xscreensaver bug?

Terry Lambert tlambert2 at mindspring.com
Fri Nov 14 01:32:43 PST 2003


"Eugene M. Kim" wrote:
> Terry Lambert wrote:
> >>I'm new in FreeBSD. I found that after I lock screen with xscreensaver,
> >>I can unlock it with the root's password as well as my normal user's
> >>password. I don't think it is a good thing. Is it a bug?
> >
> >It is intentional, although you can eliminate it with a recompile
> >of the xscreensaver code, with the right options set.
> 
> Wouldn't this lead to another security hazard, if a user compile his own
> hacked xscreensaver which captures and stashes the password into a file
> then runs it and leaves the terminal intentionally, `baiting' root? :o

Not really.  This type of thing would need to accept pretty much
everything as a termination password, since there no password it
can legitimately validate, since a user compiled trojan like this
would not have access to the password database contents in order
to perform validation.

If the trojan is SUID, then they already have root, and don't need
the trojan.

Either way, there's no risk to just typing whatever crap you want
to at it, including a message calling the user an idiot, the first
time, to see if it's going to let you in without you giving it the
real root password.


> Although I can see the merit of this `feature', I think sysadmins should
> stay away from using it in general.  `su -m thatuser -c "killall
> xscreensaver"' seems to be far safer.

See other post.  You can permanently lose focus this way, effectively
locking up the machine.  If you want to be that draconian, you might
as well just reset the session, rather than screwing around with the
vagaries of XGrabCursor, etc..

-- Terry


More information about the freebsd-current mailing list