[1491] in linux-security and linux-alert archive

home help back first fref pref prev next nref lref last post

[linux-security] Re: X-Windows security hole?

daemon@ATHENA.MIT.EDU (Rogier Wolff)
Tue Apr 1 02:30:06 1997

To: nykros@sol.info.unlp.edu.ar (Roman Garcia)
Date: Tue, 1 Apr 1997 09:01:06 +0200 (MET DST)
Cc: linux-security@redhat.com
In-Reply-To: <3.0.1.32.19970331190904.00690398@sol.info.unlp.edu.ar> from "Roman Garcia" at Mar 31, 97 07:09:04 pm
From: R.E.Wolff@BitWizard.nl (Rogier Wolff)
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com

Roman Garcia wrote:
> 
> Hi,

> Maybe I found a hole in the security on Linux running X-Windows.
> Supose that you logged as root. If you locks the screen (at least
> using openwindows+virtual desktop and xlock), anybody can press
> <Ctrl><Alt><Backspace>, that kills the xserver, giving the root
> prompt in the console. You can disable this in the XF86Config file,
> but anybody can press <Ctrl><Alt><Fn> and then <Ctrl><C> killing the
> xserver and giving the root prompt.

> How can disable <Ctrl><Alt>F_n>? Are there other ways to get root
> prompt?  How much secure is xlock?

> Thanks in advance. Roman Garcia.

There was talk about allowing a config option to disable console
switching on the XFree list. I don't rember wether that was added or
not, and what the option would be.

There are several ways to prevent the "root" access you describe.
You could use "xdm". That way nobody has to login on a VC to start
X. If you don't have enough memory to allow running xdm all the time,
you can type 
	exec startx
instead of the normal "startx". This should log you out as soon as 
the X server quits. 

					Roger.


home help back first fref pref prev next nref lref last post