#1 2022-07-18 05:10:25

zw963
Member
Registered: 2018-06-18
Posts: 200

[Solved] serious security risk if suspend directly on GNOME+Wayland

I use GNOME + Wayland + GDM.

When I suspend directly from the command line using `systemctl suspend`, or more generally, when I close my laptop lid to make it suspend (I set it up that way),
it results in a very serial security risk. The following reproduces it:

1.  When I open my laptop lid to wake it up from suspend, after the screen lights up the first time, I can see the last screen from before I suspended, and it stays for several seconds.
     This security risk exposes all the private content on my laptop to everyone, without even needing to input a password.

2.  After 4~5 seconds, the screen goes black and then lights up again, and we can see the user login window.

3. It may go black again, and I need to press a key on the keyboard to make the login window light up again.


As you can see, the real issue is step 1: before the user inputs the password, user data is leaked from the laptop screen for 4~5 seconds. During that time anyone can use a camera
to copy all my private data; that is really an issue.


How do I work around this?


I have to lock the screen manually, wait until the screen lock succeeds, and then close my laptop lid, so that no user data is leaked.

The following is my package version info:

 ╰─ $ pacman -Q |grep 'gnome-\|gdm\|xorg'

chrome-gnome-shell 10.1-8
gdm 42.0+r11+g4a52f026-1
gnome-autoar 0.4.3-2
gnome-backgrounds 42.0-1
gnome-bluetooth-3.0 42.1-1
gnome-books 40.0-1
gnome-boxes 42.2-1
gnome-calculator 42.2-1
gnome-calendar 42.2-1
gnome-characters 42.0-1
gnome-clocks 42.0-1
gnome-color-manager 3.36.0+r25+g4aab8b59-1
gnome-contacts 42.0-1
gnome-control-center 42.3-1
gnome-desktop 1:42.2-1
gnome-desktop-4 1:42.2-1
gnome-desktop-common 1:42.2-1
gnome-disk-utility 42.0-1
gnome-epub-thumbnailer 1.6-2
gnome-font-viewer 42.0-1
gnome-keyring 1:42.1-1
gnome-logs 42.0-1
gnome-maps 42.3-1
gnome-menus 3.36.0-1
gnome-music 1:42.1-1
gnome-online-accounts 3.44.0-1
gnome-photos 1:42.0-1
gnome-remote-desktop 42.3-1
gnome-screenshot 41.0+r25+g45f08f0-1
gnome-session 42.0-1
gnome-settings-daemon 42.2-1
gnome-shell 1:42.3.1-1
gnome-shell-extension-appindicator 42-1
gnome-shell-extensions 42.3-1
gnome-software 42.3-1
gnome-system-monitor 42.0-1
gnome-terminal 3.44.1-1
gnome-tweaks 42beta+r9+gc66d8c3-1
gnome-usage 3.38.1-1
gnome-user-docs 42.0-1
gnome-user-share 3.34.0-2
gnome-video-effects 0.5.0+4+g9554041-2
gnome-weather 42.0-1
libgdm 42.0+r11+g4a52f026-1
xorg-fonts-encodings 1.0.5-2
xorg-mkfontscale 1.2.2-1
xorg-server 21.1.3-7
xorg-server-common 21.1.3-7
xorg-server-xvfb 21.1.3-7
xorg-setxkbmap 1.3.3-1
xorg-xauth 1.1.2-1
xorg-xhost 1.0.8-3
xorg-xkbcomp 1.4.5-1
xorg-xmodmap 1.0.10-3
xorg-xprop 1.2.5-1
xorg-xrandr 1.5.1-2
xorg-xrdb 1.2.1-1
xorg-xset 1.2.4-3
xorg-xwayland 22.1.2-1
xorgproto 2022.1-1


Thank you.

Last edited by zw963 (2022-09-10 15:35:27)

Offline

#2 2022-07-18 06:11:31

seth
Member
Registered: 2012-09-03
Posts: 50,924

Re: [Solved] serious security risk if suspend directly on GNOME+Wayland

"serious" - though you're accidentally right - this is a "serial" risk, too…
https://bugzilla.redhat.com/show_bug.cgi?id=713640

Also recently new, https://gitlab.gnome.org/GNOME/gnome-sh … ssues/3736 - supposed to be fixed by I guess only "one aspect of it"
This links https://github.com/solus-project/budgie … -450849019 which will hopefully delay the suspend enough to allow GDM to lock the screen before you enter the S3

Offline

#3 2022-07-18 15:07:51

zw963
Member
Registered: 2018-06-18
Posts: 200

Re: [Solved] serious security risk if suspend directly on GNOME+Wayland

seth wrote:

This links https://github.com/solus-project/budgie … -450849019 which will hopefully delay the suspend enough to allow GDM to lock the screen before you enter the S3


This workaround works for me after restarting my laptop, thank you.

Offline

#4 2022-07-18 15:10:14

seth
Member
Registered: 2012-09-03
Posts: 50,924

Re: [Solved] serious security risk if suspend directly on GNOME+Wayland

Great to hear.

Please always remember to mark resolved threads by editing your initial post's subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.

Offline

#5 2022-09-10 14:44:43

zw963
Member
Registered: 2018-06-18
Posts: 200

Re: [Solved] serious security risk if suspend directly on GNOME+Wayland

seth wrote:

Great to hear.

Please always remember to mark resolved threads by editing your initial post's subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.

Sorry for the late reply. I don't think this issue is solved, because this is just a workaround, and in rare special cases the delay time is probably not enough and this issue will still happen again.

Offline

#6 2022-09-10 14:52:26

seth
Member
Registered: 2012-09-03
Posts: 50,924

Re: [Solved] serious security risk if suspend directly on GNOME+Wayland

Given this is a systematic issue that existed with gnome/GDM for more than a decade, the only reliable solution is to not use GNOME or GDM
*shrug*

Offline
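
An added example, not part of the thread and not the workaround linked in post #2: a systemd-sleep hook that asks logind to lock every session and then polls each graphical user session's LockedHint before letting the suspend proceed, rather than relying on a fixed delay as discussed in posts #2 and #5. The install path, file name and `LOCK_ATTEMPTS` value are assumptions, and it relies on the desktop setting LockedHint when it locks.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical install path:
#   /usr/lib/systemd/system-sleep/lock-before-sleep  (must be executable)
# systemd-sleep runs hooks with $1 = pre|post and waits for them to exit,
# so the machine does not suspend until this script returns.

# Assumption: poll up to 25 times, 0.2 s apart (about 5 s), then give up.
LOCK_ATTEMPTS=${LOCK_ATTEMPTS:-25}

# IDs of all logind sessions, one per line.
session_ids() {
    loginctl list-sessions --no-legend | awk '{print $1}'
}

# True when every graphical user session reports LockedHint=yes.
all_locked() {
    for id in $(session_ids); do
        class=$(loginctl show-session "$id" -p Class --value)
        stype=$(loginctl show-session "$id" -p Type --value)
        [ "$class" = user ] || continue     # skip display-manager greeter sessions
        case "$stype" in
            wayland|x11) ;;
            *) continue ;;                  # ttys, ssh etc. have no lock screen
        esac
        hint=$(loginctl show-session "$id" -p LockedHint --value)
        [ "$hint" = yes ] || return 1
    done
    return 0
}

# Ask every session to lock, then wait for confirmation or time out.
lock_and_wait() {
    loginctl lock-sessions
    n=0
    while [ "$n" -lt "$LOCK_ATTEMPTS" ]; do
        all_locked && return 0
        sleep 0.2                           # fractional sleep: GNU coreutils
        n=$((n + 1))
    done
    return 1
}

case "${1:-}" in
    pre) lock_and_wait || echo "lock-before-sleep: lock not confirmed" >&2 ;;
esac
```

LockedHint only says the session reports itself as locked; it does not prove that the lock screen is the frame the display shows on resume.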
