On Thu, 27 Jun 2002, William N. Zanatta wrote:

> Hi folks,
>
> Talking about some bad experiences with my friend, I discovered (he
> told me) it is possible to abort an X session even when the screen is
> locked by some kind of application like 'xlock'.
>
> I have made the following test:
>
> 1. Logged into the system as 'william' (a normal non-privileged user).
> 2. startx
> 3. Run xlock
>    ... the screen is now locked...
> 4. Tried a hit on some keys. The password screen appears.
> 5. Then, 'ctrl-alt-backspace' and voila... X is down and my console
>    is there, opened for me.
>
> I see this as a serious problem once one could let his/her X session
> opened and locked and anyone who has access to that machine could abort
> the X session and start playing around with the logged user's shell
> (which could be the root shell).
>
> What about that?
>
> Tested on:
> -------------------------------------
> XFree86 Version 4.1.0 / X Window System
> (protocol Version 11, revision 0, vendor release 6510)
> Release Date: 2 June 2001
>     If the server is older than 6-12 months, or if your card is
>     newer than the above date, look for a newer version before
>     reporting problems. (See http://www.XFree86.Org/FAQ)
> Build Operating System: Linux 2.2.19 i686 [ELF]
> -------------------------------------
>
> Regards,
>
> William Zanatta
>
> --
> Perl combines all of the worst aspects of BASIC, C and line noise.
> -- Keith Packard
>
>

This 'flaw' can be easily disabled though via the XF86Config file. From the
XF86Config man page:

<snip>
Option "DontZap" "boolean"
    This disallows the use of the Ctrl+Alt+Backspace sequence. That
    sequence is normally used to terminate the X server. When this
    option is enabled, that key sequence has no special meaning and
    is passed to clients. Default: off.
</snip>

--
uidzer0
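An audit check for the setting quoted in the reply above, as an added example that is not part of the original thread: it reports whether an XF86Config file turns on DontZap in its ServerFlags section. The function name `dontzap_state` and the sample file are constructed here; the script assumes the usual XF86Config conventions (option names compared without case, spaces or underscores, a missing value meaning true, and the last matching line winning).

```shell
#!/bin/sh
# Added example: report whether an XF86Config file enables DontZap.
# Prints "enabled", "disabled" or "unset" (unset means the default, off,
# so Ctrl+Alt+Backspace still kills the X server behind a screen lock).
dontzap_state() {
    awk '
    BEGIN { state = "unset"; in_flags = 0 }
    { sub(/#.*/, "") }                       # drop comments
    {
        line = tolower($0)
        if (line ~ /^[ \t]*section[ \t]+"serverflags"/) { in_flags = 1; next }
        if (line ~ /^[ \t]*endsection/)                 { in_flags = 0; next }
        if (!in_flags || line !~ /^[ \t]*option[ \t]/)  next
        # Split on double quotes: q[2] is the option name, q[4] its value.
        n = split(line, q, "\"")
        name = q[2]
        gsub(/[ \t_]/, "", name)             # "Dont Zap" == "DontZap"
        if (name != "dontzap") next
        value = (n >= 4) ? q[4] : ""         # no value given means true
        if (value == "" || value ~ /^(1|on|true|yes)$/) state = "enabled"
        else if (value ~ /^(0|off|false|no)$/)          state = "disabled"
    }
    END { print state }
    ' "$1"
}

# Constructed sample config (not taken from a real system).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Section "ServerFlags"
    # Keep Ctrl+Alt+Backspace from terminating a locked session
    Option "DontZap" "on"
EndSection
EOF
echo "DontZap is $(dontzap_state "$sample")"
rm -f "$sample"
```

Anything other than "enabled" means the key sequence described in the original report still terminates the server.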
This archive was generated by hypermail 2b30 : Fri Jun 28 2002 - 12:11:10 PDT