Bug 10439 - Update request: lightdm
Summary: Update request: lightdm
Status: RESOLVED WONTFIX
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 3
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA3-32-OK, MGA3-64-OK
Keywords:
Depends on:
Blocks:
 
Reported: 2013-06-05 19:26 CEST by Jani Välimaa
Modified: 2014-05-08 18:06 CEST

See Also:
Source RPM: lightdm-1.4.1-2.1.mga3
CVE:
Status comment:



Description Jani Välimaa 2013-06-05 19:26:20 CEST
Current lightdm in mga3 doesn't allow logins with empty password (see bug 10416). New release fixes this behavior.

Please test this new release [1] in core/updates_testing.

Test case:
1. Create new user or use existing.
2. Delete password with 'passwd <user> -d'.
3. Try to login with lightdm with empty passwd.
4. See it failing.
5. Update lightdm from core/updates_testing.
6. Login and see it working.

[1] lightdm-1.4.1-2.1.mga3

Comment 1 Derek Jennings 2013-06-05 20:57:22 CEST
Confirmed works as described in the test procedure
Tested lightdm-1.4.1-2.1.mga3.i586  using Razor-qt frontend to lightdm

Also confirmed that users with password can log in as normal, and that invalid passwords are rejected.

CC: (none) => derekjenn
Whiteboard: (none) => MGA3-32-OK

Comment 2 Derek Jennings 2013-06-06 01:52:04 CEST
Testing completed on x86_64 (using lightdm-gtk-greeter as front end);
all worked as expected.

Testing now complete, validated.

SRPM: lightdm-1.4.1-2.1.mga3.src.rpm

Advisory
--------
This update allows users with empty passwords to log in with lightdm.





Could sysadmin please push from core/updates_testing to core/updates.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA3-32-OK => MGA3-32-OK, MGA3-64-OK

Comment 3 Nicolas Vigier 2013-06-13 01:30:05 CEST
Hmm, I'm not sure that changing this in a stable release update is a good idea. Some people might not want to allow people with empty passwords to log in, and they won't be happy if an update suddenly changes this.

CC: (none) => boklm

Comment 4 Jani Välimaa 2013-06-15 18:53:39 CEST
This is (or was) also a regression when moving for example from gdm to lightdm.

IIUC gdm allows logins with an empty passwd as it uses the system-auth PAM config when authenticating the user, and 'nullok' is also used there.

Comment 5 Dave Hodgins 2013-06-19 02:15:37 CEST
Nicolas, Jani, what do you think? Push or no? Perhaps add a README.update.urpmi
with a warning of the change?

CC: (none) => davidwhodgins

Comment 6 Nicolas Vigier 2013-06-19 02:33:15 CEST
I think we should not make this kind of change in an update, even with a README.update.urpmi warning.

Allowing empty passwords when it was not allowed initially can be a security issue.
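
The condition discussed in comments 4 and 6, as an added example that is not part of the original bug report or of the lightdm package: an empty-password login needs both an account with an empty hash field and a pam_unix auth line carrying 'nullok', so an audit can check the two together. The function names, the sample file names and their contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report). An empty-password login needs
# both: an empty hash field in shadow AND 'nullok' on a pam_unix auth line.

# Names of accounts whose shadow password field is empty (what
# 'passwd -d' leaves behind). '!' or '*' mean locked, not empty.
empty_password_users() {
    awk -F: '$1 != "" && $2 == "" { print $1 }' "$1"
}

# "file:line" for each active pam_unix auth line carrying nullok.
# Does not follow include/substack; pass every file of the stack.
pam_nullok_lines() {
    for f in "$@"; do
        awk -v f="$f" '
            /^[ \t]*#/ { next }
            { type = $1; sub(/^-/, "", type) }
            type == "auth" && /pam_unix\.so/ {
                for (i = 3; i <= NF; i++)
                    if ($i == "nullok") { print f ":" FNR; break }
            }' "$f"
    done
}

# One-line verdict for a shadow file plus the PAM files of one service.
empty_login_exposure() {
    shadow=$1; shift
    users=$(empty_password_users "$shadow" | paste -sd, -)
    hits=$(pam_nullok_lines "$@" | paste -sd, -)
    if [ -n "$users" ] && [ -n "$hits" ]; then
        echo "EXPOSED users=$users nullok=$hits"
    else
        echo "OK"
    fi
}

# Constructed sample data; hashes and file names are placeholders.
write_samples() {
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$placeholderhash:15861:0:99999:7:::
alice::15861:0:99999:7:::
bob:!:15861:0:99999:7:::
EOF
    cat > "$1/with-nullok" <<'EOF'
# auth  sufficient  pam_unix.so nullok
auth    sufficient  pam_unix.so try_first_pass likeauth nullok
password sufficient pam_unix.so sha512 shadow nullok
EOF
    printf 'auth    required    pam_unix.so try_first_pass\n' > "$1/without-nullok"
}
```

On a live system the same check would be run as root against /etc/shadow and the PAM files the display manager's service actually uses, for example `empty_login_exposure /etc/shadow /etc/pam.d/system-auth`.
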
Comment 7 Dave Hodgins 2013-06-19 03:06:54 CEST
Removing the validated_update keyword.

Keywords: validated_update => (none)

Comment 8 Jani Välimaa 2013-06-19 18:17:02 CEST
If this update is not going to be pushed, then please remove it from core/updates_testing. Don't forget the source rpm.

Comment 9 claire robinson 2013-06-26 17:38:06 CEST
pterjan removed lightdm from 3 core/updates_testing today so closing this one.

Status: NEW => RESOLVED
Resolution: (none) => WONTFIX

Nicolas Vigier 2014-05-08 18:06:18 CEST

CC: boklm => (none)

