Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Linux auto idle logout & vlock possible security problem
From: jimd () STARSHINE ORG (Jim Dennis)
Date: Sun, 31 May 1998 01:18:47 -0700

There's a possible security problem using auto idle logout programs and vt
Try the following:
get the pid of your shell,
(sleep 10s ; kill -HUP <pid-of-your-shell) &
vlock -a

after vlock -a, you can't change the virtual console on a Linux terminal.
But if you log in, start vlock -a, enter your password you can change

The same happens when an auto idle logout program logs you off. The vlock
(maybe lockvt also)  program doesn't terminate itself after a SIGHUP,
which is ok, but after this, anyone can log in, start vlock -a, enters
his/her password, and get full access to the console.

Possible solutions:
- don't use vlock/lockvt
- don't use auto idle logout program
- as root, never leave your terminal. log off.
if you want to leave, use screen, detach it and log out.

        Are there any known security issues with 'screen'?
        I personally suggest patching the sources to force
        it to put its socket (unix domain) in ~/tmp/.screen
        --- so users can make sure that the directory has
        appropriate permissions.

        Has anyone vette'd the code?

Jim Dennis  (800) 938-4078              consulting () starshine org
Proprietor, Starshine Technical Services:  http://www.starshine.org

  By Date           By Thread  

Current thread:
  • Re: Linux auto idle logout & vlock possible security problem Jim Dennis (May 31)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]