From: Terry Lambert <tlambert2@mindspring.com>
Date: Fri, 14 Nov 2003 01:29:57 -0800
To: "Eugene M. Kim"
Cc: current@freebsd.org
Subject: Re: xscreensaver bug?
Message-ID: <3FB4A095.AF27549F@mindspring.com>
References: <20031112091032.GA4425@cactus> <3FB3758A.9B52625D@mindspring.com> <3FB3B4FB.1050304@astralblue.net>
List-Id: Discussions about the use of FreeBSD-current

"Eugene M. Kim" wrote:
> Terry Lambert wrote:
>
> >>I'm new in FreeBSD. I found that after I lock screen with xscreensaver,
> >>I can unlock it with the root's password as well as my normal user's
> >>password. I don't think it is a good thing. Is it a bug?
> >
> >It is intentional, although you can eliminate it with a recompile
> >of the xscreensaver code, with the right options set.
>
> Wouldn't this lead to another security hazard, if a user compiles his own
> hacked xscreensaver which captures and stashes the password into a file,
> then runs it and leaves the terminal intentionally, `baiting' root? :o

Not really. This type of thing would need to accept pretty much
everything as a termination password, since there is no password it
can legitimately validate: a user-compiled trojan like this would not
have access to the password database contents in order to perform
validation. If the trojan is SUID, then they already have root, and
don't need the trojan.

Either way, there's no risk to just typing whatever crap you want at
it, including a message calling the user an idiot, the first time, to
see if it's going to let you in without you giving it the real root
password.

> Although I can see the merit of this `feature', I think sysadmins should
> stay away from using it in general. `su -m thatuser -c "killall
> xscreensaver"' seems to be far safer.

See other post. You can permanently lose focus this way, effectively
locking up the machine. If you want to be that draconian, you might
as well just reset the session, rather than screwing around with the
vagaries of XGrabCursor, etc.

-- Terry