Date: Fri, 14 Nov 2003 01:29:57 -0800 From: Terry Lambert <tlambert2@mindspring.com> To: "Eugene M. Kim" <ab@astralblue.net> Cc: current@freebsd.org Subject: Re: xscreensaver bug? Message-ID: <3FB4A095.AF27549F@mindspring.com> References: <20031112091032.GA4425@cactus> <3FB3758A.9B52625D@mindspring.com> <3FB3B4FB.1050304@astralblue.net>
next in thread | previous in thread | raw e-mail | index | archive | help
"Eugene M. Kim" wrote: > Terry Lambert wrote: > >>I'm new in FreeBSD. I found that after I lock screen with xscreensaver, > >>I can unlock it with the root's password as well as my normal user's > >>password. I don't think it is a good thing. Is it a bug? > > > >It is intentional, although you can eliminate it with a recompile > >of the xscreensaver code, with the right options set. > > Wouldn't this lead to another security hazard, if a user compile his own > hacked xscreensaver which captures and stashes the password into a file > then runs it and leaves the terminal intentionally, `baiting' root? :o Not really. This type of thing would need to accept pretty much everything as a termination password, since there no password it can legitimately validate, since a user compiled trojan like this would not have access to the password database contents in order to perform validation. If the trojan is SUID, then they already have root, and don't need the trojan. Either way, there's no risk to just typing whatever crap you want to at it, including a message calling the user an idiot, the first time, to see if it's going to let you in without you giving it the real root password. > Although I can see the merit of this `feature', I think sysadmins should > stay away from using it in general. `su -m thatuser -c "killall > xscreensaver"' seems to be far safer. See other post. You can permanently lose focus this way, effectively locking up the machine. If you want to be that draconian, you might as well just reset the session, rather than screwing around with the vagaries of XGrabCursor, etc.. -- Terry
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3FB4A095.AF27549F>