Bug 78597 - xscreensaver lock can be bypassed by ctrl-alt-backspace
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: redhat-config-xfree86
Version: 8.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Brent Fox
Reported: 2002-11-26 05:06 UTC by Wagner T. Correa
Modified: 2008-05-01 15:38 UTC (History)
Doc Type: Bug Fix
Last Closed: 2002-12-23 07:26:35 UTC

Description Wagner T. Correa 2002-11-26 05:06:41 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
Locking the screen with xscreensaver is unsafe, because anybody can hit
ctrl-alt-backspace, killing the X server and falling right into my account's
shell prompt.

Version-Release number of selected component (if applicable):
xscreensaver-4.05-6

How reproducible:
Always

Steps to Reproduce:
1. login (in text mode)
2. startx
3. lock the screen
4. press ctrl-alt-backspace


Actual Results:  The X server will die, and you will be back to your shell prompt.


Expected Results:  xscreensaver should ignore ctrl-alt-backspace.


Additional info:

Comment 1 Bill Nottingham 2002-11-26 05:16:28 UTC

*** This bug has been marked as a duplicate of 26933 ***

Comment 2 Wagner T. Correa 2002-11-27 02:25:53 UTC
There is a simple solution to the problem.  Just add this to /etc/X11/XF86Config:

Section "ServerFlags"
        Option "DontZap"  "true"
EndSection


Comment 3 Michael Lee Yohe 2002-11-27 05:58:23 UTC
Is it impossible to set the system up in init 5 so that killing an X session
will just spawn another X session?  I think wtcorrea.edu's solution
is a viable one for those who simply want to start in init 3, and probably
should be added to the documentation if it is not already there (or possibly the
X configuration application).

Comment 4 Wagner T. Correa 2002-11-28 20:48:24 UTC
The solution I suggested doesn't really solve the problem.  A malicious person
can still press ctrl-alt-F1 to get to the console where I typed startx, and then
hit ctrl-C, killing the X server and getting access to my shell prompt.

Comment 5 Bill Nottingham 2002-12-02 18:44:25 UTC
That would be a configuration issue, not a screensaver issue.

Comment 6 Brent Fox 2002-12-23 07:26:35 UTC
wtcorrea, I agree that your original suggestion doesn't really solve the
problem.  In fact, I would argue that the X screensaver isn't really a viable
way to secure your system.  

I would suggest one of two things:
1)  As Mr. Yohe points out, you can make sure that the machine boots into
runlevel 5.  That way, if they ctrl-alt-backspace, it just restarts X and
returns to the login screen (gdm).  If they hit alt-F1, it takes them to the
console login screen.
2)  If you must boot the machine in runlevel 3, then make sure to close X and
log out of the machine when you are not at the machine.

I don't think there's much else from a configuration standpoint I can do to
help.  Besides, if other people have physical access to your machine then you
are already in trouble.  All it takes is someone to press the reset button and
boot into single user mode.  Then they can do anything they want to.  Resolving
as 'notabug'.
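
An added example, not part of the original bug thread: a Python check for the three settings raised in comments 2, 4 and 6 (DontZap, console switching, default runlevel). The sample config and inittab text are constructed, the function names are hypothetical, and `DontVTSwitch` is the XFree86 ServerFlags option that disables Ctrl+Alt+Fn switching; it is not mentioned in the thread.

```python
import re

# Constructed sample inputs for the demo, not taken from the reporter's machine.
SAMPLE_XF86CONFIG = '''
Section "ServerFlags"
        Option "DontZap"  "true"
EndSection
'''
SAMPLE_INITTAB = "id:3:initdefault:\n"

TRUE_VALUES = {"", "1", "on", "true", "yes"}  # an Option with no value means enabled

def server_flags(config_text):
    """Map each Option in Section "ServerFlags" to a bool (simplified parser)."""
    flags, in_section = {}, False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if re.match(r'section\s+"serverflags"', line, re.I):
            in_section = True
        elif re.match(r'endsection\b', line, re.I):
            in_section = False
        elif in_section:
            m = re.match(r'option\s+"([^"]+)"(?:\s+"([^"]*)")?', line, re.I)
            if m:
                # Option names are case-insensitive; spaces and underscores are ignored.
                name = re.sub(r'[\s_]', '', m.group(1)).lower()
                flags[name] = (m.group(2) or "").strip().lower() in TRUE_VALUES
    return flags

def default_runlevel(inittab_text):
    """Return the SysV default runlevel from inittab text, or None if absent."""
    m = re.search(r'^id:(\d):initdefault:', inittab_text, re.M)
    return int(m.group(1)) if m else None

def audit(config_text, inittab_text):
    """Return a list of findings; an empty list means all three checks passed."""
    flags, findings = server_flags(config_text), []
    if not flags.get("dontzap"):
        findings.append("DontZap not set: Ctrl+Alt+Backspace kills the X server")
    if not flags.get("dontvtswitch"):
        findings.append("DontVTSwitch not set: Ctrl+Alt+Fn reaches the text console")
    if default_runlevel(inittab_text) != 5:
        findings.append("default runlevel is not 5: X started with startx exits to a shell")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_XF86CONFIG, SAMPLE_INITTAB):
        print("FINDING:", finding)
```

Passing all three checks only covers the keyboard paths raised in the thread; comment 6's point about physical access (reset button, single user mode) is outside what this checks.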


