Re: Suggestion for a screensaver feature (Re: [Cooker] Please switch of kdm AutoReLogin: painful and dangerous)

2002-02-20 Thread Leon Brooks

On Wednesday 20 February 2002 08:14, Jamie Zawinski wrote:
> AutoReLogin should not exist, and I'm not going to modify xscreensaver
> to give the *illusion* that AutoReLogin is anything other than a gaping
> security hole.

Ayup, that sounds like the JWZ that we all know and love. (-:

Cheers; Leon




Re: Suggestion for a screensaver feature (Re: [Cooker] Please switch of kdm AutoReLogin: painful and dangerous)

2002-02-20 Thread Jamie Zawinski

Stephane Gourichon wrote:
> 
> I don't like the AutoReLogin feature. The X server (and process holding
> the session) should be stable. If it's not it has to be corrected.
> Relaunching a session automatically to pretend it's not nearly crashed
> is playing masquerade.

You are correct.  The words "AutoReLogin" and "security" can't be used
together.

> But since it exists, there must be some way to make it better.

No, I seriously doubt that.

> I have a suggestion (maybe it's what you thought, but here it is
> explicit): any screensaver may want to create a particular file (for
> example ~/.screen-locked -- common to all screen saver programs) to
> indicate that the screen is currently locked. 

AutoReLogin should not exist, and I'm not going to modify xscreensaver
to give the *illusion* that AutoReLogin is anything other than a gaping
security hole.

-- 
Jamie Zawinski
[EMAIL PROTECTED] http://www.jwz.org/
[EMAIL PROTECTED]   http://www.dnalounge.com/




Re: [Cooker] Please switch of kdm AutoReLogin: painful and dangerous

2002-02-14 Thread Stephane Gourichon

On Wed, 13 Feb 2002, David BAUDENS wrote:

> > IMO, this should be turned off by default! (AutoReLogin=false in
> > kdmrc)
>
> /.../
>
> It has never been activated by default.

This is strange. I think I've never activated it (I discovered the
option yesterday) and it was activated anyway.

Thank you.

-- 
Stéphane Gourichon





Re: [Cooker] Please switch of kdm AutoReLogin: painful and dangerous

2002-02-13 Thread Danny Tholen


Maybe AutoRelogin should also turn off Ctrl-Alt-Backspace. Or you can do it yourself.
In /etc/X11/XF86Config-4:

Section "ServerFlags"
    Option "DontZap"    # disable the Ctrl-Alt-Backspace server kill
EndSection


Danny

On Wednesday 13 February 2002 19:46, you wrote:
> --- Stephane Gourichon <[EMAIL PROTECTED]> wrote:
> > Hello,
> >
> > Mandrake 8.1 introduced a new feature, through the
> > new kdm: AutoReLogin.
> > It is supposed to build back the user session if X
> > crashes (or
> > Ctrl-Alt-Backspace is pressed, which is a handy way
> > not to wait for
> > eons for KDE to start when one actually wants
> > everything else but KDE,
> > but sometimes the default goes back to starting KDE
> > anyway).
> >
> >
> > Be aware that this opens a security hole !
> >
> > Whenever a screen is xlocked (xscreensaver, etc...),
> > anyone just has to
> > press Ctrl-Alt-Backspace to get re-logged in as the
> > previous user, but
> > without the screen locked. (See
> > http://www.google.com/search?q=autorelogin%20security)
>
> > IMO, this should be turned off by default!
> > (AutoReLogin=false in kdmrc)
>
> or maybe made a bit smarter, such as if password
> authentication is checked in Xscreensaver then when it
> autorelogins the Xscreensaver is automatically
> activated. Or maybe send it to the screensaver
> automatically regardless.
>
> > Perhaps, after disabling it by default, Mandrake may
> > consider turning
> > the default back to "on" in low security levels
> > and/or if autologin is
> > set to true.
> >
> > (I don't know, if it is fixed in 8.2, and I can't
> > test now.)
> >
> > Thanks.
> >
> > --
> > Stéphane Gourichon - Labo. d'Informatique de Paris 6
> > - AnimatLab
> > http://animatlab.lip6.fr - philo du dimanche
> > http://amphi-gouri.org/
> >
> > "Bonjour, je suis qu'une phrase entre guillemets
> > dans une signature,
> > mais si vous me recopiez dans votre signature
> > automatique d'e-mail,
> > alors je pourrai continuer à me reproduire comme un
> > virus. Merci !"
>
> =
> SI Reasoning
> [EMAIL PROTECTED]
>
> "To announce that there must be no criticism of the president or that we
> are to stand by the president, right or wrong, is not only unpatriotic and
> servile, but is morally treasonable to the American public." Theodore
> Roosevelt
>

-- 
"`Credit?' he said. `Aaaargggh...'
These two words are usually coupled together in the Old 
Pink Dog Bar."

- Ford in a spot of bother. 




Re: [Cooker] Please switch of kdm AutoReLogin: painful and dangerous

2002-02-13 Thread SI Reasoning


--- Stephane Gourichon <[EMAIL PROTECTED]> wrote:
> Hello,
> 
> Mandrake 8.1 introduced a new feature, through the
> new kdm: AutoReLogin.
> It is supposed to build back the user session if X
> crashes (or
> Ctrl-Alt-Backspace is pressed, which is a handy way
> not to wait for
> eons for KDE to start when one actually wants
> everything else but KDE,
> but sometimes the default goes back to starting KDE
> anyway).
> 
> 
> Be aware that this opens a security hole !
> 
> Whenever a screen is xlocked (xscreensaver, etc...),
> anyone just has to
> press Ctrl-Alt-Backspace to get re-logged in as the
> previous user, but
> without the screen locked. (See
> http://www.google.com/search?q=autorelogin%20security)
> 
> IMO, this should be turned off by default!
> (AutoReLogin=false in kdmrc)
> 

or maybe made a bit smarter, such as if password
authentication is checked in Xscreensaver then when it
autorelogins the Xscreensaver is automatically
activated. Or maybe send it to the screensaver
automatically regardless.



> 
> Perhaps, after disabling it by default, Mandrake may
> consider turning
> the default back to "on" in low security levels
> and/or if autologin is
> set to true.
> 
> (I don't know, if it is fixed in 8.2, and I can't
> test now.)
> 
> Thanks.
> 
> -- 
> Stéphane Gourichon - Labo. d'Informatique de Paris 6
> - AnimatLab
> http://animatlab.lip6.fr - philo du dimanche
> http://amphi-gouri.org/
> 
> "Bonjour, je suis qu'une phrase entre guillemets
> dans une signature,
> mais si vous me recopiez dans votre signature
> automatique d'e-mail,
> alors je pourrai continuer à me reproduire comme un
> virus. Merci !"
> 
> 


=
SI Reasoning
[EMAIL PROTECTED]

"To announce that there must be no criticism of the president or that we are to stand 
by the president, right or wrong, is not only unpatriotic and servile, but is morally 
treasonable to the American public."
Theodore Roosevelt





Re: [Cooker] Please switch of kdm AutoReLogin: painful and dangerous

2002-02-13 Thread David BAUDENS

On Wednesday 13 February 2002 16:57, you wrote:
> Hello,
>
> Mandrake 8.1 introduced a new feature, through the new kdm:
> AutoReLogin. It is supposed to build back the user session if X
> crashes (or Ctrl-Alt-Backspace is pressed, which is a handy way not
> to wait for eons for KDE to start when one actually wants everything
> else but KDE, but sometimes the default goes back to starting KDE
> anyway).
>
>
> Be aware that this opens a security hole !
>
> Whenever a screen is xlocked (xscreensaver, etc...), anyone just has
> to press Ctrl-Alt-Backspace to get re-logged in as the previous user,
> but without the screen locked. (See
> http://www.google.com/search?q=autorelogin%20security)
>
> IMO, this should be turned off by default! (AutoReLogin=false in
> kdmrc)

/.../

It has never been activated by default.


-- 
David BAUDENS
MandrakeSoft - http://www.mandrakesoft.com
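
Added example (not part of any message in this thread): a POSIX shell audit for the two settings the thread names, AutoReLogin in kdmrc and DontZap in the ServerFlags section of XF86Config-4. The kdmrc path is passed as an argument because the thread does not give it; the function names, and the assumption that the key may appear under any [section], are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print "section<TAB>value" for each section of a kdmrc-style INI file that
# sets AutoReLogin (comment lines skipped, last assignment in a section wins).
kdm_autorelogin() {
    awk '
        BEGIN { sec = "(no section)" }
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[.*\][ \t]*$/ {
            sec = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", sec); next
        }
        /^[ \t]*AutoReLogin[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t\r]+$/, "", val)
            if (!(sec in seen)) order[++n] = sec
            seen[sec] = tolower(val)
        }
        END { for (i = 1; i <= n; i++) printf "%s\t%s\n", order[i], seen[order[i]] }
    ' "$1"
}

# Exit 0 if an uncommented DontZap option is on inside Section "ServerFlags".
x_dontzap_enabled() {
    awk '
        { line = tolower($0); sub(/#.*/, "", line) }
        line ~ /^[ \t]*section[ \t]+"serverflags"/ { in_sf = 1; next }
        line ~ /^[ \t]*endsection/ { in_sf = 0 }
        in_sf && line ~ /dontzap/ && line !~ /"(0|off|false|no)"|nodontzap/ { found = 1 }
        END { exit !found }
    ' "$1" 2>/dev/null
}

# Usage: audit_relogin KDMRC [XCONFIG]; returns 1 if AutoReLogin is enabled.
audit_relogin() {
    [ -r "$1" ] || { echo "cannot read kdmrc: $1" >&2; return 2; }
    hits=$(kdm_autorelogin "$1" | awk -F '\t' '$2 == "true" { print $1 }')
    if [ -z "$hits" ]; then
        echo "OK: AutoReLogin is not enabled in $1"; return 0
    fi
    echo "$hits" | sed 's/^/FAIL: AutoReLogin=true in section /'
    if x_dontzap_enabled "${2:-/etc/X11/XF86Config-4}"; then
        echo "NOTE: DontZap is set, but an X crash still triggers the re-login"
    else
        echo "NOTE: DontZap is not set, Ctrl-Alt-Backspace restarts X"
    fi
    return 1
}

if [ "$#" -gt 0 ]; then audit_relogin "$@"; fi
```
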