Vulnerability Development: Re: vlock bug ? (fwd)

Re: vlock bug ? (fwd)

From: Savochkin Andrey Vladimirovich <saw_at_MSU.RU>
Date: Sat, 20 Nov 1999 12:20:29 +0300

Hi,

On Thu, Nov 18, 1999 at 01:48:39PM +0100, m4rcyS wrote:
> >Plz take a look at this:
> >
> >[marcys_at_pentium marcys]$ vlock
> >This TTY is now locked.
> >Use Alt-function keys to switch to other virtual consoles.
> >Please enter the password to unlock.
> >marcys's Password: [invalid passwd typed here]
> >root's Password: [valid MARCYS's passwd typed]
> >[marcys_at_pentium marcys]$
> >
> >Shouldn't vlock accept root's passwd except marcys's passwd?

If your vlock isn't setuid-root and uses PAM (which in turn uses a special
setuid-root binary helper to check passwords) then vlock works as expected.
The TTY may be unlocked only by the user's password, independently of what vlock
prints.

The reason for this behaviour is that the helper password check program only
allows unprivileged users to verify their own passwords. Allowing them to
verify root's password opens a possibility for a brute-force attack.
In this scheme vlock is just an ordinary application invoked by the user and
doesn't have any special privileges.

So the proper fix for the problem is a fix of vlock's prompts to
reflect what it's really doing.
You may also wish to make vlock setuid-root but I don't recommend doing so.

Best regards
                                        Andrey V.
                                        Savochkin
Received on Nov 20 1999
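
The policy described in the message above, as an added example that is not part of the original post and is not vlock or PAM code: an unprivileged caller may verify only its own password, so a locker should print "root's Password:" only when the check can actually be made. The function names, uid 1000 and the alternating-prompt logic are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Helper policy as described in the post (hypothetical function name):
 * an unprivileged caller may verify only its own password; uid 0 may
 * verify any account. Refusing other targets is what stops a local user
 * from using the setuid-root helper to brute-force root's password. */
static int helper_allows(uid_t caller_uid, uid_t target_uid)
{
    return caller_uid == 0 || caller_uid == target_uid;
}

/* Hypothetical prompt selection for a screen locker.
 * checker_uid: uid the password check runs with (assumed 0 when the
 *              locker is setuid-root, otherwise the invoking user).
 * After an odd number of failures the locker falls back to root's
 * prompt, but only if root's password could really be verified.
 * Writes the prompt to buf; returns the uid that will be checked. */
static uid_t next_prompt(uid_t checker_uid, uid_t user_uid,
                         const char *user_name, unsigned failed_attempts,
                         char *buf, size_t len)
{
    int ask_root = (failed_attempts % 2 == 1) && user_uid != 0
                   && helper_allows(checker_uid, 0);
    snprintf(buf, len, "%s's Password: ", ask_root ? "root" : user_name);
    return ask_root ? 0 : user_uid;
}

int main(void)
{
    char buf[64];
    /* Constructed sample: user "marcys" with uid 1000, one failed attempt. */
    next_prompt(1000, 1000, "marcys", 1, buf, sizeof buf);
    printf("not setuid-root: %s\n", buf);   /* still asks for marcys */
    next_prompt(0, 1000, "marcys", 1, buf, sizeof buf);
    printf("setuid-root:     %s\n", buf);   /* root prompt is honest here */
    return 0;
}
```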
