[8211] in bugtraq
Re: Annoying Solaris/CDE/NIS+ bug
daemon@ATHENA.MIT.EDU (Jeff Horwitz)
Wed Oct 14 15:17:21 1998
Date: Tue, 13 Oct 1998 13:59:58 -0400
Reply-To: Jeff Horwitz <jhorwitz@UMICH.EDU>
From: Jeff Horwitz <jhorwitz@UMICH.EDU>
X-To: dbell <dbell@BWAY.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Mon, 12 Oct 1998 19:37:21 EDT."
<Pine.LNX.3.96.981012191955.7917A-100000@ida.bway.net>
fyi, you can redefine CDE's LockDisplay action so it runs
/usr/openwin/bin/xlock instead of the broken CDE screenlock. just put
the following action into the file /etc/dt/appconfig/types/C/Xlock.dt and
restart your workspace manager.
ACTION LockDisplay
{
LABEL LockDisplay
TYPE COMMAND
EXEC_STRING /usr/X11R5/bin/xlock
WINDOW_TYPE NO_STDIO
DESCRIPTION The LockDisplay action locks the workstation.
}
------------------------------------------------------------------------
| Jeff Horwitz University of Michigan |
| jhorwitz@umich.edu Ann Arbor |
| http://www-personal.umich.edu/~jhorwitz ITD Login Service |
------------------------------------------------------------------------
On Mon, 12 Oct 1998 19:37:21 -0400, dbell <dbell@BWAY.NET> said:
> I didn't see this, or anything similar to it in the archives, but please
> forgive me if it's well known:
>
> If a Solaris 2.6 host is a NIS+ client, and any user other than root is
> running CDE at the console, CDE's screen locking feature does not work.
> Any random string is sufficient to unlock to console. Obviously, this is
> not a root-compromise-from-the-network sort of bug, but it can be a
> problem if your machine is located somewhere physically insecure
> (university labs, for example). I made Sun aware of this a month ago, and
> there seems to be a bug ID opened by someone else even farther back (bug
> id 4115685). This is not fixed in any current release (up through
> Hardware 5/98 w/current patches). I don't have older versions to test this
> on, but I can reproduce it running 2.6 on a variety of hardware (email me
> if you care).
>
> Workaround: use /usr/openwin/bin/xlock instead of CDE's screenlock, stop
> using NIS+, stop using CDE.
>
>
> --
> Daniel Bell
> Heuer's Law: Any feature is a bug unless it can be turned off.
>
