Vulnerability Development mailing list archives

FW: Possible flaw in XFree?

From: "Andy Wood" <network.design () cox net>
Date: Sat, 29 Jun 2002 09:19:10 -0400

        First, I do not believe there is s problem with switching
consoles as each sonsole is the users responsibility, but if they secure
their consoles and xwin and you can end around it with a default config
there is a problem.  Microsoft got tore up about being able to
ctrl-alt-del and end tasking the screen saver to avoid the password
issue.  It is a serious security hole, and, because of that should not
be the default configuration, even if it is fixable.  Someone only has
to miss it on one system once and a security breach can occur.  Using a
graphical (give me a break) manager is surely not an acceptable
solution.

        I hate MS and it makes me happy to hear them get slapped around
when a ridiculous default config causes a major security hole. So, the
same standard needs to be applied here...especially when you know who is
watching and looking for anything to discredit a real OS to better
leverage their sub-standard trash code.

Andy


-----Original Message-----
From: strange () nsk yi org [mailto:strange () nsk yi org] 
Sent: Friday, June 28, 2002 7:32 PM
To: William N. Zanatta
Cc: vuln-dev () securityfocus com
Subject: Re: Possible flaw in XFree?


On Fri, Jun 28, 2002 at 02:34:01PM -0300, William N. Zanatta wrote:

   Firstly, thank you for the answers. But...

   You have explained how to start X without letting my console opened

and that Ctrl-Alt-Backspace is a feature. I already know that. The 
problem I see is: once the X session is locked, it is suposed to LOCK 
the system and don't let anyone just press Ctrl-Alt-Backspace and take

it down. Also it shouldn't let people switch to console by 
Ctrl-Alt-Fx. If it can't have such behavior, using xlock and stuffs 
like that isn't justified.

   Got it?? I'm not discussing on whether to run X by xdm, or by 
console, or even disabling 'DontZap'. I'm talking about one doing 
things when it shouldn't.


Unix/Linux is a multiuser system. If a user had the ability to lock the
system against anyone else, I would call that a bug.

As it is, a user has the ability to lock its sessions. That's the
purpose of xlock and likes.

And if the same user or another user has the ability to switch to a new
console and start its own X server or shell, I call that a multiuser
system.

So, as I see it, one is doing things as it should...

Regards,
Luciano Rocha

Current thread:

Re: Possible flaw in XFree?, (continued)
- - - Re: Possible flaw in XFree? Nick Lange (Jun 28)
    - Re: Possible flaw in XFree? Timothy J . Miller (Jun 29)
    - Re: Possible flaw in XFree? strange (Jun 28)
    - Re: Possible flaw in XFree? Ross Nelson (Jun 29)
    - Re: Possible flaw in XFree? Michael Jennings (Jun 29)
    - Simple Wais 1.11 allows users to execute commands as SWAIS deamon. John Thornton (Jun 29)
    - Re: Possible flaw in XFree? Edsel Adap (Jun 29)
- Re: Possible flaw in XFree? Blue Boar (Jun 29)
- Re: Possible flaw in XFree? Patrick van Zweden (Jun 28)
  - Re: Possible flaw in XFree? mdonnelly (Jun 28)
- FW: Possible flaw in XFree? Andy Wood (Jun 29)
  - Re: FW: Possible flaw in XFree? strange (Jun 29)
    - Re: FW: Possible flaw in XFree? Nick Lange (Jun 29)
    - Re: FW: Possible flaw in XFree? Michael Jennings (Jun 29)
    - Re: FW: Possible flaw in XFree? strange (Jun 29)