--- Tim Waugh <[EMAIL PROTECTED]> wrote:
> On Tue, Sep 04, 2001 at 12:31:13PM +1000, Andrew van der Stock wrote:
>
> > The mode of the .vnc directory should be 700, not 755. There is no reason to
> > create this directory as 755, as this allows any user to discover the user's
> > VNC password.
>
> Although the 'allows any user to discover the user's VNC password' bit
> is incorrect (see above), I agree that this directory ought to be more
> secure. That requires a change to the vncserver script as well.
>
The biggest problem I see is that the password script
can be easily deleted, then recreated... this would
allow an attacker to get access to the GUI desktop for
a while (although it would be obvious someone has been
in the system). They could thereby compromise the
network or, if the user that was cracked had enough
authority, they could create their own account and
replace the old password. This is way too easy!
=====
SI Reasoning
[EMAIL PROTECTED]
gnupg/pgp key id 035213BC
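
A check for the directory mode discussed in this thread, as an added example that is not part of the original messages or of the vncserver script. The function names are hypothetical, and the password file is assumed to be named `passwd` inside the directory.

```shell
#!/bin/sh
# Added example: audit and tighten a VNC state directory.
# Assumption: the password file is "passwd" inside that directory.

# Print the octal permission bits of a path (GNU stat, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Return 0 only if neither group nor other has any permission bit set.
owner_only() {
    m=$(mode_of "$1") || return 2
    # The last two octal digits are the group and other bits.
    case "$m" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Report each weak mode found; return 1 if any, 2 if the directory is missing.
vnc_dir_audit() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "missing: $dir"; return 2; }
    if ! owner_only "$dir"; then
        echo "WEAK dir  $(mode_of "$dir") $dir (want 700)"
        rc=1
    fi
    if [ -f "$dir/passwd" ] && ! owner_only "$dir/passwd"; then
        echo "WEAK file $(mode_of "$dir/passwd") $dir/passwd (want 600)"
        rc=1
    fi
    return $rc
}

# Apply mode 700 to the directory, as recommended in the thread,
# and 600 to the password file if it exists.
vnc_dir_harden() {
    chmod 700 "$1" || return 1
    [ ! -f "$1/passwd" ] || chmod 600 "$1/passwd"
}
```

Call `vnc_dir_audit "$HOME/.vnc"` to report, and `vnc_dir_harden "$HOME/.vnc"` to fix an existing directory; directories created later still depend on the vncserver script change mentioned above.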