"Eugene M. Kim" wrote:
Terry Lambert wrote:
I'm new in FreeBSD. I found that after I lock screen with xscreensaver, I can unlock it with the root's password as well as my normal user's password. I don't think it is a good thing. Is it a bug?
It is intentional, although you can eliminate it with a recompile of the xscreensaver code, with the right options set.
Wouldn't this lead to another security hazard, if a user compile his own hacked xscreensaver which captures and stashes the password into a file then runs it and leaves the terminal intentionally, `baiting' root? :o
Not really. This type of thing would need to accept pretty much everything as a termination password, since there no password it can legitimately validate, since a user compiled trojan like this would not have access to the password database contents in order to perform validation.
If the trojan is SUID, then they already have root, and don't need the trojan.
Either way, there's no risk to just typing whatever crap you want to at it, including a message calling the user an idiot, the first time, to see if it's going to let you in without you giving it the real root password.
Validating a root password is possible with other means in many cases, if not always. OpenSSH sshd is a good example. Even with PermitRootLogin set to no, the attacker can differentiate whether the password has been accepted or not.
If attacker is able enough, he could also run a hacked version of Xnest on port 6000+N and the real xscreensaver on :N.0 for a suitable N. Attacker would feed the real xscreensaver with the captured password and see if the real xscreensaver releases the server grab.
Eugene
_______________________________________________ [EMAIL PROTECTED] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "[EMAIL PROTECTED]"
