FW: Possible flaw in XFree?

From: Andy Wood (network.designat_private)
Date: Sat Jun 29 2002 - 06:19:10 PDT


    	First, I do not believe there is a problem with switching
    consoles as each console is the user's responsibility, but if they secure
    their consoles and xwin and you can end around it with a default config
    there is a problem.  Microsoft got tore up about being able to
    ctrl-alt-del and end tasking the screen saver to avoid the password
    issue.  It is a serious security hole, and, because of that should not
    be the default configuration, even if it is fixable.  Someone only has
    to miss it on one system once and a security breach can occur.  Using a
    graphical (give me a break) manager is surely not an acceptable
    solution.
    
    	I hate MS and it makes me happy to hear them get slapped around
    when a ridiculous default config causes a major security hole. So, the
    same standard needs to be applied here...especially when you know who is
    watching and looking for anything to discredit a real OS to better
    leverage their sub-standard trash code.
    
    Andy
    
    
    -----Original Message-----
    From: strangeat_private [mailto:strangeat_private] 
    Sent: Friday, June 28, 2002 7:32 PM
    To: William N. Zanatta
    Cc: vuln-devat_private
    Subject: Re: Possible flaw in XFree?
    
    
    On Fri, Jun 28, 2002 at 02:34:01PM -0300, William N. Zanatta wrote:
    >    Firstly, thank you for the answers. But...
    > 
    >    You have explained how to start X without letting my console opened
    > and that Ctrl-Alt-Backspace is a feature. I already know that. The
    > problem I see is: once the X session is locked, it is supposed to LOCK
    > the system and don't let anyone just press Ctrl-Alt-Backspace and take
    > it down. Also it shouldn't let people switch to console by
    > Ctrl-Alt-Fx. If it can't have such behavior, using xlock and stuffs
    > like that isn't justified.
    > 
    >    Got it?? I'm not discussing on whether to run X by xdm, or by 
    > console, or even disabling 'DontZap'. I'm talking about one doing 
    > things when it shouldn't.
    
    Unix/Linux is a multiuser system. If a user had the ability to lock the
    system against anyone else, I would call that a bug.
    
    As it is, a user has the ability to lock its sessions. That's the
    purpose of xlock and likes.
    
    And if the same user or another user has the ability to switch to a new
    console and start its own X server or shell, I call that a multiuser
    system.
    
    So, as I see it, one is doing things as it should...
    
    Regards,
    Luciano Rocha
    



    This archive was generated by hypermail 2b30 : Sat Jun 29 2002 - 10:02:01 PDT