Bug 10439

Summary: Update request: lightdm
Product: Mageia
Reporter: Jani Välimaa <jani.valimaa>
Component: RPM Packages
Assignee: QA Team <qa-bugs>
Status: RESOLVED WONTFIX
QA Contact:
Severity: normal
Priority: Normal
CC: davidwhodgins, derekjenn, sysadmin-bugs
Version: 3
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA3-32-OK, MGA3-64-OK
Source RPM: lightdm-1.4.1-2.1.mga3
CVE:
Status comment:

Description Jani Välimaa 2013-06-05 19:26:20 CEST
Current lightdm in mga3 doesn't allow logins with empty password (see bug 10416). New release fixes this behavior.

Please test this new release [1] in core/updates_testing.

Test case:
1. Create new user or use existing.
2. Delete password with 'passwd <user> -d'.
3. Try to login with lightdm with empty passwd.
4. See it failing.
5. Update lightdm from core/updates_testing.
6. Login and see it working.

[1] lightdm-1.4.1-2.1.mga3

Comment 1 Derek Jennings 2013-06-05 20:57:22 CEST
Confirmed works as described in the test procedure.
Tested lightdm-1.4.1-2.1.mga3.i586 using Razor-qt frontend to lightdm.

Also confirmed that users with password can log in as normal, and that invalid passwords are rejected.

CC: (none) => derekjenn
Whiteboard: (none) => MGA3-32-OK

Comment 2 Derek Jennings 2013-06-06 01:52:04 CEST
Testing completed on x86_64 (using lightdm-gtk-greeter as front end)
all worked as expected.

Testing now complete, validated.

SRPM: lightdm-1.4.1-2.1.mga3.src.rpm

Advisory
--------
This update allows users with empty passwords to log in with lightdm.

Could sysadmin please push from core/updates_testing to core/updates.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA3-32-OK => MGA3-32-OK, MGA3-64-OK

Comment 3 Nicolas Vigier 2013-06-13 01:30:05 CEST
Hmm, I'm not sure that changing this in a stable release update is a good idea. Some people might not want to allow people with empty password to log in, and they won't be happy if an update suddenly changes this.

CC: (none) => boklm

Comment 4 Jani Välimaa 2013-06-15 18:53:39 CEST
This is (or was) also a regression when moving for example from gdm to lightdm.

IIUC gdm allows logins with an empty passwd as it uses system-auth pam config when authenticating user and 'nullok' is also used there.

Comment 5 Dave Hodgins 2013-06-19 02:15:37 CEST
Nicolas, Jani, what do you think? Push or no? Perhaps add a README.update.urpmi with a warning of the change?

CC: (none) => davidwhodgins

Comment 6 Nicolas Vigier 2013-06-19 02:33:15 CEST
I think we should not make this kind of change in an update, even with a README.update.urpmi warning.

Allowing empty passwords when it was not allowed initially can be a security issue.

Comment 7 Dave Hodgins 2013-06-19 03:06:54 CEST
Removing the validated_update keyword.

Keywords: validated_update => (none)
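
An added example, not part of the bug thread and not lightdm or Mageia code: a Python check for the two conditions discussed in Comments 4 and 6, namely which PAM auth stacks reach pam_unix with 'nullok' (directly or through include/substack) and which accounts have an empty shadow password field, as 'passwd <user> -d' leaves it. The service names dm-shared and dm-own and all file contents are constructed samples; on a real system the inputs would be read from /etc/pam.d and /etc/shadow.

```python
import re

# Constructed sample inputs: hypothetical PAM service files and shadow entries.
PAM_FILES = {
    "system-auth": "auth sufficient pam_unix.so try_first_pass nullok\n"
                   "auth required pam_deny.so\n",
    "dm-shared": "# hypothetical display manager reusing the shared stack\n"
                 "auth include system-auth\n"
                 "account include system-auth\n",
    "dm-own": "auth [success=1 default=ignore] pam_unix.so try_first_pass\n"
              "auth requisite pam_deny.so\n",
}
SHADOW = ("alice:$6$salt$hash:15861:0:99999:7:::\n"
          "bob::15861:0:99999:7:::\n"      # empty field, as 'passwd -d' leaves it
          "carol:!:15861:0:99999:7:::\n")  # locked, not empty

# type, control (plain word or [bracketed]), module or included file, arguments
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def auth_rules(name, files, seen=None):
    """Yield (module, args) for a service's auth stack, following includes."""
    seen = set() if seen is None else seen
    if name in seen or name not in files:
        return
    seen.add(name)
    for line in files[name].splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if not m or m.group(1) != "auth":
            continue
        control, module, args = m.group(2), m.group(3), m.group(4).split()
        if control in ("include", "substack"):
            yield from auth_rules(module, files, seen)
        else:
            yield module, args

def allows_empty_password(name, files):
    """True if a pam_unix auth rule reachable from the service passes nullok."""
    return any(mod.endswith("pam_unix.so") and "nullok" in args
               for mod, args in auth_rules(name, files))

def empty_password_accounts(shadow_text):
    """Accounts whose shadow password field is empty."""
    rows = (line.split(":") for line in shadow_text.splitlines())
    return [r[0] for r in rows if len(r) > 1 and r[1] == ""]

def audit(files, shadow_text):
    """Map each stack that accepts empty passwords to the accounts affected."""
    accounts = empty_password_accounts(shadow_text)
    return {s: accounts for s in sorted(files) if allows_empty_password(s, files)}
```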

Comment 8 Jani Välimaa 2013-06-19 18:17:02 CEST
If this update is not going to be pushed, then please remove it from core/updates_testing. Don't forget the source rpm.

Comment 9 claire robinson 2013-06-26 17:38:06 CEST
pterjan removed lightdm from 3 core/updates_testing today so closing this one.

Status: NEW => RESOLVED
Resolution: (none) => WONTFIX

Nicolas Vigier 2014-05-08 18:06:18 CEST

CC: boklm => (none)