Re: FW: Possible flaw in XFree?

From: Michael Jennings (mej@kainx.org)
Date: 06/30/02


Date: Sat, 29 Jun 2002 18:21:38 -0400
From: Michael Jennings <mej@kainx.org>
To: vuln-dev@securityfocus.com

On Saturday, 29 June 2002, at 16:38:03 (-0700),
Nick Lange wrote:

> Which once again leads us back to a point that perhaps more people
> would agree with, the option should *not* be enabled by default
> precisely for the annoyance/information loss factor. First off, any
> user can kill off any other user's session (provided they have
> access to the hardware running the session) which can lead to
> potential data loss for any running applications. This could be
> done out of malice, etc.

If we're talking about Ctrl-Alt-Backspace killing an X session on
XFree86 started by startx or the like, then we're talking about an X
session running on the main console of a system. Given that fact,
said malicious user could just as easily power off the system. Or
unplug it. Or any number of other actions allowed by physical access
to a workstation/server.

This all gets back to the "security of a system to which an attacker
has physical access" thread that has been hashed out many times
before. I suggest dropping this silliness and consulting a mailing
list archive near you.

If a user starts X using startx and fails to employ the "exec"
technique mentioned earlier, this user should not walk away from
his/her terminal. If this user does so, this user is an idiot. The
Zap key sequence is a good feature, and the rest of us should not be
made to suffer on account of the idiocy of the few.

Michael

-- 
Michael Jennings (a.k.a. KainX)  http://www.kainx.org/  <mej@kainx.org>
n+1, Inc., http://www.nplus1.net/         Author, Eterm (www.eterm.org)
-----------------------------------------------------------------------
 "I have gotten into the habit of recording important meetings.  One
  never knows when an inconvenient truth will fall between the cracks
  and vanish."               -- Ambassador Londo Mollari, Babylon Five