Vulnerability Development mailing list archives

Re: FW: Possible flaw in XFree?

From: strange () nsk yi org
Date: Sat, 29 Jun 2002 18:10:58 +0100


My reply I sent personally:

On Sat, Jun 29, 2002 at 09:16:26AM -0400, Andy Wood wrote:

      First, I do not believe there is s problem with switching
consoles as each sonsole is the users responsibility, but if they secure
their consoles and xwin and you can end around it with a default config
there is a problem.


The problem here is that he thought that by securing the X console he was
securing the text console also.

Microsoft got tore up about being able to
ctrl-alt-del and end tasking the screen saver to avoid the password
issue.


You can't avoid the screen saver password by ctrl+alt+bs. You'll kill the
session, not just the screen saver. The ctrl+alt+bs is comparable to the
new Windows XP, when you can lock your session but other users can still
create their own sessions.

It is a serious security hole, and, because of that should not
be the default configuration, even if it is fixable.


It's not a security hole, you can't gain any privileges by ctrl+alt+bs a
user's X session. It is an annoyance, but I'll rather have that than have
X block my screen and be unable to kill it.

I wouldn't mind packagers to ship it without that option as default (I
would just activate it on my own), but I don't think that's a security
issue.

Someone only has
to miss it on one system once and a security breach can occur.  Using a
graphical (give me a break) manager is surely not an acceptable
solution.


What's wrong with using a graphical manager? I'll rather enter just my
name & password than then execute 'exec startx' or 'startx & exit'.

      I hate MS and it makes me happy to hear them get slapped around
when a ridiculous default config causes a major security hole. So, the
same standard needs to be applied here...especially when you know who is
watching and looking for anything to discredit a real OS to better
leverage their sub-standard trash code.


Again, I don't think this is a security hole, much less a "major security
hole". I can't gain anything by ctrl+alt+bs some user's X session, I'll
just annoy him. And sometimes I just need to "zap" his sesion.

Regards,
Luciano Rocha

Current thread:

Re: Possible flaw in XFree?, (continued)
- - - Re: Possible flaw in XFree? Timothy J . Miller (Jun 29)
    - Re: Possible flaw in XFree? strange (Jun 28)
    - Re: Possible flaw in XFree? Ross Nelson (Jun 29)
    - Re: Possible flaw in XFree? Michael Jennings (Jun 29)
    - Simple Wais 1.11 allows users to execute commands as SWAIS deamon. John Thornton (Jun 29)
    - Re: Possible flaw in XFree? Edsel Adap (Jun 29)
- Re: Possible flaw in XFree? Blue Boar (Jun 29)
- Re: Possible flaw in XFree? Patrick van Zweden (Jun 28)
  - Re: Possible flaw in XFree? mdonnelly (Jun 28)
- FW: Possible flaw in XFree? Andy Wood (Jun 29)
  - Re: FW: Possible flaw in XFree? strange (Jun 29)
    - Re: FW: Possible flaw in XFree? Nick Lange (Jun 29)
    - Re: FW: Possible flaw in XFree? Michael Jennings (Jun 29)
    - Re: FW: Possible flaw in XFree? strange (Jun 29)