Your message dated Wed, 07 Apr 2010 12:03:39 +0100
with message-id <4bbc668b.9030...@debian.org>
and subject line Re: Bug#576796: xtrlock can be bypassed using TTY's
has caused the Debian Bug report #576796,
regarding xtrlock can be bypassed using TTY's
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
576796: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=576796
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: xtrlock
Version: 2.0-12
Severity: grave
Tags: security
Justification: user security hole
If one attempts to switch to a TTY while xtrlock is running, it allows the system to switch to
specified TTY where xtrlock can be easily killed with "killall xtrlock". I run ratpoison, and
executing xtrlock by normal means works fine, but ctrl+alt+FN changes to said TTY ratpoison was
launched from, ^z then "killall xtrlock" terminates xtrlock and switching back allows user
access, bypassing credentials.
-- System Information:
Debian Release: 5.0.4
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.33.1 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages xtrlock depends on:
ii libc6 2.7-18lenny2 GNU C Library: Shared libraries
ii libx11-6 2:1.1.5-2 X11 client-side library
xtrlock recommends no packages.
xtrlock suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Hi,
thims wrote:
Package: xtrlock
Version: 2.0-12
Severity: grave
Tags: security
Justification: user security hole
If one attempts to switch to a TTY while xtrlock is running, it allows the system to switch to
specified TTY where xtrlock can be easily killed with "killall xtrlock". I run ratpoison, and
executing xtrlock by normal means works fine, but ctrl+alt+FN changes to said TTY ratpoison was
launched from, ^z then "killall xtrlock" terminates xtrlock and switching back allows user
access, bypassing credentials.
I'm sorry, but this isn't a bug in xtrlock. Clearly, a user having
access to one of your shells can kill xtrlock (consider the case of you
leaving an ssh connection logged in elsewhere). There's no need to run
your wm from a TTY - you could just log in via xdm or gdm, for example,
and run ratpoison in .xsession.
Alternatively, use the DontVTSwitch option in xorg.conf (documented in
the man page), which will disable the option of switching out of X using
the Control-Alt-FN keystroke.
Regards,
Matthew
--- End Message ---
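The ServerFlags option Matthew points to, written out as an added illustration (this fragment is not part of the original bug thread; the section and option names are the ones documented in xorg.conf(5), the file location is assumed to be /etc/X11/xorg.conf as the reply says):

```conf
# /etc/X11/xorg.conf (assumed location, as referenced in the reply above)
# Added example: stop the X server from honouring Control-Alt-Fn so a
# locked X session cannot be left for a text console from the keyboard.
Section "ServerFlags"
    # "DontVTSwitch" disables the Control-Alt-Fn VT-switch keystroke.
    Option "DontVTSwitch" "true"
EndSection
```

Two caveats worth keeping in mind when applying this. First, it only removes the keyboard route out of X; as the reply notes, xtrlock is an ordinary X client, so anyone who already holds a shell on the machine (a forgotten ssh login, a tty you logged into earlier) can still run "killall xtrlock". The real fix is not to leave an unlocked shell behind the X session at all, which is why starting ratpoison from xdm or gdm via .xsession, rather than from a console login, is the recommended setup. Second, the option applies to every session on that server, so you also lose the ability to reach a console with Control-Alt-Fn when you legitimately want one; make sure you have another way in (ssh, or a second login) before relying on it.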