HankB
Posts: 125
Joined: Fri Jan 01, 2016 2:45 pm

autologin enabled by update?

Thu Apr 25, 2019 10:31 pm

I've updated a couple Pis lately and found that autologin to the user pi is enabled afterwards. I think this is a Really Bad idea from a security standpoint. First of all, I don't typically use the user 'pi.' I use the same user name I've been using for decades on Unix, AIX, Solaris and more recently on Linux. Secondly I only use autologin where I need it (e.g. for a system that auto plays video for example.)

I really wish that whoever considered this to be a good idea would reconsider.

Thanks!

Andyroo

Re: autologin enabled by update?

Thu Apr 25, 2019 11:09 pm

I did an install and update this afternoon and had to enable auto logon.

Was this command line or GUI user?

I used the latest Stretch on a Zero W and could build another image in the next couple of days if you let me know the version etc you where on.

HankB
Posts: 125
Joined: Fri Jan 01, 2016 2:45 pm

Re: autologin enabled by update?

Thu Apr 25, 2019 11:34 pm

This is a GUI install.
I haven't noticed this on any non-GUI installs (e.g. Stretch Lite) but I usually run those headless and might not even notice.

Edit: This was on an installation that hadn't been updated in several months. A test case might be to install one of the older versions, disable autologin via `raspi-config` and then update to current.

Edit: I just reproduced it. I started with an installation that was Raspbian Jessie (not lite) last updated December 2017 and with the only user 'pi'.
  • It did not autologin. I logged in but the desktop was unusable since no menu came up. Switch to a text console and run `raspi-config` to set desktop to boot to GUI without autologin.
  • Ran 'apt update' and 'apt upgrade'. I ran this from a text console since the 'pi' desktop was messed up.
  • Following reboot, desktop did not autologin.
  • Logged in to text console as 'pi' and added user 'hbarta.' Rebooted to get back to login screen.
  • Logged in as `hbarta'
  • Edited sources.list and sources.list.d/raspi.list to use Stretch repos.
  • Ran `apt update` and `apt upgrade` and `apt dist-upgrade` and rebooted.
  • Following reboot system came up and logged into GUI as user 'pi'
At this point I do not know if it was the update alone or the update as user 'hbarta' that resulted in the return of autologin.

I'll test again with Stretch (2017-09-07) to see if it does it when logged in as 'pi.'

Test complete with Stretch 2017-09-07 -> current.
  • Installed 2017-09-07 version of Raspbian Stretch
  • Use `raspi-config` to set boot option to "Desktop"
  • Reboot and confirm boot to display manager (not logged in.)
  • Login and 'apt update', 'apt upgrade' and 'apt dist-upgrade.'
  • Reboot
  • Confirm that user 'pi' is automatically logged in to a graphical desktop.
In other words, it had nothing to do with performing the update logged in as 'hbarta' (and sudo to root.)

Edit.2 I just repeated the second test (update an earlier version of Stretch to current.) I recalled being asked about whether to update or preserve a lot of configuration files. My tendency in these cases is to go with the new configuration file unless I recall having modified the old one. I recall one of these was for the login screen (lightdm.) It occurred to me that selecting the new one might revert some setting back to the default (autologin 'pi.') However this upgrade asked no questions. It was the upgrade from Jessie to Stretch that involved a lot of config file updates. Optional config file update is not an issue with this behavior.

fbe
Posts: 540
Joined: Thu Aug 17, 2017 9:08 pm

Re: autologin enabled by update?

Fri Apr 26, 2019 5:11 pm

HankB wrote:
Thu Apr 25, 2019 10:31 pm
I really wish that whoever considered this to be a good idea would reconsider.

Thanks!
The pi-greeter package is the troublemaker.

Andyroo

Re: autologin enabled by update?

Fri Apr 26, 2019 5:53 pm

There was a mod in November last year to set a user if not defined.

Strange I’ve set up a few since then and updated more but never noticed. I’m tempted to check how many auto-logon now as I’m bound to have missed not turning it off when I’ve set up SSH certificates.

Time to review the set up notes :cry:

User avatar
HawaiianPi
Posts: 4867
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: autologin enabled by update?

Fri Apr 26, 2019 6:09 pm

HankB wrote:
Thu Apr 25, 2019 11:34 pm
Edit: This was on an installation that hadn't been updated in several months.
Yea, that happened awhile ago. I forget which specific update it was, but I remember that. Even with the pi user account locked the auto login worked. Mildly annoying, but it only happened with one particular update and hasn't happened since.
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?

fbe
Posts: 540
Joined: Thu Aug 17, 2017 9:08 pm

Re: autologin enabled by update?

Fri Apr 26, 2019 6:21 pm

Andyroo wrote:
Fri Apr 26, 2019 5:53 pm
There was a mod in November last year to set a user if not defined.

Strange I’ve set up a few since then and updated more but never noticed.
This may come from the wizard that runs on first start to configure localisation settings and password. It also does an upgrade of all packages. If you do the update before you disable auto-login, you won't notice anything. If you install the image from November 2018 and omit the updates by the wizard, you may notice it later.

The pi-greeter package can be removed (the lightdm-gtk-greeter will be used instead).

HankB
Posts: 125
Joined: Fri Jan 01, 2016 2:45 pm

Re: autologin enabled by update?

Fri Apr 26, 2019 9:21 pm

Thanks, looks like I'm late to the party suggesting it not be done that way. It looks like it was already changed. Nevertheless I think I'll remove the pi-greeter just to be certain.

andrum99
Posts: 927
Joined: Fri Jul 20, 2012 2:41 pm

Re: autologin enabled by update?

Fri Apr 26, 2019 10:17 pm

This is a really bad idea. This should not happen on existing installs. If Pi really want to force people to use the new default of autologin, then at the very least it needs to be flagged up when the Pi is updated and the package that triggers it is installed. Did you update using the GUI or the command line? If GUI, there may have been a warning that is only shown on the command line.

User avatar
HawaiianPi
Posts: 4867
Joined: Mon Apr 08, 2013 4:53 am
Location: Aloha, Oregon USA

Re: autologin enabled by update?

Fri Apr 26, 2019 11:20 pm

andrum99 wrote:
Fri Apr 26, 2019 10:17 pm
This is a really bad idea. This should not happen on existing installs. If Pi really want to force people to use the new default of autologin...
Pretty sure it wasn't done on purpose.
My mind is like a browser. 27 tabs are open, 9 aren't responding,
lots of pop-ups...and where is that annoying music coming from?

andrum99
Posts: 927
Joined: Fri Jul 20, 2012 2:41 pm

Re: autologin enabled by update?

Sat Apr 27, 2019 11:35 am

HawaiianPi wrote:
Fri Apr 26, 2019 11:20 pm
andrum99 wrote:
Fri Apr 26, 2019 10:17 pm
This is a really bad idea. This should not happen on existing installs. If Pi really want to force people to use the new default of autologin...
Pretty sure it wasn't done on purpose.
On reflection I think you're probably correct.

Return to “General discussion”