[12385] in bugtraq


Re: Mac OS 9 Idle Lock Bug

daemon@ATHENA.MIT.EDU (gabriel rosenkoetter)
Mon Nov 1 16:02:32 1999

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <19991029165735.J17934@cs.swarthmore.edu>
Date:         Fri, 29 Oct 1999 16:57:35 -0400
Reply-To: gabriel rosenkoetter <gr@CS.SWARTHMORE.EDU>
From: gabriel rosenkoetter <gr@CS.SWARTHMORE.EDU>
X-To:         Sean Sosik-Hamor <ssh@SHN.NU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <113ADF99134FD31181F300A0D21C79870166FD@SCHLOSS-NET>; from
              sflothow@SCHLOSS-ONLINE.DE on Fri, Oct 29,
              1999 at 09:57:18AM +0200

On Fri, Oct 29, 1999 at 09:57:18AM +0200, Flothow, Sebastian wrote:
> so you can log out the current user and quit all apps without having to
> enter a password? i think this is the real security flaw, not apps which ask
> whether you want to save changes.

No, the dialogs still show up if you try to quit from that logout
screen, which means that you can click cancel in any of them, cancel the
logout process, and have access to the "locked" machine.

Having the logout button quit apps is no different than having a logout
button in xlock, and is a regular practice in any crowded lab. (The one
here doesn't show up for half an hour.) It's not fair for others to
occupy a machine they're not actually using in a lab.

I'll grant that Mac OS 9 is a little bit different in that if you have
some long running process you can't just ssh in and run it, but the only
kind of long-running process anybody could want to do on a mac is a
Photoshop filter (or similar).

This will be an incredible boon to people who run labs full of macs for
students at universities, provided Apple gets their act together so that
it isn't blatantly insecure (defeating the purpose of having a locking
procedure at all).

       ~ g r @cs.swarthmore.edu
