xlockmore - serious security issue
Anish Mistry
amistry at am-productions.biz
Sat Jan 13 22:15:47 UTC 2007
On Saturday 13 January 2007 14:19, Andrew Pantyukhin wrote:
> On 6/14/06, Simon L. Nielsen <simon at freebsd.org> wrote:
> > On 2006.06.13 18:51:48 +0400, Andrew Pantyukhin wrote:
> > > On 6/13/06, Anish Mistry <amistry at am-productions.biz> wrote:
> > > >On Tuesday 13 June 2006 07:54, Andrew Pantyukhin wrote:
> > > >> On 6/13/06, Anton Berezin <tobez at tobez.org> wrote:
> > > >> > On Tue, Jun 13, 2006 at 03:18:16PM +0400, Andrew Pantyukhin
wrote:
> > > >> > > The problem is that xlockmore exits all by itself when
> > > >> > > left alone for a couple of days. It works all right
> > > >> > > overnight, but when left for the weekend, it almost
> > > >> > > certainly fails. I just come to work and see that my
> > > >> > > workstation is unlocked, what a surprise.
> >
> > [...]
> >
> > > >I just stick with a blank screen and works fine for several
> > > > weeks at a time. I found some of the GL screensavers to
> > > > cause problems.
> > >
> > > Ask me - we should mark this port forbidden and/or make
> > > and entry in vuxml until we resolve this issue. Let's make
> > > blank screen the default behavior or something. To leave
> > > this as is is unacceptable.
> >
> > FORBIDDEN and a VuXML entry seems in a way a bit overkill to me
> > seems a bit overkill to me, since it's not really a
> > vulnerability, but I'm open to input.
> >
> > As mentioned by others, xlockmore is fundamentally flawed
> > wrt. guaranteeing that the screen stays locked in that the
> > screensavers code can kill the lock, which it should not be able
> > to happen.
> >
> > Has anyone contacted the xlockmore author for comment on this
> > issue?
> >
> > One thing we could do right now is to add a message at install
> > time warning that xlockmore might unlock the screen (a bit like
> > the Pine warning).
>
> High time we settled on something.
>
> Now that we had this discussion, I only use the swarm
> mode and never had any problems with it. But what
> about those who still don't know about the issues?
> I've been in situations where accidental unlocking
> was unacceptable. In most cases unlocking implies
> immediate root access to the local machine (which
> is also possible, but more complicated, with plain
> physical access), but more importantly - decrypted
> auth info in RAM, such as ssh keys. This is a major
> security breach. IMHO, we can't overestimate it.
>
> I'm quite sure an ignorable/overlookable message is
> not enough. A user must fully understand all the
> implications of this software being used. If it's
> fundamentally flawed, let's forbid/remove it _until_
> the author has a statement for us, not after that.
I think adding a VuXML entry should be added, the port should then be
updated to allow only the know good modes (blank and swarm so far are
fine). Then see if we get a response from the author, and/or try to
debug the problem ourselves.
--
Anish Mistry
amistry at am-productions.biz
AM Productions http://am-productions.biz/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-ports/attachments/20070113/4bb8199f/attachment.pgp
More information about the freebsd-ports
mailing list