Bug#564079: Is this really a screensaver issue?
On 2010-01-26 17:31, Josselin Mouette wrote:
> On Tuesday 26 January 2010 at 16:19 +0100, Guido Günther wrote:
> > > True, but this one is trivial to exploit and is also fairly easy to
> > > prevent so
> > > why stick with it?
> > I can only agree here. procps should at least get a:
> >
> > sys.kernel.sysrq = 0
>
> It’s only a workaround, and it’s a bit too much to disable all SysRq
> since other SysRq combinations are not a security threat. However we
> could ship this in the gnome-screensaver/xscreensaver packages if there
> is no other solution. This would make the obvious and immediate security
> issue go away. Simultaneously, we can forward the issue upstream so that
> they can work on an appropriate X11 extension as suggested by Bastian.

Another solution could be to let the screensaver set /proc/self/oom_adj to
-17 to disable the possibility of this process being killed by the
oom-killer. (linux/Documentation/filesystems/proc.txt)

> > Safest would be to make the kernel default to off though (the user can
> > still reenable this via procps) since there's otherwise still a race
> > until /etc/init.d/procps starts.
>
> I don’t think this race condition is relevant. The only thing that can
> protect you from someone who has access to the console at boot time is
> to encrypt your data. The screensaver’s lock is here to prevent the data
> from being accessed without a reboot.
>
> Cheers,
> --
> .''`. Josselin Mouette
> : :' :
> `. `' “A handshake with witnesses is the same
> `- as a signed contact.” -- Jörg Schilling
>

Lars Olav Dybsjord
lar...@ping.uio.no

--
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
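The two mitigations the thread weighs, seen from a locker-style process: reading kernel.sysrq to tell whether SysRq-F can still reach the OOM killer, and the oom_adj = -17 self-exemption from Lars's reply. This is an added example, not code from the bug thread, xscreensaver or gnome-screensaver; it assumes a Linux /proc layout, and the oom_score_adj = -1000 path is an assumption that goes beyond the page as the newer equivalent of oom_adj = -17.

```c
/* Added example, not from the bug thread or either screensaver: detect whether
 * SysRq-F (manual OOM kill) is reachable and opt this process out of it. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* kernel.sysrq: 0 = off, 1 = everything, >1 = bitmask; 0x40 is "enable
 * signalling of processes (term, kill, oom-kill)", the group SysRq-F is in. */
#define SYSRQ_ENABLE_SIGNAL 0x40

/* Pure policy helper: does this kernel.sysrq value leave SysRq-F usable? */
int sysrq_allows_oom_kill(long mask)
{
    if (mask == 0) return 0;
    if (mask == 1) return 1;
    return (mask & SYSRQ_ENABLE_SIGNAL) != 0;
}

/* Write a string to a /proc file; 0 on success, -1 (errno set) on error. */
static int write_str(const char *path, const char *val)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    int ok = fputs(val, f) >= 0;
    if (fclose(f) != 0) ok = 0;   /* EACCES/EINVAL from /proc surface here */
    return ok ? 0 : -1;
}

/* Opt out of the OOM killer: oom_score_adj = -1000 is the newer interface
 * (assumption, beyond the thread), oom_adj = -17 the thread's suggestion.
 * Lowering either normally needs CAP_SYS_RESOURCE; an unprivileged locker
 * may get EACCES and must then treat itself as still killable. */
int disable_oom_kill_self(void)
{
    if (write_str("/proc/self/oom_score_adj", "-1000") == 0) return 0;
    return write_str("/proc/self/oom_adj", "-17");
}

int main(void)
{
    long mask;
    FILE *f = fopen("/proc/sys/kernel/sysrq", "r");
    if (f && fscanf(f, "%ld", &mask) == 1)
        printf("kernel.sysrq=%ld: SysRq-F OOM kill %s\n", mask,
               sysrq_allows_oom_kill(mask) ? "enabled" : "disabled");
    if (f) fclose(f);
    if (disable_oom_kill_self() != 0)
        fprintf(stderr, "could not disable OOM kill: %s\n", strerror(errno));
    return 0;
}
```

A failure from disable_oom_kill_self() is the important signal for a locker: it means the process is still a candidate for SysRq-F and the sysctl route (kernel.sysrq without bit 0x40) is the remaining defence.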
Bug#562884: xscreensaver can be killed with Alt+SysRq+F
On 2009-12-29 05:07, Nico Golde wrote:
> Hi,
> * Lars Olav Dybsjord [2009-12-28 21:23]:
> > I'm a bit new to this bug reporting stuff. I have however discovered that it
> > is possible to kill xscreensaver with Alt+SysRq+F (if this function is not
> > disabled). This may compromise security when xscreensaver-command is used
> > with the -lock option, because the screen will be unlocked.
> >
> > gnome-screensaver seems not to be vulnerable to this attack.

It seems I was wrong about this. gnome-screensaver is also vulnerable to this attack.

> This is not really an xscreensaver bug though I realize how much this sucks in
> practice. The problem is the kernel oomkiller is killing the process with the
> highest "rank" which is very likely to be xscreensaver if the screen is
> locked. Unless I miss something (please note that I am not too much into X11)
> there is no way to prevent it unless switching off the sysrq feature or
> reforking dead child processes.
>
> I am a bit unsure how to handle this, of course from a user perspective this
> needs to be solved. Cced the rest of the team to get some more input.
>
> Cheers
> Nico
> --
> Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
> For security reasons, all text in this mail is double-rot13 encrypted.
Bug#562884: xscreensaver can be killed with Alt+SysRq+F
Package: xscreensaver
Version: 4.24-5
Severity: grave
Tags: security
Justification: user security hole

Hi,

I'm a bit new to this bug reporting stuff. I have however discovered that it
is possible to kill xscreensaver with Alt+SysRq+F (if this function is not
disabled). This may compromise security when xscreensaver-command is used
with the -lock option, because the screen will be unlocked.

gnome-screensaver seems not to be vulnerable to this attack.