Bugtraq mailing list archives

Re: Annoying Solaris/CDE/NIS+ bug

From: fcusack () ICONNET NET (Frank Cusack)
Date: Tue, 13 Oct 1998 21:03:16 -0400


dbell <dbell () BWAY NET> writes:

I didn't see this, or anything similar to it in the archives, but please
forgive me if it's well known:

If a Solaris 2.6 host is a NIS+ client, and any user other than root is
running CDE at the console, CDE's screen locking feature does not work.
Any random string is sufficient to unlock to console. Obviously, this is


The bug has nothing to do with NIS+. The CDE screenlocker (dtsession)
accepts either the user's password or the root password to unlock
the screen.

When root doesn't have a password, it accepts anything. A bug? hardly.
Install a root password.

[...]

--
Frank Cusack       + Today's Haiku   No keyboard present
Icon CMT Corp.     + error message:  Hit F1 to continue
PGP: C001AA75      +                 Zen engineering?

Current thread:

Re: /tmp race in mc-4.5.0, (continued)
- - - Re: /tmp race in mc-4.5.0 Bennett Todd (Oct 14)
    - Re: /tmp race in mc-4.5.0 Marc Heuse (Oct 14)
    - [NTSEC] DoS attack in MS - Proxy 2.0 Jason Garms (Oct 15)
    - IRIX xterm(1) exploitable buffer overflow SGI Security Coordinator (Oct 15)
    - IRIX Xaw library exploitable buffer overflow SGI Security Coordinator (Oct 15)
    - Microsoft Security Bulletin (MS98-015) Aleph One (Oct 16)
    - HP-UX 10.20 SharedX Receiver Service DoS Security Research Team (Oct 16)
    - Breaking Finger in AIX 4.2 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (Oct 20)
    - Re: Breaking Finger in AIX 4.2 Troy A. Bollinger (Oct 20)
    - Alert: IE 4.0 Security Zone compromise Aleph One (Oct 20)
  - Re: Annoying Solaris/CDE/NIS+ bug Frank Cusack (Oct 13)