Bug 21744

Summary: nis and screen locking problems
Product: [Retired] Red Hat Linux
Reporter: David G. Richardson <david_g_richardson>
Component: xscreensaver
Assignee: Bill Nottingham <notting>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: 7.0
CC: rvokal
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2000-12-05 15:21:40 UTC

Description David G. Richardson 2000-12-05 15:21:37 UTC
When an NIS password is changed for a user that is currently logged into X
and using xscreensaver with a password required, they can use their new 
password and old password to unlock the screen until they log out and back 
in again (at which point they can only use the new password to unlock the 
screen).

I tried logging in from a console and through telnet with the old password
once I noticed this, and was unable to.  So it looks like the problem is
with xscreensaver caching the password someplace.  Could this possibly
allow a local process to retrieve a user's password from any locked
displays?  This kind of seems like the motivation for not allowing the
root password to unlock the display anymore (you could do it in Red Hat
6.2, but not in 7.0).

Comment 1 Bill Nottingham 2000-12-05 15:54:36 UTC
It caches the crypted string in NIS, IIRC. This would only be accessible
by processes run by the same users that run xscreensaver, who can get
that string anyways.