The other day, I noticed a strange bug. If there are several users on elementaryOS, then when authenticating as the 2nd user, you can use the password from the first one. This doesn't work on the login screen or in the terminal when I run "sudo su", but it works when upgrading in AppCenter or when pantheon-files is opened in Administrator mode. Here's a detailed explanation of how it all works:
Test: first account, account type - administrator, is in the sudo group, password - qwerty
Test2: second account, account type - standard, is not in the sudo group, password - 123456
I can press "Unlock", enter the password from the first account, "qwerty" (but I'm logged in from the second account!?), and I get more permissions (root).
I ran tests on two PCs: the first PC is my main computer, and on the second PC elementaryOS was installed from scratch. Both PCs have elementaryOS 0.4.1 stable installed, with all upgrades. This bug appeared on both machines. This doesn't give attackers any advantage, because it still requires a password, but it is an unpleasant problem that should not exist.
PC specs:
Thanks for your attention, I hope this problem will be solved :)
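The "Unlock" prompt in AppCenter and pantheon-files is a polkit authentication dialog, and the polkit localauthority backend used on Ubuntu 16.04-based systems (which elementaryOS 0.4.1 builds on) decides whose password such a prompt accepts from the AdminIdentities key in /etc/polkit-1/localauthority.conf.d/*.conf. The script below is an added example, not code from the original post or from elementary, that reports which accounts polkit currently treats as administrators on a machine. It assumes the polkit 0.105-era .conf format (an [Configuration] section with an AdminIdentities= key, values separated by ";") and that the last file in lexical order takes effect; the sample configuration embedded in it is constructed for the example and mirrors the Ubuntu default.

```python
"""List the accounts whose passwords polkit's localauthority backend will
accept at an auth_admin ("Unlock") prompt.

Added example, not part of the original bug report. Assumptions:
  - polkit 0.105-style config in /etc/polkit-1/localauthority.conf.d/*.conf
  - an [Configuration] section holding AdminIdentities=...;...
  - the last .conf file in lexical order defines the effective value
The SAMPLE_CONF text is constructed here and mirrors the Ubuntu default.
"""
import configparser
import glob
import grp
import os
import pwd

CONF_DIR = "/etc/polkit-1/localauthority.conf.d"

# Constructed sample, equivalent to Ubuntu's 51-ubuntu-admin.conf.
SAMPLE_CONF = """[Configuration]
AdminIdentities=unix-group:sudo;unix-group:admin
"""


def parse_admin_identities(text):
    """Return the AdminIdentities entries from one localauthority .conf text."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # polkit keys are case-sensitive; keep them as written
    parser.read_string(text)
    if not parser.has_option("Configuration", "AdminIdentities"):
        return []
    value = parser.get("Configuration", "AdminIdentities")
    return [item.strip() for item in value.split(";") if item.strip()]


def effective_admin_identities(conf_texts):
    """Pick the AdminIdentities that takes effect when several .conf files exist.

    conf_texts must already be in lexical filename order; the last file that
    sets the key wins (assumption stated in the module docstring).
    """
    effective = []
    for text in conf_texts:
        identities = parse_admin_identities(text)
        if identities:
            effective = identities
    return effective


def _system_group_members(group):
    """Members of a local group: secondary members plus users whose primary gid is the group."""
    try:
        entry = grp.getgrnam(group)
    except KeyError:
        return set()
    members = set(entry.gr_mem)
    members.update(u.pw_name for u in pwd.getpwall() if u.pw_gid == entry.gr_gid)
    return members


def resolve_identities(identities, group_members=_system_group_members):
    """Expand unix-user:/unix-group: identities to a sorted list of user names.

    group_members(name) -> iterable of member names; defaults to the running
    system's group database, but can be injected for offline use.
    Unknown identity kinds are ignored rather than guessed at.
    """
    users = set()
    for ident in identities:
        kind, _, name = ident.partition(":")
        if kind == "unix-user":
            users.add(name)
        elif kind == "unix-group":
            users.update(group_members(name))
    return sorted(users)


def load_system_conf_texts(conf_dir=CONF_DIR):
    """Read every *.conf under conf_dir in lexical order (empty list if absent)."""
    texts = []
    for path in sorted(glob.glob(os.path.join(conf_dir, "*.conf"))):
        with open(path, encoding="utf-8") as handle:
            texts.append(handle.read())
    return texts


if __name__ == "__main__":
    texts = load_system_conf_texts() or [SAMPLE_CONF]
    identities = effective_admin_identities(texts)
    print("AdminIdentities:", ";".join(identities) or "(none)")
    print("Accounts accepted at an Unlock prompt:", ", ".join(resolve_identities(identities)) or "(none)")
```

Run it as the second (standard) account: if the first account appears in the output, its password is one polkit will accept at the Unlock prompt regardless of who is logged in, which is the behaviour the report describes; the login screen and sudo go through PAM and the sudoers policy instead, so they are unaffected by this key.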