Date: Thu, 13 Nov 2003 08:44:44 -0800 From: "Eugene M. Kim" <ab@astralblue.net> To: Terry Lambert <tlambert2@mindspring.com> Cc: current@freebsd.org Subject: Re: xscreensaver bug? Message-ID: <3FB3B4FB.1050304@astralblue.net> In-Reply-To: <3FB3758A.9B52625D@mindspring.com> References: <20031112091032.GA4425@cactus> <3FB3758A.9B52625D@mindspring.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Terry Lambert wrote: >jqdkf@army.com wrote: > >>I'm new in FreeBSD. I found that after I lock screen with xscreensaver, >>I can unlock it with the root's password as well as my normal user's >>password. I don't think it is a good thing. Is it a bug? >> > >It is intentional, although you can eliminate it with a recompile >of the xscreensaver code, with the right options set. > Wouldn't this lead to another security hazard, if a user compile his own hacked xscreensaver which captures and stashes the password into a file then runs it and leaves the terminal intentionally, `baiting' root? :o Although I can see the merit of this `feature', I think sysadmins should stay away from using it in general. `su -m thatuser -c "killall xscreensaver"' seems to be far safer. Eugene
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3FB3B4FB.1050304>