Bug 21744 - nis and screen locking problems
Summary: nis and screen locking problems
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: xscreensaver   
(Show other bugs)
Version: 7.0
Hardware: i386
OS: Linux
low
low
Target Milestone: ---
Assignee: Bill Nottingham
QA Contact:
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2000-12-05 15:21 UTC by David G. Richardson
Modified: 2014-03-17 02:17 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-12-05 15:21:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description David G. Richardson 2000-12-05 15:21:37 UTC 
When an nis password is changed for a user that is currently logged into X 
and using xscreensaver with a password required, they can use their new 
password and old password to unlock the screen until they log out and back 
in again (at which point they can only use the new password to unlock the 
screen).

I tired logging in from a console and through telnet with the old password 
once I noticed this, and was unable to.  So it looks like the problem is 
with xscreensaver caching the password someplace.  Could this possiblely 
allow a local process to retreive a user's password from any locked 
displays?  This kind of seems like the motivation for not allowing the 
root password to unlock the display anymore (you could do it in redhat 
6.2, but not in 7.0)
Comment 1 Bill Nottingham 2000-12-05 15:54:36 UTC 
It caches the crypted string in NIS, IIRC. This would only be accessible
by processes run by the same users that run xscreensaver, who can get
that string anyways.
Note You need to log in before you can comment on or make changes to this bug.