From owner-freebsd-current@FreeBSD.ORG Fri Nov 14 14:08:31 2003
Message-ID: <3FB5524E.30107@astralblue.net>
Date: Fri, 14 Nov 2003 14:08:14 -0800
From: "Eugene M. Kim" <ab@astralblue.net>
To: Terry Lambert
cc: current@freebsd.org
Subject: Re: xscreensaver bug?
References: <20031112091032.GA4425@cactus> <3FB3758A.9B52625D@mindspring.com> <3FB3B4FB.1050304@astralblue.net> <3FB4A095.AF27549F@mindspring.com>
In-Reply-To: <3FB4A095.AF27549F@mindspring.com>
List-Id: Discussions about the use of FreeBSD-current

Terry Lambert wrote:
> "Eugene M. Kim" wrote:
>
>> Terry Lambert wrote:
>>
>>>> I'm new in FreeBSD. I found that after I lock screen with xscreensaver,
>>>> I can unlock it with the root's password as well as my normal user's
>>>> password. I don't think it is a good thing. Is it a bug?
>>>>
>>> It is intentional, although you can eliminate it with a recompile
>>> of the xscreensaver code, with the right options set.
>>>
>> Wouldn't this lead to another security hazard, if a user compiles his own
>> hacked xscreensaver which captures and stashes the password into a file,
>> then runs it and leaves the terminal intentionally, `baiting' root? :o
>>
>
> Not really. This type of thing would need to accept pretty much
> everything as a termination password, since there is no password it
> can legitimately validate, since a user-compiled trojan like this
> would not have access to the password database contents in order
> to perform validation.
>
> If the trojan is SUID, then they already have root, and don't need
> the trojan.
>
> Either way, there's no risk to just typing whatever crap you want
> to at it, including a message calling the user an idiot, the first
> time, to see if it's going to let you in without you giving it the
> real root password.
>

Validating a root password is possible with other means in many cases, if
not always. OpenSSH sshd is a good example. Even with PermitRootLogin set
to no, the attacker can differentiate whether the password has been
accepted or not.

If the attacker is able enough, he could also run a hacked version of Xnest
on port 6000+N and the real xscreensaver on :N.0 for a suitable N. The
attacker would feed the real xscreensaver with the captured password and
see if the real xscreensaver releases the server grab.

Eugene
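The point Eugene makes about sshd is that a local process can use the daemon as a password oracle for root even when root logins are disabled, because sshd still reports whether the password was right before refusing the session. From the defender's side, such probing leaves a trace: repeated root password attempts arriving from the loopback address. The script below is an added example, not code from the thread or from the xscreensaver or OpenSSH projects; it scans constructed sshd syslog lines, counts root password attempts per source, and flags those that come from the local host. The log wording it matches ("Failed password for ...", "Accepted password for ...", "ROOT LOGIN REFUSED FROM ...") is that of common OpenSSH releases and is an assumption here; adjust the patterns for other versions.

```python
import re
from collections import Counter

# OpenSSH password-authentication outcome lines in syslog format.
# The exact wording is assumed from common OpenSSH releases; verify
# against the sshd version actually deployed.
PASSWORD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)"
)
# Logged when root's credential was accepted but PermitRootLogin forbids
# the login: the distinguishing signal an oracle would rely on.
ROOT_REFUSED_RE = re.compile(r"sshd\[\d+\]: ROOT LOGIN REFUSED FROM (?P<src>\S+)")

# Constructed sample log (not from a real host, not from the thread).
SAMPLE_LOG = """\
Nov 14 14:01:02 host sshd[4416]: Failed password for root from 127.0.0.1 port 40001 ssh2
Nov 14 14:01:05 host sshd[4417]: Failed password for root from 127.0.0.1 port 40002 ssh2
Nov 14 14:01:09 host sshd[4418]: ROOT LOGIN REFUSED FROM 127.0.0.1
Nov 14 14:02:00 host sshd[4420]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
Nov 14 14:03:00 host sshd[4421]: Failed password for bob from 10.0.0.7 port 50100 ssh2
Nov 14 14:04:00 host sshd[4422]: Failed password for invalid user admin from 10.0.0.9 port 50200 ssh2
"""


def parse_sshd_line(line):
    """Return {'user', 'src', 'result'} for a password-auth outcome line, else None."""
    m = PASSWORD_RE.search(line)
    if m:
        return {"user": m.group("user"), "src": m.group("src"),
                "result": m.group("result").lower()}
    m = ROOT_REFUSED_RE.search(line)
    if m:
        return {"user": "root", "src": m.group("src"), "result": "refused"}
    return None


def is_local_source(src):
    """Loopback sources: a password probe from a process on the same host."""
    return src.startswith("127.") or src == "::1"


def find_root_password_probes(lines, threshold=1):
    """Count root password attempts per source; keep sources at or above threshold."""
    counts = Counter()
    for line in lines:
        rec = parse_sshd_line(line)
        if rec and rec["user"] == "root":
            counts[rec["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def local_root_probe_alerts(lines, threshold=1):
    """Alert strings for root password attempts originating on the local host."""
    probes = find_root_password_probes(lines, threshold)
    return [f"root password attempts from local source {src}: {n}"
            for src, n in sorted(probes.items()) if is_local_source(src)]


if __name__ == "__main__":
    for alert in local_root_probe_alerts(SAMPLE_LOG.splitlines()):
        print(alert)
```

In the sample the three loopback lines for root are reported while the key-based login and the non-root password failures are ignored. On a host with a single interactive user, any root password attempt over the loopback interface is worth an alert on its own; on a busier host raise `threshold` and correlate with the time the screen was locked.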