Terry Lambert wrote:

>"Eugene M. Kim" wrote:
>
>>Terry Lambert wrote:
>>
>>>>I'm new in FreeBSD. I found that after I lock screen with xscreensaver,
>>>>I can unlock it with the root's password as well as my normal user's
>>>>password. I don't think it is a good thing. Is it a bug?
>>>>
>>>It is intentional, although you can eliminate it with a recompile
>>>of the xscreensaver code, with the right options set.
>>>
>>Wouldn't this lead to another security hazard, if a user compiles his own
>>hacked xscreensaver which captures and stashes the password into a file
>>then runs it and leaves the terminal intentionally, `baiting' root? :o
>>
>
>Not really. This type of thing would need to accept pretty much
>everything as a termination password, since there is no password it
>can legitimately validate, since a user-compiled trojan like this
>would not have access to the password database contents in order
>to perform validation.
>
>If the trojan is SUID, then they already have root, and don't need
>the trojan.
>
>Either way, there's no risk to just typing whatever crap you want
>to at it, including a message calling the user an idiot, the first
>time, to see if it's going to let you in without you giving it the
>real root password.
>

Validating a root password is possible with other means in many cases, if not always. OpenSSH sshd is a good example. Even with PermitRootLogin set to no, the attacker can differentiate whether the password has been accepted or not.

If the attacker is able enough, he could also run a hacked version of Xnest on port 6000+N and the real xscreensaver on :N.0 for a suitable N. The attacker would feed the real xscreensaver with the captured password and see if the real xscreensaver releases the server grab.

Eugene

Received on Fri Nov 14 2003 - 13:08:31 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:37:29 UTC