Security Notice: I would like to notify everybody about a security issue that is created in the Fl_TeacherTool installation procedure.
A security vulnerability exists if you enabled Monitor/Control by following the instructions here:
http://www3.telus.net/public/robark/Fl_TeacherTool/installationk12ltsp.html#monitor
(instructions pasted below)

-----snip------
Edit the file /opt/ltsp/i386/etc/lts.conf and uncomment (i.e. remove the "#"):
X4_MODULE_02 = vnc
Become root:
su -
Make a password for the vnc-session:
/usr/bin/vncpasswd
Copy the password file into the ltsp-tree:
cp -a /root/.vnc /opt/ltsp/i386/root/
Log out of root session:
exit
Reboot your clients!
-----snip-------

Or (if you are running x11vnc on the client)

If you start x11vnc in /opt/ltsp/i386/etc/rc.local with a line like
x11vnc -display :6 -rfbauth /root/.vnc/passwd -forever -shared -loop &

Please be aware that anyone with some Linux knowledge could potentially take control of, or monitor, a client computer. If you do not feel comfortable with this situation, especially if the teacher workstation is a client machine, then follow the simple work around patch below.

******Work Around / Patch:******

Notice: this will disable monitor/control and snapshots in Fl_Teachertool.

Edit the file /opt/ltsp/i386/etc/lts.conf and *COMMENT* the vnc module line (i.e. INSERT a "#" at the beginning of the line):
# X4_MODULE_02 = vnc

OR (depending how you enabled the vnc server on the client)

Delete the x11vnc line in /opt/ltsp/i386/etc/rc.local

Reboot the client machines.

For good measure, delete your old vnc password files:
rm /opt/ltsp/i386/root/.vnc/passwd
rm /root/.vnc/passwd

--
Robert Arkiletian
Eric Hamber Secondary, Vancouver, Canada
Fl_TeacherTool http://www3.telus.net/public/robark/Fl_TeacherTool/
C++ GUI tutorial http://www3.telus.net/public/robark/
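
Added example, not part of the original notice or of Fl_TeacherTool: a shell check for the conditions the notice names (an active vnc module line in lts.conf, an x11vnc line in rc.local, and the two password files). The function names, the matching of any X4_MODULE_nn slot rather than only X4_MODULE_02, and the constructed sample tree are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original notice.
# audit_ltsp_vnc [LTSP_ROOT] [SERVER_ROOT_HOME]
# Prints one line per finding; return status = number of findings (0 = clean).
audit_ltsp_vnc() {
    ltsp_root="${1:-/opt/ltsp/i386}"
    root_home="${2:-/root}"
    findings=0
    conf="$ltsp_root/etc/lts.conf"
    rc="$ltsp_root/etc/rc.local"

    # Active (uncommented) vnc module line, e.g. "X4_MODULE_02 = vnc".
    # Matching any X4_MODULE_nn slot is an assumption beyond the notice.
    if [ -f "$conf" ] &&
       grep -Eq '^[[:space:]]*X4_MODULE_[0-9]+[[:space:]]*=[[:space:]]*vnc' "$conf"; then
        echo "FINDING: vnc module enabled in $conf"
        findings=$((findings + 1))
    fi

    # Active (uncommented) x11vnc start line in the client rc.local.
    if [ -f "$rc" ] && grep -v '^[[:space:]]*#' "$rc" | grep -q 'x11vnc'; then
        echo "FINDING: x11vnc started from $rc"
        findings=$((findings + 1))
    fi

    # Leftover VNC password files in the client tree and in root's home.
    for pw in "$ltsp_root/root/.vnc/passwd" "$root_home/.vnc/passwd"; do
        if [ -e "$pw" ]; then
            echo "FINDING: password file present: $pw"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# Build a constructed sample tree (not real data) holding the settings from
# the installation instructions, so the audit can be tried off the server.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/ltsp/etc" "$t/ltsp/root/.vnc" "$t/home/.vnc"
    printf '[Default]\n    X4_MODULE_02 = vnc\n' > "$t/ltsp/etc/lts.conf"
    printf '#!/bin/sh\nx11vnc -display :6 -rfbauth /root/.vnc/passwd -forever -shared -loop &\n' \
        > "$t/ltsp/etc/rc.local"
    : > "$t/ltsp/root/.vnc/passwd"
    : > "$t/home/.vnc/passwd"
    echo "$t"
}
```

Source the file and run audit_ltsp_vnc as root on the LTSP server; with no arguments it checks the paths named in the notice, and a return status of 0 means none of the conditions remain.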
