
autologin enabled by update?

Posted: Thu Apr 25, 2019 10:31 pm
by HankB
I've updated a couple Pis lately and found that autologin to the user pi is enabled afterwards. I think this is a Really Bad idea from a security standpoint. First of all, I don't typically use the user 'pi.' I use the same user name I've been using for decades on Unix, AIX, Solaris and more recently on Linux. Secondly I only use autologin where I need it (e.g. for a system that auto plays video for example.)

I really wish that whoever considered this to be a good idea would reconsider.

Thanks!

Re: autologin enabled by update?

Posted: Thu Apr 25, 2019 11:09 pm
by Andyroo
I did an install and update this afternoon and had to enable auto logon.

Was this command line or GUI user?

I used the latest Stretch on a Zero W and could build another image in the next couple of days if you let me know the version etc. you were on.

Re: autologin enabled by update?

Posted: Thu Apr 25, 2019 11:34 pm
by HankB
This is a GUI install.
I haven't noticed this on any non-GUI installs (e.g. Stretch Lite) but I usually run those headless and might not even notice.

Edit: This was on an installation that hadn't been updated in several months. A test case might be to install one of the older versions, disable autologin via `raspi-config` and then update to current.

Edit: I just reproduced it. I started with an installation that was Raspbian Jessie (not lite) last updated December 2017 and with the only user 'pi'.
  • It did not autologin. I logged in but the desktop was unusable since no menu came up. Switch to a text console and run `raspi-config` to set desktop to boot to GUI without autologin.
  • Ran 'apt update' and 'apt upgrade'. I ran this from a text console since the 'pi' desktop was messed up.
  • Following reboot, desktop did not autologin.
  • Logged in to text console as 'pi' and added user 'hbarta.' Rebooted to get back to login screen.
  • Logged in as 'hbarta'
  • Edited sources.list and sources.list.d/raspi.list to use Stretch repos.
  • Ran `apt update` and `apt upgrade` and `apt dist-upgrade` and rebooted.
  • Following reboot system came up and logged into GUI as user 'pi'
At this point I do not know if it was the update alone or the update as user 'hbarta' that resulted in the return of autologin.

I'll test again with Stretch (2017-09-07) to see if it does it when logged in as 'pi.'

Test complete with Stretch 2017-09-07 -> current.
  • Installed 2017-09-07 version of Raspbian Stretch
  • Use `raspi-config` to set boot option to "Desktop"
  • Reboot and confirm boot to display manager (not logged in.)
  • Login and 'apt update', 'apt upgrade' and 'apt dist-upgrade.'
  • Reboot
  • Confirm that user 'pi' is automatically logged in to a graphical desktop.
In other words, it had nothing to do with performing the update logged in as 'hbarta' (and sudo to root.)

Edit.2 I just repeated the second test (update an earlier version of Stretch to current.) I recalled being asked about whether to update or preserve a lot of configuration files. My tendency in these cases is to go with the new configuration file unless I recall having modified the old one. I recall one of these was for the login screen (lightdm.) It occurred to me that selecting the new one might revert some setting back to the default (autologin 'pi.') However this upgrade asked no questions. It was the upgrade from Jessie to Stretch that involved a lot of config file updates. Optional config file update is not an issue with this behavior.

Re: autologin enabled by update?

Posted: Fri Apr 26, 2019 5:11 pm
by fbe
> HankB wrote:
> Thu Apr 25, 2019 10:31 pm
> I really wish that whoever considered this to be a good idea would reconsider.
>
> Thanks!

The pi-greeter package is the troublemaker.

Re: autologin enabled by update?

Posted: Fri Apr 26, 2019 5:53 pm
by Andyroo
There was a mod in November last year to set a user if not defined.

Strange I’ve set up a few since then and updated more but never noticed. I’m tempted to check how many auto-logon now as I’m bound to have missed not turning it off when I’ve set up SSH certificates.

Time to review the set up notes :cry:
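
One way to check a machine for the autologin discussed in this thread, as an added example that is not part of any post here. It assumes the usual Raspbian locations, which the thread does not state: LightDM's `autologin-user` key in a `[Seat:*]` section, and the tty1 getty drop-in that passes `--autologin` to agetty.

```shell
#!/bin/sh
# Added example, not from the thread. File paths are the usual Raspbian
# locations and are assumptions; adjust for your image. Regexes avoid
# POSIX classes so they also work with the older mawk on Stretch.

# Effective LightDM autologin-user across the given files (later files win).
# Commented-out lines and keys outside [Seat:*]/[SeatDefaults] are ignored.
lightdm_autologin_user() {
    n=$#
    for f in "$@"; do [ -r "$f" ] && set -- "$@" "$f"; done
    shift "$n"                          # keep only the readable files
    [ $# -gt 0 ] || return 0
    awk '
        FNR == 1 { in_seat = 0 }        # section state does not span files
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { in_seat = ($0 ~ /^[ \t]*\[Seat(:|Defaults\])/); next }
        in_seat && /^[ \t]*autologin-user[ \t]*=/ {
            user = $0
            sub(/^[^=]*=[ \t]*/, "", user)
            sub(/[ \t]+$/, "", user)    # empty value means no autologin
        }
        END { if (user != "") print user }
    ' "$@"
}

# Account passed to "agetty --autologin" in a getty drop-in, if any.
getty_autologin_user() {
    sed -n 's/^ExecStart=.*agetty.*--autologin[ =]\{1,\}\([^ ]*\).*/\1/p' \
        "$@" 2>/dev/null | tail -n 1
}

# Audit the running system, or a mounted SD card when given its mount point.
audit_autologin() {
    root=${1:-}
    gui=$(lightdm_autologin_user "$root"/usr/share/lightdm/lightdm.conf.d/*.conf \
        "$root"/etc/lightdm/lightdm.conf.d/*.conf \
        "$root"/etc/lightdm/lightdm.conf)
    tty=$(getty_autologin_user \
        "$root"/etc/systemd/system/getty@tty1.service.d/autologin.conf)
    echo "lightdm autologin-user: ${gui:-none}"
    echo "tty1 autologin user:    ${tty:-none}"
}

audit_autologin "$@"
```

Running it after each `apt upgrade` shows whether a package update has put an autologin account back.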

Re: autologin enabled by update?

Posted: Fri Apr 26, 2019 6:09 pm
by HawaiianPi
> HankB wrote:
> Thu Apr 25, 2019 11:34 pm
> Edit: This was on an installation that hadn't been updated in several months.

Yea, that happened a while ago. I forget which specific update it was, but I remember that. Even with the pi user account locked the auto login worked. Mildly annoying, but it only happened with one particular update and hasn't happened since.

Re: autologin enabled by update?

Posted: Fri Apr 26, 2019 6:21 pm
by fbe
> Andyroo wrote:
> Fri Apr 26, 2019 5:53 pm
> There was a mod in November last year to set a user if not defined.
>
> Strange I’ve set up a few since then and updated more but never noticed.

This may come from the wizard that runs on first start to configure localisation settings and password. It also does an upgrade of all packages. If you do the update before you disable auto-login, you won't notice anything. If you install the image from November 2018 and omit the updates by the wizard, you may notice it later.

The pi-greeter package can be removed (the lightdm-gtk-greeter will be used instead).

Re: autologin enabled by update?

Posted: Fri Apr 26, 2019 9:21 pm
by HankB
Thanks, looks like I'm late to the party suggesting it not be done that way. It looks like it was already changed. Nevertheless I think I'll remove the pi-greeter just to be certain.

Re: autologin enabled by update?

Posted: Fri Apr 26, 2019 10:17 pm
by andrum99
This is a really bad idea. This should not happen on existing installs. If Pi really want to force people to use the new default of autologin, then at the very least it needs to be flagged up when the Pi is updated and the package that triggers it is installed. Did you update using the GUI or the command line? If GUI, there may have been a warning that is only shown on the command line.

Re: autologin enabled by update?

Posted: Fri Apr 26, 2019 11:20 pm
by HawaiianPi
> andrum99 wrote:
> Fri Apr 26, 2019 10:17 pm
> This is a really bad idea. This should not happen on existing installs. If Pi really want to force people to use the new default of autologin...

Pretty sure it wasn't done on purpose.

Re: autologin enabled by update?

Posted: Sat Apr 27, 2019 11:35 am
by andrum99
> HawaiianPi wrote:
> Fri Apr 26, 2019 11:20 pm
> > andrum99 wrote:
> > Fri Apr 26, 2019 10:17 pm
> > This is a really bad idea. This should not happen on existing installs. If Pi really want to force people to use the new default of autologin...
>
> Pretty sure it wasn't done on purpose.

On reflection I think you're probably correct.