Bug 140515

Summary: Security: if DPMS power off time shorter than screensaver time: no lock screen
Product: [openSUSE] SUSE Linux 10.1 Reporter: Danny Al-Gaaf <dalgaaf>
Component: X.Org Assignee: Stefan Dirsch <sndirsch>
Status: RESOLVED FIXED QA Contact: Stefan Dirsch <sndirsch>
Severity: Normal    
Priority: P5 - None CC: kde-maintainers, security-team
Version: Alpha 4   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Danny Al-Gaaf 2005-12-21 14:34:04 UTC
If you set the time for DPMS power off in the KDE Control Center (Peripherals->Display->Power Control) shorter (e.g. 1 min) than the time for start screen saver (Appearance & Themes->Screensaver) (e.g. 2 min and for lock screen 1 sec) the screen is never locked after DPMS shuts down your display and everybody can use your desktop session.

This should not happen. IMO this is a bug in KDE and not a general problem, because this works with KPowersave (enable DPMS, close lid event, locked screen --> works perfectly).
Comment 1 Stephan Kulow 2006-01-09 16:59:35 UTC
hmm, because the screensaver is DPMS sensitive, e.g. it won't activate the saver when there is DPMS running (or stop it when it's already running). Which is ok for a screensaver, but obviously not for a locker. 

So the screensaver needs to be started independent of DPMS if it's a locker - but then stopped immediately.
Comment 2 Lubos Lunak 2006-01-10 14:29:11 UTC
Fixed in KDE SVN. The problem was actually DPMS for some reason breaking the reporting of idle time by the screensaver X extension.

Hmm. Why exactly is this very unusual setup a blocker?
Comment 3 Danny Al-Gaaf 2006-01-10 14:45:32 UTC
This is for me a blocker, because this is a security bug. If you trust the current settings you expect that your screen locks and nobody can access your desktop. Btw. THX for the fix.
Comment 4 Dirk Mueller 2006-01-10 14:47:52 UTC
well, still sounds like an underlying X.org bug to me. 

Comment 5 Stefan Dirsch 2006-01-10 15:03:39 UTC
But this is no longer a blocker.
Comment 6 Lubos Lunak 2006-01-10 15:26:31 UTC
Actually, after creating a testcase to demonstrate the X problem it turned out that the X screensaver extension eventually decides to report correct idle time after some delay, so it was the DPMS checking code in KDE blocking the locker. I've fixed that already too, in KDE SVN.

So unless somebody feels like doing an update or something for the case of a user more or less misconfiguring their system, I consider this closed, will be fixed with SL10.1.

Comment 7 Stephan Kulow 2006-01-10 16:22:26 UTC
agreed
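
An added example, not part of the original report and not KDE's or X.Org's code: a check for the configuration this bug describes, flagging any DPMS stage that fires before the lock timeout. It assumes the output format of `xset q` and that the locker timeout equals the X screen saver timeout unless passed in as `lock_timeout`; the sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample of `xset q` output, trimmed to the two relevant sections.
# It mirrors the report: DPMS off after 1 minute, screen saver after 2 minutes.
SAMPLE_XSET_Q = """\
Screen Saver:
  prefer blanking:  yes    allow exposures:  yes
  timeout:  120    cycle:  600
DPMS (Energy Star):
  Standby: 0    Suspend: 0    Off: 60
  DPMS is Enabled
  Monitor is On
"""


def parse_xset(text):
    """Extract screen saver and DPMS timeouts (seconds) from `xset q` output."""
    saver = re.search(r"^\s*timeout:\s+(\d+)\s+cycle:", text, re.M)
    dpms = re.search(r"Standby:\s+(\d+)\s+Suspend:\s+(\d+)\s+Off:\s+(\d+)", text)
    if not saver or not dpms:
        raise ValueError("screen saver or DPMS section not found")
    return {
        "saver": int(saver.group(1)),
        "dpms": dict(zip(("standby", "suspend", "off"), map(int, dpms.groups()))),
        "dpms_enabled": "DPMS is Enabled" in text,
    }


def dpms_before_lock(text, lock_timeout=None):
    """Return the DPMS stages that fire before the locker would start.

    lock_timeout (an assumption of this example) overrides the X screen saver
    timeout for desktops that keep the locker timeout in their own settings.
    A DPMS timeout of 0 means that stage is disabled.
    """
    cfg = parse_xset(text)
    lock = cfg["saver"] if lock_timeout is None else lock_timeout
    if not cfg["dpms_enabled"]:
        return []
    return sorted(
        stage for stage, secs in cfg["dpms"].items() if 0 < secs < lock
    )


if __name__ == "__main__":
    early = dpms_before_lock(SAMPLE_XSET_Q)
    print("DPMS stages firing before the lock timeout:", early or "none")
```

On an affected desktop, a non-empty result means the display powers down before the locker is due to start, so the lock should be verified by hand.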