FW: Possible flaw in XFree?

From: Andy Wood (network.design@cox.net)
Date: 06/29/02


From: "Andy Wood" <network.design@cox.net>
To: <vuln-dev@securityfocus.com>
Date: Sat, 29 Jun 2002 09:19:10 -0400


        First, I do not believe there is a problem with switching
consoles, as each console is the user's responsibility, but if they secure
their consoles and X and you can end-run around it with a default config,
there is a problem. Microsoft got torn up about being able to
ctrl-alt-del and end-task the screen saver to avoid the password
issue. It is a serious security hole and, because of that, should not
be the default configuration, even if it is fixable. Someone only has
to miss it on one system once and a security breach can occur. Using a
graphical (give me a break) manager is surely not an acceptable
solution.

        I hate MS and it makes me happy to hear them get slapped around
when a ridiculous default config causes a major security hole. So, the
same standard needs to be applied here...especially when you know who is
watching and looking for anything to discredit a real OS to better
leverage their sub-standard trash code.

Andy

-----Original Message-----
From: strange@nsk.yi.org [mailto:strange@nsk.yi.org]
Sent: Friday, June 28, 2002 7:32 PM
To: William N. Zanatta
Cc: vuln-dev@securityfocus.com
Subject: Re: Possible flaw in XFree?

On Fri, Jun 28, 2002 at 02:34:01PM -0300, William N. Zanatta wrote:
> Firstly, thank you for the answers. But...
>
> You have explained how to start X without leaving my console open
> and that Ctrl-Alt-Backspace is a feature. I already know that. The
> problem I see is: once the X session is locked, it is supposed to LOCK
> the system and not let anyone just press Ctrl-Alt-Backspace and take
> it down. Also it shouldn't let people switch to console by
> Ctrl-Alt-Fx. If it can't have such behavior, using xlock and stuff
> like that isn't justified.
>
> Got it?? I'm not discussing whether to run X by xdm, or by
> console, or even disabling 'DontZap'. I'm talking about one doing
> things when it shouldn't.

Unix/Linux is a multiuser system. If a user had the ability to lock the
system against anyone else, I would call that a bug.

As it is, a user has the ability to lock their sessions. That's the
purpose of xlock and the like.

And if the same user or another user has the ability to switch to a new
console and start their own X server or shell, I call that a multiuser
system.

So, as I see it, one is doing things as it should...

Regards,
Luciano Rocha
