Thread: An Easy But Serious Screensaver Security Problem In X.Org

  1. #11
    Join Date
    May 2008
    Location
    Serbia, Nis
    Posts
    12

    Yup, it works in Fedora 16!

  2. #12
    Join Date
    Jun 2010
    Location
    ฿ 16LDJ6Hrd1oN3nCoFL7BypHSEYL84ca1JR
    Posts
    1,052

    Quote Originally Posted by gururise
    Holy Crap!! I just tried this in ArchLinux with all the latest packages and it too is affected by this.
    It's already fixed btw.
    https://bugs.archlinux.org/index.php...&task_id=27993

  3. #13
    Join Date
    Feb 2008
    Location
    Linuxland
    Posts
    5,337

    Quote Originally Posted by Kano
    This bug is certainly not so good for marketing, it's not that you get a secure system when you just fix that. You just avoid the reboot - on reboot you can get to root rights with Linux using an unlocked bootloader (which is the default) and similar to any Mac system. For Win you usually need at least a cd/usb key to boot from. A screen lock only holds back the most harmless attackers.
    The bigger issue is having a browser open logged into somewhere. A reboot will not get you there, this will.

  4. #14
    Join Date
    Aug 2007
    Posts
    6,678

    Well it does not expose root rights until you have got a root terminal open all the time. But when you reboot with correct options you are root.

  5. #15
    Join Date
    Feb 2008
    Location
    Linuxland
    Posts
    5,337

    Again, having root on a system you may be able to cause less damage than with a logged in browser.

  6. #16
    Join Date
    Feb 2008
    Location
    Linuxland
    Posts
    5,337

    (not obviously counting APT where after getting root he will install a keylogger etc, but someone passing by when you go get something)

  7. #17
    Join Date
    Oct 2009
    Location
    .ca
    Posts
    406

    Quote Originally Posted by Kano
    Well it does not expose root rights until you have got a root terminal open all the time. But when you reboot with correct options you are root.
    Unless you have your disk encrypted, then when you reboot you're exactly nobody (sure, you can manipulate the kernel but let's not go there..).

    Btw also fixed in debian unstable now http://packages.qa.debian.org/x/xorg...9T101901Z.html

  8. #18
    Join Date
    Sep 2009
    Location
    Ivanovo, Russian Federation
    Posts
    5

    Quote Originally Posted by not.sure
    Unless you have your disk encrypted, then when you reboot you're exactly nobody (sure, you can manipulate the kernel but let's not go there..).
    You can also lock your BIOS and set a password for editing the bootloader's commands. Of course you should also lock your PC case. In addition to crypted storage this may be a little nervous for an attacker.

  9. #19
    Join Date
    Oct 2007
    Posts
    178

    Arch Linux, Gnome 3, xkeyboard-config version 2.4.1-2 (w/o the patch), Thinkpad W500 with a Swedish laptop. I have not been able to unlock the screen. What log file is supposedly printed to? Hmm, which is Keypad-Multiply on this keyboard?

  10. #20
    Join Date
    Aug 2007
    Posts
    6,678

    @mcdebugger

    Better: set a hd pw in the bios if possible. Even better: get a hd/ssd with integrated encryption. Even without that removing the hd and connecting to another pc will not allow immediate access to modify data. That could be done only by professionals.

    @korpenkraxar

    Most likely you need the fn key to get the blue *.
    Last edited by Kano; 01-19-2012 at 05:56 PM.
