Bug#562884: xscreensaver can be killed with Alt+SysRq+F

2010-02-10 Thread Maximilian Gass
I think that generally disabling SysRq while xscreensaver is running is not a
good idea. It will prevent the use of other commands that might be useful if the
system is misbehaving.

I think that a setuid helper specifically for this task is the proper solution,
if it can be ensured that it can only be used for xscreensaver processes.



-- 
To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org



Bug#562884: xscreensaver can be killed with Alt+SysRq+F

2010-01-11 Thread Jose Luis Rivas
Hi,

I wrote to Jamie about this and he frankly doesn't know how to fix
this without doing it as root. I found that a binary helper with
SETUID may introduce a new security issue and honestly I don't have
the time right now to write the code to patch this bug.

I would like all the help that people could give me. I commit to
doing the tests and patching this issue. Remember that xscreensaver is
maintained under collab-maint with git so it's very easy to do any
patching and tests on the code.

Regards.
-- 
Jose Luis Rivas. San Cristóbal, Venezuela.
GPG 0xCACAB118 0x7C4DF50D
http://joseluisrivas.net/acerca - http://ghostbar.ath.cx/about




Bug#562884: xscreensaver can be killed with Alt+SysRq+F

2010-01-07 Thread Uli Martens
Hi,

just for the record, it IS possible to prevent a process from being killed by
the OOM-killer:

| 3.1 /proc/<pid>/oom_adj - Adjust the oom-killer score
| --
| 
| This file can be used to adjust the score used to select which processes
| should be killed in an out-of-memory situation. Giving it a high score will
| increase the likelihood of this process being killed by the oom-killer. Valid
| values are in the range -16 to +15, plus the special value -17, which disables
| oom-killing altogether for this process.
| [..]
(linux/Documentation/filesystems/proc.txt)

greetings,
youam / Uli





Bug#562884: xscreensaver can be killed with Alt+SysRq+F

2009-12-29 Thread Håvard Espeland
Hi,

echo 447 > /proc/sys/kernel/sysrq

works as a hotfix by disabling sysrq+f on affected machines. 

Note: Gnome screensaver is vulnerable as well.

-- 
Håvard Espeland

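An added example, not code from any of the mails in this thread: a small POSIX sh helper that decodes the kernel.sysrq bitmask Håvard's hotfix writes (447 is the all-functions value 511 with the 64 bit, "enable signalling of processes (term, kill, oom-kill)", cleared) and checks the oom_adj value Uli quotes from proc.txt. The bit meanings come from linux/Documentation/sysrq.txt; the check_locker_oom_exposure function and its use of pidof are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the bug reports): decode kernel.sysrq and check
# whether SysRq-F, which invokes the OOM killer and can take out a locked
# screen saver, is still reachable. Bit values per Documentation/sysrq.txt.

# Usage: sysrq_allows_oom_kill MASK ; prints yes or no.
# kernel.sysrq is 0 (all off), 1 (all on) or a bitmask; bit 64 is
# "enable signalling of processes (term, kill, oom-kill)".
sysrq_allows_oom_kill() {
    case "$1" in
        0) echo no ;;
        1) echo yes ;;
        *) if [ $(( $1 & 64 )) -ne 0 ]; then echo yes; else echo no; fi ;;
    esac
}

# Usage: sysrq_without_oom_kill MASK ; prints MASK with bit 64 cleared,
# treating 1 as "everything" (511). For 511 or 1 this yields 447, the
# hotfix value from the thread.
sysrq_without_oom_kill() {
    m=$1
    if [ "$m" -eq 1 ]; then m=511; fi
    echo $(( m & ~64 ))
}

# Usage: oom_adj_protects VALUE ; yes if a /proc/<pid>/oom_adj value makes
# the process immune to the OOM killer (-17, per the quoted proc.txt).
oom_adj_protects() {
    if [ "$1" -eq -17 ] 2>/dev/null; then echo yes; else echo no; fi
}

# Usage: check_locker_oom_exposure PROCNAME ; reads the live settings on a
# Linux host. Exit status 0 means SysRq-F cannot reach the locker.
check_locker_oom_exposure() {
    if [ ! -r /proc/sys/kernel/sysrq ]; then
        echo "no /proc/sys/kernel/sysrq here"; return 2
    fi
    mask=$(cat /proc/sys/kernel/sysrq)
    echo "kernel.sysrq=$mask SysRq-F reachable: $(sysrq_allows_oom_kill "$mask")"
    for pid in $(pidof "$1" 2>/dev/null); do
        adj=$(cat "/proc/$pid/oom_adj" 2>/dev/null || echo n/a)
        echo "pid $pid oom_adj=$adj protected: $(oom_adj_protects "$adj")"
    done
    [ "$(sysrq_allows_oom_kill "$mask")" = no ]
}
```

Run as `check_locker_oom_exposure xscreensaver` on a Linux host to see both settings at once; `sysrq_without_oom_kill "$(cat /proc/sys/kernel/sysrq)"` gives the value Håvard's hotfix would write for the current mask.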



Bug#562884: xscreensaver can be killed with Alt+SysRq+F

2009-12-29 Thread Lars Olav Dybsjord
On 2009-12-29 05:07, Nico Golde wrote:
> Hi,
> * Lars Olav Dybsjord  [2009-12-28 21:23]:
> > I'm a bit new to this bugreporting stuff. I have however discovered that it
> > is possible to kill xscreensaver with Alt+SysRq+F (if this function is not
> > disabled). This may compromise security when xscreensaver-command is used
> > with the -lock option, because the screen will be unlocked.
> > 
> > gnome-screensaver seems not to be vulnerable to this attack.

It seems I was wrong about this. gnome-screensaver is also vulnerable to
this attack.

> 
> This is not really an xscreensaver bug though I realize how much this sucks in 
> practice. The problem is the kernel oomkiller is killing the process with the 
> highest "rank" which is very likely to be xscreensaver if the screen is 
> locked. Unless I miss something (please note that I am not too much into X11) 
> there is no way to prevent it unless switching off the sysrq feature or 
> re-forking dead child processes.
> 
> I am a bit unsure how to handle this, of course from a user perspective this 
> needs to be solved. Cced the rest of the team to get some more input.
> 
> Cheers
> Nico
> -- 
> Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
> For security reasons, all text in this mail is double-rot13 encrypted.




Bug#562884: xscreensaver can be killed with Alt+SysRq+F

2009-12-28 Thread Nico Golde
Hi,
* Lars Olav Dybsjord  [2009-12-28 21:23]:
> I'm a bit new to this bugreporting stuff. I have however discovered that it
> is possible to kill xscreensaver with Alt+SysRq+F (if this function is not
> disabled). This may compromise security when xscreensaver-command is used
> with the -lock option, because the screen will be unlocked.
> 
> gnome-screensaver seems not to be vulnerable to this attack.

This is not really an xscreensaver bug though I realize how much this sucks in 
practice. The problem is the kernel oomkiller is killing the process with the 
highest "rank" which is very likely to be xscreensaver if the screen is 
locked. Unless I miss something (please note that I am not too much into X11) 
there is no way to prevent it unless switching off the sysrq feature or 
re-forking dead child processes.

I am a bit unsure how to handle this, of course from a user perspective this 
needs to be solved. Cced the rest of the team to get some more input.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0
For security reasons, all text in this mail is double-rot13 encrypted.

Bug#562884: xscreensaver can be killed with Alt+SysRq+F

2009-12-28 Thread Lars Olav Dybsjord
Package: xscreensaver
Version: 4.24-5
Severity: grave
Tags: security
Justification: user security hole

Hi,

I'm a bit new to this bugreporting stuff. I have however discovered that it
is possible to kill xscreensaver with Alt+SysRq+F (if this function is not
disabled). This may compromise security when xscreensaver-command is used
with the -lock option, because the screen will be unlocked.

gnome-screensaver seems not to be vulnerable to this attack.
