Bug#677418: gpm shares its clipboard among different users

2012-06-14 Thread Christoph Anton Mitterer
On Wed, 2012-06-13 at 16:56 -0500, Peter Samuelson wrote:
> Likewise, if you log out, your Linux console screen is still readable
> for the next user.  And even if you clear the screen before you log
> out, the next user can still hit Shift-Prior (aka Shift-PageUp) and see
> some of your work.
Well but
a) that's something one would clearly see; it's not hidden from the
user
b) therefore we have now per default a .bash_logout which resets the
screen.


> Who, in your opinion, should clear the scrollback buffer and the gpm
> clipboard?  .bash_logout?  getty?
As you say, scrollback buffer is usually cleared by .bash_logout and gpm
should simply have a clipboard per authenticated user that is cleared
when a user logs out of his last session, since even if it was kept _per
user_ (which is not the case currently) it would be somehow unclean if
it was still there on new logins after the user had logged out all
sessions.
Your X server also doesn't bring back your clipboard, when you re-login
as the same user.


Cheers,
Chris.




Bug#677418: gpm shares its clipboard among different users

2012-06-13 Thread Christoph Anton Mitterer
Package: gpm
Version: 1.20.4-6
Severity: grave
Tags: security upstream
Justification: user security hole


Hi.

Not sure whether no one has noticed this so far, but it seems to be worth
a CVE, IMHO.

As one can easily test, gpm uses one clip-board space for all users (including
root).
So if any of them marks anything sensitive, a following user can gather
this information.


Cheers,
Chris.



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#677418: gpm shares its clipboard among different users

2012-06-13 Thread Peter Samuelson

> As one can easily test, gpm uses one clip-board space for all users
> (including root).  So if any of them marks anything sensitive, a
> following user can gather this information.

Likewise, if you log out, your Linux console screen is still readable
for the next user.  And even if you clear the screen before you log
out, the next user can still hit Shift-Prior (aka Shift-PageUp) and see
some of your work.

Who, in your opinion, should clear the scrollback buffer and the gpm
clipboard?  .bash_logout?  getty?


