[1804] in linux-security and linux-alert archive


[linux-security] Linux auto idle logout & vlock possible security problem

daemon@ATHENA.MIT.EDU (Czako Krisztian)
Sat May 30 03:04:17 1998

Date: Fri, 29 May 1998 20:32:06 +0200
From: Czako Krisztian <slapic@fido.hu>
To: linux-security@redhat.com
Resent-From: linux-security@redhat.com
Reply-To: linux-security@redhat.com


There's a possible security problem using auto idle logout programs and vt
lockers.
Try the following:
get the pid of your shell,
(sleep 10s ; kill -HUP <pid-of-your-shell>) &
vlock -a

After vlock -a, you can't change the virtual console on a Linux terminal.
But if you log in, start vlock -a, enter your password, you can change
vt...

The same happens when an auto idle logout program logs you off. The vlock
(maybe lockvt also) program doesn't terminate itself after a SIGHUP,
which is ok, but after this, anyone can log in, start vlock -a, enter
his/her password, and get full access to the console.

Possible solutions:
- don't use vlock/lockvt
- don't use auto idle logout program
- as root, never leave your terminal. Log off.
If you want to leave, use screen, detach it and log out.

Regards,
Slapic

-- 
PGP 0x96A9B35D / 37 93 43 2A 81 5C B3 0D  CD C4 94 F8 FA D4 AD C5
To get my key: mail slapic@orion.fido.hu -s "PGPKEY" < /dev/null


-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------
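
The condition described in the message above leaves a vlock (or lockvt)
process running after the shell that started it has been hung up. The
following is an added example, not part of the original post: a check that
flags such leftover lockers from `ps` and `who` output. The function name,
the sample listings and the reparent-to-PID-1 rule are assumptions made for
the illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Flags vlock/lockvt processes that outlived the login session that started them.
# Assumption: an orphaned process is reparented to PID 1 (no subreaper in between).

# Constructed sample of `ps -eo pid,ppid,tty,user,comm` output.
sample_ps() { cat <<'EOF'
  PID  PPID TT       USER     COMMAND
  412   398 tty1     bob      bash
  377     1 tty1     root     vlock
  520   505 tty2     alice    vlock
  731   640 tty3     carol    lockvt
EOF
}

# Constructed sample of `who` output.
sample_who() { cat <<'EOF'
bob      tty1     May 29 20:31
alice    tty2     May 29 19:02
EOF
}

# stdin: ps listing as above; $1: file holding `who` output.
# Prints one line per suspicious locker: "pid tty user command: reason".
find_stale_lockers() {
    awk -v whofile="$1" '
        BEGIN {   # map each tty to the user currently logged in on it
            while ((getline line < whofile) > 0) { split(line, f); session[f[2]] = f[1] }
        }
        $1 !~ /^[0-9]+$/ { next }                    # skip the ps header
        $5 != "vlock" && $5 != "lockvt" { next }     # only console lockers
        {
            reason = ""
            if ($2 == 1)                reason = "orphaned, parent shell is gone"
            else if (!($3 in session))  reason = "no login session on this tty"
            else if (session[$3] != $4) reason = "tty is now held by " session[$3]
            if (reason != "") printf "%s %s %s %s: %s\n", $1, $3, $4, $5, reason
        }
    '
}

# Demo on the constructed samples. For a live check use:
#   who > /tmp/who.txt; ps -eo pid,ppid,tty,user,comm | find_stale_lockers /tmp/who.txt
w=$(mktemp)
sample_who > "$w"
sample_ps | find_stale_lockers "$w"
rm -f "$w"
```

On the constructed input, PID 377 is reported because its parent is gone while
another user holds tty1, and PID 731 because nobody is logged in on tty3.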
