[634] in linux-security and linux-alert archive
Re: [linux-security] Security hole in xlock
daemon@ATHENA.MIT.EDU (Jeff Uphoff)
Mon Mar 11 19:57:36 1996
Date: Mon, 11 Mar 1996 18:29:06 -0500
From: Jeff Uphoff <juphoff@tarsier.cv.nrao.edu>
To: linux-security@tarsier.cv.nrao.edu
There have been several followups to this original message:
Robert Nichols <rnichols@interaccess.com> wrote:
> I don't know whether this is Linux-specific, but 'xlock' really should
> disable Ctrl-Alt-Backspace. If X is started from a login session, C-A-B
> allows anyone walking up to the keyboard to escape back to the invoking
> user's login shell unless that user had the foresight to use 'exec' when
> invoking X.
I am summarizing them in this one post rather than forwarding all of the
individual messages to the list:
(Several people also noted that you can use Ctrl+Alt+F<whatever> to
switch to another VC and then suspend or kill X to gain access to the
console user's login session.)
One method to use to address this problem is to run 'xdm' as an
init-level process (i.e. from /etc/inittab or from an rc script such as
/etc/rc.d/rc.local, or your distribution's equivalent). C-A-D is not
disabled in this case, but if someone uses it to blast out of 'xlock'
then they are greeted by an 'xdm' login screen and thus do not end up in
a user's console login session (since there is no such session).
Another method is to add a "DontZap" line to your X11 server
configuration file, effectively disabling the C-A-D key-sequence. This
is explained in the XF86Config(5) manpage:
    DontZap   This disallows the use of the Ctrl+Alt+Backspace
              sequence. This sequence allows you to terminate
              the X server. Setting DontZap allows this key
              sequence to be passed to clients.
Credits on this to:
Jon Lewis <jlewis@inorganic5.fdt.net>, VC switching.
Darin Fisher <darinf@pfm.net>, using xdm.
Michel LESPINASSE <walken@via.ecp.fr>, VC switching.
Gerald D. Anderson <gander@ns.vte.com>, using xdm.
Christian Huettermann <zrahu01@zdv.uni-tuebingen.de>, using DontZap.
Cy Schubert <cschuber@uumail.gov.bc.ca>, using DontZap.
Jean-Francois Patenaude <patch@gateway.sapience.ca>, VC switching.
Anthony C. Zboralski <frantic@worldnet.net>, using DontZap.
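The following is an added example, not part of the original post or of the XFree86 project, that shows the DontZap setting in context and a small audit check for it. It embeds two constructed XF86Config fragments in XFree86 3.x syntax (one with the keyboard zap still allowed, one with DontZap set in the "ServerFlags" section) and a POSIX sh/awk function that reports whether an uncommented DontZap line is present in that section. The RgbPath value and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): audit an XF86Config for the
# DontZap flag inside its "ServerFlags" section. Both config texts below are
# constructed samples in XFree86 3.x syntax; the RgbPath value is an assumption.

# Constructed sample: no DontZap, so Ctrl+Alt+Backspace still kills the server
# (the commented-out line does not count, exactly as the server ignores it).
WEAK_CONFIG='Section "Files"
    RgbPath "/usr/X11R6/lib/X11/rgb"
EndSection

Section "ServerFlags"
    # DontZap
EndSection
'

# Constructed sample: the same file with DontZap set, so the zap sequence is
# passed to clients instead of terminating the server.
HARDENED_CONFIG='Section "Files"
    RgbPath "/usr/X11R6/lib/X11/rgb"
EndSection

Section "ServerFlags"
    DontZap
EndSection
'

# dontzap_set CONFIG_TEXT
# Prints "yes" if an uncommented DontZap line appears between
# Section "ServerFlags" and its EndSection, "no" otherwise.
dontzap_set() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ { next }                                 # skip comment lines
        /^[[:space:]]*Section[[:space:]]+"ServerFlags"/ { inflags = 1; next }
        /^[[:space:]]*EndSection/ { inflags = 0; next }
        inflags && $1 == "DontZap" { found = 1 }                 # keyword on its own line
        END { print (found ? "yes" : "no") }
    '
}

# check_file PATH: run the same check against a real XF86Config on disk
# (the path is supplied by the caller; none is assumed here).
check_file() {
    dontzap_set "$(cat "$1")"
}

echo "weak sample:     DontZap set = $(dontzap_set "$WEAK_CONFIG")"
echo "hardened sample: DontZap set = $(dontzap_set "$HARDENED_CONFIG")"
```

The check deliberately looks only inside the ServerFlags section, since a DontZap keyword anywhere else is not honoured by the server; running `check_file /path/to/XF86Config` against the live configuration is a quick way to confirm the setting actually took effect after editing.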