Possible flaw in XFree?

From: William N. Zanatta (williamat_private)
Date: Thu Jun 27 2002 - 12:06:55 PDT

    Hi folks,
    
       Talking about some bad experiences with my friend, I discovered (he 
    told me) it is possible to abort an X session even when the screen is 
    locked by some kind of application like 'xlock'.
    
       I have made the following test:
    
       1. Logged into the system as 'william' (a normal non-privileged user).
       2. startx
       3. Run xlock
       ... the screen is now locked...
       4. Tried a hit on some keys. The password screen appears.
       5. Then, 'ctrl-alt-backspace' and voila... X is down and my console 
    is there, opened for me.
    
       I see this as a serious problem since one could leave his/her X session 
    open and locked and anyone who has access to that machine could abort 
    the X session and start playing around with the logged user's shell 
    (which could be the root shell).
    
       What about that?
    
       Tested on:
    -------------------------------------
    XFree86 Version 4.1.0 / X Window System
    (protocol Version 11, revision 0, vendor release 6510)
    Release Date: 2 June 2001
             If the server is older than 6-12 months, or if your card is
             newer than the above date, look for a newer version before
             reporting problems.  (See http://www.XFree86.Org/FAQ)
    Build Operating System: Linux 2.2.19 i686 [ELF]
    -------------------------------------
    
       Regards,
    
       William Zanatta
    
    -- 
    Perl combines all of the worst aspects of BASIC, C and line noise.
                     -- Keith Packard
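
The behaviour reported above is governed by the XFree86 4.x server flag `DontZap`, set in the `ServerFlags` section of XF86Config. The following check is an added example, not part of the original post: it tests whether a config file disables the Ctrl-Alt-Backspace server kill. The function name and the sample configs are constructed for illustration, and the check covers only the plain `Option "DontZap"` spelling.

```shell
#!/bin/sh
# Added example (not from the original post): audit an XF86Config-style file
# for the DontZap server flag.
# zap_disabled FILE -> exit 0 if Ctrl-Alt-Backspace is disabled, 1 otherwise.
zap_disabled() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        tolower($1) == "section" {
            insec = (tolower($2) == "\"serverflags\""); next
        }
        tolower($1) == "endsection" { insec = 0; next }
        # DontZap only counts inside the ServerFlags section
        insec && tolower($1) == "option" && tolower($2) == "\"dontzap\"" {
            v = tolower($3); gsub(/"/, "", v)
            # a bare option or a true boolean value turns the zap key off
            disabled = (v == "" || v == "on" || v == "true" || v == "yes" || v == "1")
        }
        END { exit disabled ? 0 : 1 }
    ' "$1"
}

# Constructed sample configs: one hardened, one with the option commented out.
dir=$(mktemp -d)
printf 'Section "ServerFlags"\n    Option "DontZap" "on"\nEndSection\n' > "$dir/hardened"
printf 'Section "ServerFlags"\n    # Option "DontZap"\nEndSection\n' > "$dir/default"

for f in "$dir/hardened" "$dir/default"; do
    if zap_disabled "$f"; then
        echo "$f: zap key disabled"
    else
        echo "$f: Ctrl-Alt-Backspace still kills the X server"
    fi
done
rm -rf "$dir"
```

Starting the session with `exec startx` also addresses the second half of the report: the login shell is replaced by the X session, so no shell is left on the console if the server exits.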
    


