[6882] in bugtraq

Re: Linux auto idle logout & vlock possible security problem

daemon@ATHENA.MIT.EDU (Jim Dennis)
Mon Jun 1 14:26:56 1998

Date: 	Sun, 31 May 1998 01:18:47 -0700
Reply-To: Jim Dennis <jimd@STARSHINE.ORG>
From: Jim Dennis <jimd@STARSHINE.ORG>
X-To:         Czako Krisztian <slapic@FIDO.HU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <19980529112938.08548@orion> Message Apparently From Czako
              Krisztian <slapic@FIDO.HU> Dated Fri, 29 May 1998 11:29:38 +0200.

> There's a possible security problem using auto idle logout programs and vt
> lockers.
> Try the following:
> get the pid of your shell,
> (sleep 10s ; kill -HUP <pid-of-your-shell>) &
> vlock -a
>
> after vlock -a, you can't change the virtual console on a Linux terminal.
> But if you log in, start vlock -a, enter your password you can change
> vt...
>
> The same happens when an auto idle logout program logs you off. The vlock
> (maybe lockvt also)  program doesn't terminate itself after a SIGHUP,
> which is ok, but after this, anyone can log in, start vlock -a, enter
> his/her password, and get full access to the console.
>
> Possible solutions:
> - don't use vlock/lockvt
> - don't use auto idle logout program
> - as root, never leave your terminal. log off.
> if you want to leave, use screen, detach it and log out.

        Are there any known security issues with 'screen'?
        I personally suggest patching the sources to force
        it to put its socket (unix domain) in ~/tmp/.screen
        --- so users can make sure that the directory has
        appropriate permissions.


        Has anyone vetted the code?

--
Jim Dennis  (800) 938-4078              consulting@starshine.org
Proprietor, Starshine Technical Services:  http://www.starshine.org
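
The reply above suggests keeping screen's socket in ~/tmp/.screen so that users can check the directory's permissions. The following is an added example, not part of the original post and not code from screen, of what such a check could look like; the function names audit_socket_dir and ensure_socket_dir are hypothetical, and the demo runs in a constructed scratch directory standing in for the home directory.

```python
import os
import stat
import tempfile


def audit_socket_dir(path, uid=None):
    """Return a list of problems with a per-user socket directory (empty = OK)."""
    uid = os.getuid() if uid is None else uid
    try:
        st = os.lstat(path)  # lstat: never follow a symlink planted at the path
    except FileNotFoundError:
        return ["missing"]
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return ["not a directory"]
    problems = []
    if st.st_uid != uid:
        problems.append("wrong owner")
    if stat.S_IMODE(st.st_mode) & 0o077:  # any group/other permission bit set
        problems.append("group/other access")
    return problems


def ensure_socket_dir(path):
    """Create the directory as 0700, then refuse to use it unless it audits clean."""
    os.makedirs(path, mode=0o700, exist_ok=True)
    problems = audit_socket_dir(path)  # also catches a pre-existing loose directory
    if problems:
        raise PermissionError(f"{path}: {', '.join(problems)}")
    return path


def demo():
    """Constructed cases: a private dir, a world-readable dir, a symlink, a gap."""
    with tempfile.TemporaryDirectory() as home:
        good = ensure_socket_dir(os.path.join(home, "tmp", ".screen"))
        results = {"good": audit_socket_dir(good)}
        loose = os.path.join(home, "loose")
        os.mkdir(loose)
        os.chmod(loose, 0o755)  # explicit mode so the result ignores the umask
        results["loose"] = audit_socket_dir(loose)
        link = os.path.join(home, "link")
        os.symlink(good, link)
        results["link"] = audit_socket_dir(link)
        results["missing"] = audit_socket_dir(os.path.join(home, "nope"))
        return results
```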
