Re: [SLUG] Screensaver trick - poor security

From: Paul M Foster (paulf@quillandmouse.com)
Date: Mon Jun 04 2001 - 18:32:44 EDT


On Mon, Jun 04, 2001 at 10:20:59AM -0400, Smitty wrote:

> There is a difference between running a screensaver with the
> configuration set with the desktop utility and accessing it via the
> command line with root privilege. The "server" in this case is the
> directory where the screensaver resides, as evidenced by the error
> message output when I attempted the screensaver trick. This is not an
> authorized access on my box. The security risk is very evident to me -
> an application is being accessed by unusual means. Something a cracker
> would attempt. Not allowed here, Paul.
> Smitty
>

<xscreensaver> -root doesn't mean you're accessing an X screensaver with
root privileges. It means you want the screensaver to run in the "root"
window of X. I don't know what error message you got, but a directory
isn't a server. And the only way someone could run an application by
"unusual means" (presuming they don't have physical access) is to gain
root access to your box. With adequate firewalling and routine security
updates of your packages, this is a negligible threat.

Obviously, you can set security however you like on your system. I just
fail to see the threat from a non-privileged user running a screensaver.
If you really want to lock down security on your X session though, I'd
suggest eliminating the possibility of running an xterm. That way, the
only programs a user can run in an X session are those presented in the
menu. (Of course, with some window managers, there is a key combination
that brings up an xterm without any desktop icon being present. And
nothing prevents the user from Ctrl-Alt-Fn-ing out to a console and
running some non-X program from there.)

Paul

>
> Paul M Foster wrote:
> >
> > On Sun, Jun 03, 2001 at 03:07:16PM -0400, Smitty wrote:
> >
> > > This only works if your security configuration is low. A user cannot
> > > connect to that server on my box. Anyone who can do that trick as a
> > > user should evaluate the consequences of their security set-up.
> > > Smitty
> > >
> > > >
> > > > P.S.
> > > > Thank you, Derek, for teaching me that cool screensaver/background trick.
> > > > For any of you that weren't there, open up a console window and type the
> > > > following:
> > > >
> > > > <path-to-screensaver> -root
> > > >
> >
> > What server? The X server? I don't understand why a non-privileged user
> > couldn't run a screensaver in their own X session. Nor what security
> > risk this is.
> >
> > Paul
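As an added example for this thread (not code from either poster), here are the two checks that settle the argument above: whether `-root` changes the privilege a screensaver hack runs with (it does not; it is an argument to the hack meaning "draw on the X root window"), and what in the hack directory actually could let a program run "by unusual means" gain privilege, namely a setuid/setgid bit or a world-writable file. The hack directory below is constructed in a temp dir with stand-in shell scripts; the real location (e.g. /usr/lib/xscreensaver on Debian) is an assumption, so pass your own directory to audit_hack_dir.

```shell
#!/bin/sh
# Added example, not from the original posts. Assumptions: the hacks are
# stand-in shell scripts built in a temp dir; on a real box point
# audit_hack_dir at the directory your distribution installs hacks into.

# Build a constructed hack directory: three tiny stand-in hacks, one of
# which is deliberately setuid and one deliberately world-writable.
make_sample_hack_dir() {
    d=$(mktemp -d) || return 1
    for name in helix xmatrix bsod; do
        cat > "$d/$name" <<'EOF'
#!/bin/sh
# Stand-in for an xscreensaver hack: -root means "draw on the root window",
# nothing about privilege; the hack reports the uid it actually runs as.
case "$1" in
    -root) target="root-window" ;;
    *)     target="own-window" ;;
esac
echo "uid=$(id -u) target=$target"
EOF
        chmod 755 "$d/$name"
    done
    chmod u+s "$d/xmatrix"    # constructed finding: setuid hack
    chmod o+w "$d/bsod"       # constructed finding: world-writable hack
    printf '%s\n' "$d"
}

# Run a hack with -root and print the uid it ran as. Compare with `id -u`:
# the flag selects a window, it does not select a user.
hack_uid() {
    sh "$1" -root | sed -n 's/^uid=\([0-9]*\) .*/\1/p'
}

# Print one line per real privilege problem in a hack directory:
# setuid/setgid bits (the hack would run as another user) and
# world-writable files (anyone could replace what gets run later).
audit_hack_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ -u "$f" ] && printf 'SETUID   %s\n' "$f"
        [ -g "$f" ] && printf 'SETGID   %s\n' "$f"
        # column 9 of `ls -l` output is the other-write bit
        if ls -ld "$f" | cut -c9 | grep -q w; then
            printf 'WRITABLE %s\n' "$f"
        fi
    done
    return 0
}

# Usage: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    dir=$(make_sample_hack_dir)
    echo "caller uid=$(id -u), hack with -root ran as uid=$(hack_uid "$dir/helix")"
    audit_hack_dir "$dir"
    rm -rf "$dir"
fi
```

On a real system run audit_hack_dir against the directory the screensaver hacks live in; an empty result means the only thing `-root` gives a user is a picture on the root window of their own X session, which is Paul's point. The checks use only POSIX `test -u`/`-g` and `ls -l`, so they run on any sh.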



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:51:37 EDT