xscreensaver bug?

Craig Boston craig at xfoil.gank.org
Thu Nov 13 06:17:48 PST 2003


> Absolutely worst case, the root user could log in remotely, gdb
> your screen saver, type "foobar" as the password, and then hack
> the authentication function return value to say "yes, that's the
> correct password for "jqdkf at army.com", and get in without needing
> to have xscreensaver accept the root password.

Or, even easier, log in remotely as root and simply "killall -9 xscreensaver".
I've had to do that a few times myself when I first tried out pam_krb5 and 
learned the hard way that xscreensaver doesn't like it very much (and my user 
account has * in the local password field).

Craig


