Re: [gdm-list] [PATCH 1/3] Support --no-lock option in gdmflexiserver when launching new session

["Dan Nicholson" <dbn lists gmail com>]

On Sun, Oct 12, 2008 at 7:11 PM, Matthias Clasen
<matthias clasen gmail com> wrote:
> On Sun, Oct 12, 2008 at 7:46 PM, Dan Nicholson <dbn lists gmail com> wrote:
>> When launching a new login session via gdmflexiserver, the -l or
>> --no-lock switch can be used to suppress locking of the current session.
>> gdm_user_manager_goto_login_session() has been adapted to take a boolean
>> parameter controlling whether to call gdmflexiserver with this switch.
>
> Why would you ever want to not lock the current session ?

I filed bug 559623 so this would not be forgotten. I reworked the
patches a bit, too, and now a toggle menu item is used instead of a
full preferences dialog. I thought again about this question, and I
think it's very valid to not lock the session when using the switch
applet. Quoting from the bug:

Consider the occasion where you can actually access the user switch applet:

The switch applet can only be used when there is currently an unlocked
session running. Sometimes it may be your session that you're sitting
in front of and choosing to switch to another, but more often it is
that you have left your session running and another user wants to
switch to their session. In that case, a malicious user already has
full access to your session, and you've lost.

If you're concerned about that situation, then you've locked the
screen when you've walked away already. If you're not concerned about
that situation because you trust all the other users on the system,
then locking the screen only serves to slow down the fast user
switching experience and may lead to you providing your password to
someone else if the need arises to switch back to the original
session. So, I would say that having the applet lock the screen does
not significantly increase security.

--
Dan