Date: Wed, 18 Nov 1998 10:25:15 +0100
From: Andre Albsmeier <andre.albsmeier@mchp.siemens.de>
To: Peter Jeremy <peter.jeremy@auss2.alcatel.com.au>, security@FreeBSD.ORG
Subject: Re: Would this make FreeBSD more secure?
Message-ID: <19981118102515.A1623@internal>
In-Reply-To: <98Nov18.075152est.40335@border.alcanet.com.au>; from Peter Jeremy on Wed, Nov 18, 1998 at 07:52:13AM +1100
References: <98Nov18.075152est.40335@border.alcanet.com.au>

On Wed, 18-Nov-1998 at 07:52:13 +1100, Peter Jeremy wrote:
> Andre Albsmeier <andre.albsmeier@mchp.siemens.de> wrote:
> >I just was alarmed by xlockmore that a program runs setuid root all the time
> >only to check the password the user enters.
> In the case of xlockmore (and similar programs), the logical approach
> would seem to be to split the functionality into two processes: the
> parent process remains privileged(*), but all it would do is seize the
> keyboard/mouse, blank the screen and spawn children to actually display
> the pretty patterns. The children don't need to be privileged, and if
> one crashes, the parent can just start another.
>
> An alternative approach would be to have the entire saver run
> non-privileged and call a privileged program to check the password.
> Securely writing the password checking program (so it couldn't be
> used for password cracking) is non-trivial.

Isn't that a bit overkill if we have a simpler solution?

>
> > And, regardless whether xlockmore
> >has known bugs or not,
> xlockmore-4.10 definitely does have bugs - several of the standard saver
> modes will die with SIGFPE (suddenly unlocking your screen).

Never (and I mean never :-)) saw that on my 14 machines. But I have to say
that I left out some of the modules (the ones that suck cpu time).

>
> (*) Currently, this means setuid root, but all it needs is sufficient
> privileges to validate a password.
>
> Peter

	-Andre

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19981118102515.A1623>