xlockmore - serious security issue

Peter Jeremy peterjeremy at optushome.com.au
Sun Jan 14 18:28:47 UTC 2007


[I'm not sure why this thread is being resurrected after 6 months]

On Sat, 2007-Jan-13 22:19:49 +0300, Andrew Pantyukhin wrote:
>On 6/14/06, Simon L. Nielsen <simon at freebsd.org> wrote:
>>On 2006.06.13 18:51:48 +0400, Andrew Pantyukhin wrote:
>>> On 6/13/06, Anish Mistry <amistry at am-productions.biz> wrote:
>>> >On Tuesday 13 June 2006 07:54, Andrew Pantyukhin wrote:
>>> >> On 6/13/06, Anton Berezin <tobez at tobez.org> wrote:
>>> >> > On Tue, Jun 13, 2006 at 03:18:16PM +0400, Andrew Pantyukhin wrote:
>>> >> > > The problem is that xlockmore exits all by itself when
>>> >> > > left alone for a couple of days. It works all right overnight,
>>> >> > > but when left for the weekend, it almost certainly fails. I
>>> >> > > just come to work and see that my workstation is unlocked,
>>> >> > > what a surprise.

I came across this problem several years ago.  I drive xlock from
another program (that records my working time) so I just modified my
calling program to loop until xlock exits normally.  As a result,
when xlock crashes, I see the unlocked screen flash and then relock.
That's good enough for me.

>Now that we had this discussion, I only use the swarm
>mode and never had any problems with it. But what
>about those who still don't know about the issues?

I agree that this would be an issue for some people.  It's not clear
to me that it's enough of an issue to forbid the port.

>I'm quite sure an ignorable/overlookable message is
>not enough.

This is a generic problem with the existing pkg_message approach.

> A user must fully understand all the
>implications of this software being used. If it's
>fundamentally flawed, let's forbid/remove it _until_
>the author has a statement for us, not after that.

As an alternative, how about we just install xlock in ${X11BASE}/libexec
and have ${X11BASE}/bin/xlock be something like:

#!/bin/sh
until ${X11BASE}/libexec/xlock "$@" ; do true; done

(Add error checking as necessary).
-- 
Peter Jeremy
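
The wrapper loop proposed in the message above, with the error checking it leaves open filled in, as an added example that is not part of the original post or of the port. The function name `relock_loop`, the `RELOCK_*` variables, the thresholds and the return codes 2 and 3 are assumptions made for illustration; treating exit status 0 as a normal unlock follows the `until` loop in the message.

```shell
#!/bin/sh
# Added example, not the port's script: relaunch a locker until it exits 0.
# Assumption: a run shorter than RELOCK_MIN_RUN seconds is a startup failure
# (bad arguments, no display), not the crash-after-days case from the thread.
RELOCK_MIN_RUN=${RELOCK_MIN_RUN:-5}    # seconds (constructed default)
RELOCK_MAX_FAST=${RELOCK_MAX_FAST:-3}  # consecutive startup failures tolerated
RELOCK_DELAY=${RELOCK_DELAY:-1}        # pause between relaunches, in seconds

# relock_loop CMD [ARGS...]   (hypothetical helper)
# Returns 0 when CMD exits normally, 2 when CMD cannot be executed,
# 3 when CMD keeps dying at startup. Callers must treat 2 and 3 as
# "screen is NOT locked" and fall back to something else.
relock_loop() {
    fast=0
    while :; do
        start=$(date +%s)
        st=0
        "$@" || st=$?
        if [ "$st" -eq 0 ]; then
            return 0
        fi
        # 126/127 are the shell's "cannot execute" / "not found" statuses;
        # retrying cannot help and would spin forever.
        if [ "$st" -eq 126 ] || [ "$st" -eq 127 ]; then
            echo "relock: cannot run $1 (status $st)" >&2
            return 2
        fi
        ran=$(( $(date +%s) - start ))
        if [ "$ran" -lt "$RELOCK_MIN_RUN" ]; then
            fast=$((fast + 1))
        else
            fast=0
        fi
        echo "relock: $1 exited with status $st after ${ran}s" >&2
        if [ "$fast" -ge "$RELOCK_MAX_FAST" ]; then
            echo "relock: $1 keeps failing at startup, giving up" >&2
            return 3
        fi
        sleep "$RELOCK_DELAY"
    done
}

# Wrapper use; the path is a placeholder for the real binary's location:
#   relock_loop /path/to/libexec/xlock "$@" || exit $?
```

Relaunching does not close the gap between the crash and the new lock, which the message describes as the unlocked screen flashing; the stderr lines at least record how often that happened.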