From owner-freebsd-current@FreeBSD.ORG  Fri Nov 14 01:19:50 2003
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Delivered-To: freebsd-current@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id A314E16A4CE
	for <current@freebsd.org>; Fri, 14 Nov 2003 01:19:50 -0800 (PST)
Received: from stork.mail.pas.earthlink.net (stork.mail.pas.earthlink.net
	[207.217.120.188])
	by mx1.FreeBSD.org (Postfix) with ESMTP id DB3C143FE1
	for <current@freebsd.org>; Fri, 14 Nov 2003 01:19:49 -0800 (PST)
	(envelope-from tlambert2@mindspring.com)
Received: from user-38lc14c.dialup.mindspring.com ([209.86.4.140]
	helo=mindspring.com)
	by stork.mail.pas.earthlink.net with asmtp (SSLv3:RC4-MD5:128)
	(Exim 3.33 #1)	id 1AKa6N-0005bX-00; Fri, 14 Nov 2003 01:18:52 -0800
Message-ID: <3FB49DBC.C5FB385A@mindspring.com>
Date: Fri, 14 Nov 2003 01:17:48 -0800
From: Terry Lambert <tlambert2@mindspring.com>
X-Mailer: Mozilla 4.79 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Craig Boston <craig@xfoil.gank.org>
References: <20031112091032.GA4425@cactus> <3FB3758A.9B52625D@mindspring.com>
	<200311130817.41809.craig@xfoil.gank.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-ELNK-Trace: b1a02af9316fbb217a47c185c03b154d40683398e744b8a4c880d92af1d1fd30992eb525ff67aec4667c3043c0873f7e350badd9bab72f9c350badd9bab72f9c
cc: current@freebsd.org
Subject: Re: xscreensaver bug?
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Nov 2003 09:19:50 -0000

Craig Boston wrote:
> > Absolutely worst case, the root user could log in remotely, gdb
> > your screen saver, type "foobar" as the password, and then hack
> > the authentication function return value to say "yes, that's the
> > correct password for "jqdkf@army.com", and get in without needing
> > to have xscreensaver accept the root password.
> 
> Or, even easier, log in remotely as root and simply "killall -9 xscreensaver".
> I've had to do that a few times myself when I first tried out pam_krb5 and
> learned the hard way that xscreensaver doesn't like it very much (and my user
> account has * in the local password field).

I've seen a kill of xscreensaver using a nontrappable signal leave
the focus permanently hosed (until the X server is restarted); not
very useful, if you want to poke around in the active session.

-- Terry