Date: Sat, 13 Jan 2007 16:39:53 -0500
From: Anish Mistry <amistry@am-productions.biz>
To: infofarmer@freebsd.org
Cc: FreeBSD Ports <ports@freebsd.org>, Doug Barton <dougb@freebsd.org>, UMENO Takashi <umeno@rr.iij4u.or.jp>, "Simon L. Nielsen" <simon@freebsd.org>, Tobias Roth <ports@fsck.ch>
Subject: Re: xlockmore - serious security issue
Message-ID: <200701131640.14471.amistry@am-productions.biz>
In-Reply-To: <cb5206420701131119o39a9a894wc48743ede116fcd8@mail.gmail.com>
References: <cb5206420606130418x706ccd61t5840bd2b0c00f61b@mail.gmail.com> <20060613234027.GC1074@zaphod.nitro.dk> <cb5206420701131119o39a9a894wc48743ede116fcd8@mail.gmail.com>
On Saturday 13 January 2007 14:19, Andrew Pantyukhin wrote:
> On 6/14/06, Simon L. Nielsen <simon@freebsd.org> wrote:
> > On 2006.06.13 18:51:48 +0400, Andrew Pantyukhin wrote:
> > > On 6/13/06, Anish Mistry <amistry@am-productions.biz> wrote:
> > > > On Tuesday 13 June 2006 07:54, Andrew Pantyukhin wrote:
> > > > > On 6/13/06, Anton Berezin <tobez@tobez.org> wrote:
> > > > > > On Tue, Jun 13, 2006 at 03:18:16PM +0400, Andrew Pantyukhin wrote:
> > > > > > > The problem is that xlockmore exits all by itself when
> > > > > > > left alone for a couple of days. It works all right
> > > > > > > overnight, but when left for the weekend, it almost
> > > > > > > certainly fails. I just come to work and see that my
> > > > > > > workstation is unlocked, what a surprise.
> > > > [...]
> > > >
> > > > I just stick with a blank screen and it works fine for several
> > > > weeks at a time. I found some of the GL screensavers to
> > > > cause problems.
> > >
> > > Ask me - we should mark this port forbidden and/or make
> > > an entry in vuxml until we resolve this issue. Let's make
> > > blank screen the default behavior or something. To leave
> > > this as is is unacceptable.
> >
> > FORBIDDEN and a VuXML entry seems a bit overkill to me,
> > since it's not really a vulnerability, but I'm open to input.
> >
> > As mentioned by others, xlockmore is fundamentally flawed
> > wrt. guaranteeing that the screen stays locked, in that the
> > screensaver code can kill the lock, which should not be able
> > to happen.
> >
> > Has anyone contacted the xlockmore author for comment on this
> > issue?
> >
> > One thing we could do right now is to add a message at install
> > time warning that xlockmore might unlock the screen (a bit like
> > the Pine warning).
>
> High time we settled on something.
>
> Now that we had this discussion, I only use the swarm
> mode and never had any problems with it. But what
> about those who still don't know about the issues?
> I've been in situations where accidental unlocking
> was unacceptable. In most cases unlocking implies
> immediate root access to the local machine (which
> is also possible, but more complicated, with plain
> physical access), but more importantly - decrypted
> auth info in RAM, such as ssh keys. This is a major
> security breach. IMHO, we can't overestimate it.
>
> I'm quite sure an ignorable/overlookable message is
> not enough. A user must fully understand all the
> implications of this software being used. If it's
> fundamentally flawed, let's forbid/remove it _until_
> the author has a statement for us, not after that.

I think a VuXML entry should be added, and the port should then be
updated to allow only the known good modes (blank and swarm so far are
fine). Then see if we get a response from the author, and/or try to
debug the problem ourselves.

-- 
Anish Mistry
amistry@am-productions.biz
AM Productions
http://am-productions.biz/
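The design point Simon raises in the quoted text (saver code must not be able to kill the lock) is illustrated below. This is an added example for readers of the archive, not code from the thread or from xlockmore: the "screen", the crashing saver mode, the child-process saver and the `EXPECTED_PASSWORD` credential are all constructed for the demo. It contrasts a monolithic locker, where a mode exception ends the event loop and the display is released, with an isolated design in which the lock owner only ever runs the authenticator and restarts saver children that die.

```python
import hmac
import subprocess
import sys

# Constructed toy model, not xlockmore code: the "screen" is an object with a
# lock flag; a saver "mode" is a Python callable (monolithic design) or a
# command run in a child process (isolated design).

EXPECTED_PASSWORD = b"correct horse"  # constructed credential for the demo


class Screen:
    def __init__(self):
        self.locked = True
        self.saver_failures = 0
        self.frames_drawn = 0


def crashing_mode(frame):
    """Constructed saver mode: fails on every third frame, standing in for a
    GL mode that dies after hours or days of running."""
    if frame % 3 == 2:
        raise RuntimeError("mode crashed")
    return frame


def flawed_locker(screen, mode, frames):
    """Monolithic design: the mode runs inside the locker's own event loop, so
    an exception escaping the mode ends the loop.  In a real locker the
    process simply exits and X hands the display back to the user; that is
    modelled here as locked=False."""
    try:
        for frame in range(frames):
            mode(frame)
            screen.frames_drawn += 1
    except Exception:
        screen.locked = False
    return screen


# Child-process saver for the isolated design: exits non-zero on every third
# frame, mirroring crashing_mode above.
SAVER_CHILD = [sys.executable, "-c",
               "import sys; f = int(sys.argv[1]); sys.exit(1 if f % 3 == 2 else 0)"]


def isolated_locker(screen, frames):
    """Isolated design: the lock owner never executes mode code itself.  Each
    frame (really each saver lifetime) is a child process; a non-zero exit is
    counted and the saver is restarted.  The only code path that clears
    screen.locked is authenticate()."""
    for frame in range(frames):
        result = subprocess.run(SAVER_CHILD + [str(frame)])
        if result.returncode != 0:
            screen.saver_failures += 1  # saver died; lock untouched
            continue
        screen.frames_drawn += 1
    return screen


def authenticate(screen, password):
    """Single unlock path: constant-time compare against the constructed
    credential.  Returns the lock state after the attempt."""
    if hmac.compare_digest(password, EXPECTED_PASSWORD):
        screen.locked = False
    return screen.locked


if __name__ == "__main__":
    a = flawed_locker(Screen(), crashing_mode, frames=6)
    print("monolithic:", "still locked" if a.locked else "UNLOCKED by saver crash")
    b = isolated_locker(Screen(), frames=6)
    print("isolated:  ", "locked" if b.locked else "unlocked",
          f"after {b.saver_failures} saver crashes")
```

Run stand-alone, the monolithic locker reports the display unlocked after the first mode crash, while the isolated locker survives two saver crashes and stays locked until `authenticate()` is given the right credential. The same separation is what makes "blank and swarm only" a stopgap rather than a fix: restricting modes narrows the exposure, but only moving the lock out of the saver's failure domain removes it.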