Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Annoying Solaris/CDE/NIS+ bug
From: jhorwitz () UMICH EDU (Jeff Horwitz)
Date: Tue, 13 Oct 1998 13:59:58 -0400

fyi, you can redefine CDE's LockDisplay action so it runs
/usr/openwin/bin/xlock instead of the broken CDE screenlock.  just put
the following action into the file /etc/dt/appconfig/types/C/Xlock.dt and
restart your workspace manager.

ACTION LockDisplay
        LABEL   LockDisplay
        TYPE    COMMAND
        EXEC_STRING     /usr/X11R5/bin/xlock
        DESCRIPTION     The LockDisplay action locks the workstation.

| Jeff Horwitz                                  University of Michigan |
| jhorwitz () umich edu                                         Ann Arbor |
| http://www-personal.umich.edu/~jhorwitz            ITD Login Service |

On Mon, 12 Oct 1998 19:37:21 -0400, dbell <dbell () BWAY NET>  said:

I didn't see this, or anything similar to it in the archives, but please
forgive me if it's well known:

If a Solaris 2.6 host is a NIS+ client, and any user other than root is
running CDE at the console, CDE's screen locking feature does not work.
Any random string is sufficient to unlock to console. Obviously, this is
not a root-compromise-from-the-network sort of bug, but it can be a
problem if your machine is located somewhere physically insecure
(university labs, for example). I made Sun aware of this a month ago, and
there seems to be a bug ID opened by someone else even farther back (bug
id 4115685).  This is not fixed in any current release (up through
Hardware 5/98 w/current patches). I don't have older versions to test this
on, but I can reproduce it running 2.6 on a variety of hardware (email me
if you care).

Workaround: use /usr/openwin/bin/xlock instead of CDE's screenlock, stop
using NIS+, stop using CDE.

Daniel Bell
Heuer's Law: Any feature is a bug unless it can be turned off.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]