[6877] in bugtraq
Linux auto idle logout & vlock possible security problem
daemon@ATHENA.MIT.EDU (Czako Krisztian)
Sat May 30 17:17:33 1998
Date: Fri, 29 May 1998 11:29:38 +0200
Reply-To: Czako Krisztian <slapic@FIDO.HU>
From: Czako Krisztian <slapic@FIDO.HU>
To: BUGTRAQ@NETSPACE.ORG
There's a possible security problem using auto idle logout programs and vt
lockers.
Try the following:
get the pid of your shell,
(sleep 10s ; kill -HUP <pid-of-your-shell>) &
vlock -a
After vlock -a, you can't change the virtual console on a Linux terminal.
But if you log in, start vlock -a, and enter your password, you can change
vt...
The same happens when an auto idle logout program logs you off. The vlock
(maybe lockvt also) program doesn't terminate itself after a SIGHUP,
which is ok, but after this, anyone can log in, start vlock -a, enter
his/her password, and get full access to the console.
Possible solutions:
- don't use vlock/lockvt
- don't use auto idle logout program
- as root, never leave your terminal. log off.
if you want to leave, use screen, detach it and log out.
Regards,
Slapic
--
PGP 0x96A9B35D / 37 93 43 2A 81 5C B3 0D CD C4 94 F8 FA D4 AD C5
To get my key: mail slapic@orion.fido.hu -s "PGPKEY" < /dev/null
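
Added example, not part of the original post: a check an administrator could
run to spot the condition described above, a locker still running after the
shell that started it was hung up. The ps column set, the locker names
(vlock, lockvt) and the sample process table are assumptions made for
illustration.

```sh
#!/bin/sh
# Added example (not from the original post): flag console lockers that
# outlived the login session that started them.
# Assumed input: output of `ps -eo pid,ppid,sid,tty,comm` (procps).
# Assumed locker names: vlock, lockvt.

find_orphaned_lockers() {
    # Reads ps output on stdin; prints "pid tty comm" per suspect process.
    awk '
        $1 == "PID" || NF < 5 { next }       # skip header and short lines
        {
            n++
            pid[n] = $1; ppid[n] = $2; sid[n] = $3
            tty[n] = $4; comm[n] = $5
            alive[$1] = 1                    # every listed PID is alive
        }
        END {
            for (i = 1; i <= n; i++) {
                if (comm[i] != "vlock" && comm[i] != "lockvt") continue
                # Orphan: reparented to init, or its session leader exited.
                if (ppid[i] == 1 || !(sid[i] in alive))
                    print pid[i], tty[i], comm[i]
            }
        }
    '
}

# Constructed sample: the shell that started PID 377 received SIGHUP and
# exited, so 377 now hangs off init with a dead session leader (301).
SAMPLE_PS='  PID  PPID   SID TT       COMMAND
    1     0     1 ?        init
  412     1   412 tty1     bash
  430   412   412 tty1     vlock
  377     1   301 tty2     vlock
'

printf '%s' "$SAMPLE_PS" | find_orphaned_lockers    # prints: 377 tty2 vlock
# Live use: ps -eo pid,ppid,sid,tty,comm | find_orphaned_lockers
```

A locker reported here should be killed before the console is handed back to
getty, so that a later unlock cannot act on stale state.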