts password dialog box: if a user has been set to "Log in without a password" and is subsequently set to "Disable this account", the user is not removed from the nopasswordlogin group. The result is that the user can still log in without a password, even though an admin has locked the account. This is a security issue.

This is easily tested by following the above steps and confirming the users group memberships.

The bug stems from lack of a single line of code in um-password-dialog.c

Current code (starting line 268) locks user, removes automatic login, but does not change password mode:

                case UM_PASSWORD_DIALOG_MODE_LOCK_ACCOUNT:
                        act_user_set_locked (um->user, TRUE);
                        act_user_set_automatic_login (um->user, FALSE);
                        break;

Proposed code also changes the password mode:

                case UM_PASSWORD_DIALOG_MODE_LOCK_ACCOUNT:
                        act_user_set_locked (um->user, TRUE);
                        act_user_set_automatic_login (um->user, FALSE);

                        /*Set the password mode to regular in case the user is currently in the nopasswdlogin group.
                        Otherwise, the user will still be able to login even though the account is disabled. */
                        act_user_set_password_mode (um->user, ACT_USER_PASSWORD_MODE_REGULAR);
                        break;

This is easy to test by compiling/installing the code, then perform the above steps again. The user will be properly removed from the nopasswordlogin group.

To post a comment you must log in.
Revision history for this message
Sebastien Bacher (seb128) wrote :

thanks, that looks fine to me!

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'panels/user-accounts/um-password-dialog.c'
2--- panels/user-accounts/um-password-dialog.c 2014-03-19 14:43:12 +0000
3+++ panels/user-accounts/um-password-dialog.c 2014-04-25 01:58:49 +0000
4@@ -268,6 +268,10 @@
5 case UM_PASSWORD_DIALOG_MODE_LOCK_ACCOUNT:
6 act_user_set_locked (um->user, TRUE);
7 act_user_set_automatic_login (um->user, FALSE);
8+
9+ /*Set the password mode to regular in case the user is currently in the nopasswdlogin group.
10+ Otherwise, the user will still be able to login even though the account is disabled. */
11+ act_user_set_password_mode (um->user, ACT_USER_PASSWORD_MODE_REGULAR);
12 break;
13
14 case UM_PASSWORD_DIALOG_MODE_UNLOCK_ACCOUNT:

Subscribers

People subscribed via source and target branches