Bugtraq mailing list archives
Re: Linux auto idle logout & vlock possible security problem
From: jimd () STARSHINE ORG (Jim Dennis)
Date: Sun, 31 May 1998 01:18:47 -0700
> There's a possible security problem using auto idle logout programs and
> vt lockers. Try the following: get the pid of your shell,
>
>     (sleep 10s ; kill -HUP <pid-of-your-shell>) &
>     vlock -a
>
> After vlock -a, you can't change the virtual console on a Linux terminal.
> But if you log in, start vlock -a, enter your password you can change vt...
> The same happens when an auto idle logout program logs you off.
>
> The vlock (maybe lockvt also) program doesn't terminate itself after a
> SIGHUP, which is ok, but after this, anyone can log in, start vlock -a,
> enter his/her password, and get full access to the console.
>
> Possible solutions:
> - don't use vlock/lockvt
> - don't use auto idle logout program
> - as root, never leave your terminal. log off. if you want to leave, use
>   screen, detach it and log out.
Are there any known security issues with 'screen'?

I personally suggest patching the sources to force it to put its socket (unix domain) in ~/tmp/.screen --- so users can make sure that the directory has appropriate permissions.

Has anyone vetted the code?

--
Jim Dennis (800) 938-4078 consulting () starshine org
Proprietor, Starshine Technical Services: http://www.starshine.org
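The reply's point about making sure the socket directory "has appropriate permissions" can be checked from the shell. The following is an added example, not part of the original message or of screen's source: the names `check_private_dir` and `mode_of` and the return codes are assumptions chosen for illustration, and the parent-directory check goes beyond what the message mentions. POSIX ACLs are not examined.

```shell
#!/bin/sh
# Added example (not from the original post or from screen's source).
# check_private_dir and its return codes are hypothetical, chosen here:
#   0 ok | 1 not a directory | 2 symlink | 3 not owned by caller
#   4 group/other bits set on the directory | 5 parent directory unsafe

mode_of() { ls -ld -- "$1" | cut -c1-10; }   # e.g. "drwx------"

check_private_dir() {
    dir=$1
    # A symlink could point the socket directory somewhere another user controls.
    [ -L "$dir" ] && return 2
    [ -d "$dir" ] || return 1
    [ -O "$dir" ] || return 3
    # No read, write or search permission for group or other.
    case $(mode_of "$dir") in
        d???------) ;;
        *) return 4 ;;
    esac
    # The parent must be ours and not group/other-writable; otherwise
    # another user could rename the directory and substitute their own.
    parent=$(dirname -- "$dir")
    [ -O "$parent" ] || return 5
    case $(mode_of "$parent") in
        d????-??-?) ;;
        *) return 5 ;;
    esac
    return 0
}

# Constructed demo: a 0700 directory passes, the same directory at 0755 fails.
demo=$(mktemp -d) && mkdir -m 700 "$demo/.screen"
check_private_dir "$demo/.screen" && echo "0700: ok"
chmod 755 "$demo/.screen"
check_private_dir "$demo/.screen" || echo "0755: rejected (code $?)"
rm -rf "$demo"
```

To audit a real session directory, call `check_private_dir "$HOME/tmp/.screen"` and inspect the exit status.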