[2942] in Athena Bugs
aliasing 'logout'
daemon@ATHENA.MIT.EDU (who@ATHENA.MIT.EDU)
Mon Aug 21 04:07:39 1989
From: <who@ATHENA.MIT.EDU>
To: bugs@ATHENA.MIT.EDU
Date: Mon, 21 Aug 89 04:07:18 EDT
I personally feel (and I doubt I'm alone in this) that aliasing logout to a
script that can be terminated by ^C is
****A VERY BAD IDEA****
For those of you who don't know what I'm talking about, observe:
/usr/athena/lib/init/cshrc:
if ($?XSESSION) alias logout '/usr/athena/end_session && exit'
Now a user wants to leave. They used to be able to type logout (granted, it
was only in one window), get up and walk away, confident that they would be
logged out.
What happens now (assume the user has set skip_x_startup and skip_initial_xterm,
has a .startup.X, and calls from within it several xterms, none of which uses
the -ls option) is far worse by comparison. Now, typing logout runs
/usr/athena/end_session, a shell script which DOES NOT SECURE THE KEYBOARD. Not in 10
seconds, and (if the load is very high) not in 2 minutes. In other words,
a user can type 'logout' and walk away. Then all anyone has to do is hit
^C and he instantly has access to another user's account, K-tickets included.
****THIS IS A SERIOUS SECURITY ISSUE****
This can probably be fixed by making the first line of the script a keyboard lock.
If this can't be changed to meet users' expectations from the 'logout' command,
it should probably be unaliased. Please let me know what changes are implemented.
William Ober <who>
(s)Training and Documentation
E40-358 area
(usually)
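
The failure mode reported above, as an added example that is not part of the original message: in a `cleanup && exit` chain, an interrupted cleanup returns non-zero, so the `exit` step never runs and the shell stays open. It is written in POSIX sh rather than the csh of the alias; all function names are hypothetical, the cleanup bodies are constructed stand-ins for end_session, and ignoring SIGINT is an assumed mitigation shown for contrast, not the keyboard lock the report proposes.

```shell
#!/bin/sh
# Added illustration, not code from the report. Function names are hypothetical
# and the cleanup bodies are constructed stand-ins for end_session.

# Cleanup that leaves SIGINT at its default disposition, as the report describes.
# "kill -INT $$" simulates ^C arriving while the script is still running;
# the child dies from the signal, so its "exit 0" is never reached.
cleanup_interruptible() {
    sh -c 'kill -INT $$; exit 0'
}

# Cleanup whose first action is to ignore SIGINT (assumed mitigation).
# The same simulated ^C has no effect and the script finishes with status 0.
cleanup_sigint_ignored() {
    sh -c 'trap "" INT; kill -INT $$; exit 0'
}

# Models "alias logout 'cleanup && exit'": returns 0 only when the && chain
# would reach the exit step, i.e. when the cleanup command itself succeeded.
logout_completes() {
    "$1" && return 0
    return 1
}

for variant in cleanup_interruptible cleanup_sigint_ignored; do
    if logout_completes "$variant"; then
        echo "$variant: session ended"
    else
        echo "$variant: shell still open"
    fi
done
```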