Vulnerability Development mailing list archives
Re: FW: Possible flaw in XFree?
From: strange () nsk yi org
Date: Sat, 29 Jun 2002 18:10:58 +0100
My reply I sent personally:
On Sat, Jun 29, 2002 at 09:16:26AM -0400, Andy Wood wrote:
> First, I do not believe there is a problem with switching consoles as each console is the user's responsibility, but if they secure their consoles and xwin and you can end around it with a default config there is a problem.
The problem here is that he thought that by securing the X console he was securing the text console also.
> Microsoft got torn up about being able to ctrl-alt-del and end tasking the screen saver to avoid the password issue.
You can't avoid the screen saver password by ctrl+alt+bs. You'll kill the session, not just the screen saver. The ctrl+alt+bs is comparable to the new Windows XP, when you can lock your session but other users can still create their own sessions.
> It is a serious security hole, and, because of that should not be the default configuration, even if it is fixable.
It's not a security hole, you can't gain any privileges by ctrl+alt+bs a user's X session. It is an annoyance, but I'd rather have that than have X block my screen and be unable to kill it. I wouldn't mind packagers to ship it without that option as default (I would just activate it on my own), but I don't think that's a security issue.
> Someone only has to miss it on one system once and a security breach can occur. Using a graphical (give me a break) manager is surely not an acceptable solution.
What's wrong with using a graphical manager? I'd rather enter just my name & password than then execute 'exec startx' or 'startx & exit'.
> I hate MS and it makes me happy to hear them get slapped around when a ridiculous default config causes a major security hole. So, the same standard needs to be applied here...especially when you know who is watching and looking for anything to discredit a real OS to better leverage their sub-standard trash code.
Again, I don't think this is a security hole, much less a "major security hole". I can't gain anything by ctrl+alt+bs some user's X session, I'll just annoy him. And sometimes I just need to "zap" his session.
Regards,
Luciano Rocha