xscreensaver bug?

Terry Lambert tlambert2 at mindspring.com
Fri Nov 14 01:19:50 PST 2003


Craig Boston wrote:
> > Absolutely worst case, the root user could log in remotely, gdb
> > your screen saver, type "foobar" as the password, and then hack
> > the authentication function return value to say "yes, that's the
> > correct password for 'jqdkf at army.com'", and get in without needing
> > to have xscreensaver accept the root password.
> 
> Or, even easier, log in remotely as root and simply "killall -9 xscreensaver".
> I've had to do that a few times myself when I first tried out pam_krb5 and
> learned the hard way that xscreensaver doesn't like it very much (and my user
> account has * in the local password field).

I've seen a kill of xscreensaver using a nontrappable signal leave
the focus permanently hosed (until the X server is restarted); not
very useful, if you want to poke around in the active session.

-- Terry


More information about the freebsd-current mailing list