Home page logo

bugtraq logo Bugtraq mailing list archives

Re: vlock vulnerability in RedHat 7.0
From: Luca Berra <bluca () comedia it>
Date: Wed, 8 Nov 2000 21:46:14 +0100

On Wed, Nov 08, 2000 at 09:53:24AM -0500, Jon Lewis wrote:
Contrary to the prompt and the man page, the root password will not unlock
this VC.  The user's password, entered at either of the (jlewis|root)'s
Password: prompts will unlock the VC.  I've tested this on Red Hat 6.2 and
It's a feature!

This is due to PAM, all this type of programs (xlock is another)
are not setuid, the pam libraries invoke a suid helper /sbin/pwdb_chkpwd
that checks the password only for the user that is invoking it.
so no more root unlocking display.
(this is not an issue if root can remotely login to the machine and
kill the lock process)


Luca Berra -- bluca () comedia it
    Communication Media & Services S.r.l.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]