Re: Annoying Solaris/CDE/NIS+ bug
Jeff Horwitz (jhorwitz@UMICH.EDU) Tue, 13 Oct 1998 13:59:58 -0400
- In reply to: dbell: "Annoying Solaris/CDE/NIS+ bug"
fyi, you can redefine CDE's LockDisplay action so it runs
/usr/openwin/bin/xlock instead of the broken CDE screenlock. just put
the following action into the file /etc/dt/appconfig/types/C/Xlock.dt and
restart your workspace manager.
# Override CDE's LockDisplay action so it runs xlock
ACTION LockDisplay
{
    LABEL         LockDisplay
    TYPE          COMMAND
    EXEC_STRING   /usr/openwin/bin/xlock
    WINDOW_TYPE   NO_STDIO
    DESCRIPTION   The LockDisplay action locks the workstation.
}
------------------------------------------------------------------------
| Jeff Horwitz University of Michigan |
| jhorwitz@umich.edu Ann Arbor |
| http://www-personal.umich.edu/~jhorwitz ITD Login Service |
------------------------------------------------------------------------
On Mon, 12 Oct 1998 19:37:21 -0400, dbell <dbell@BWAY.NET> said:
> I didn't see this, or anything similar to it in the archives, but please
> forgive me if it's well known:
>
> If a Solaris 2.6 host is a NIS+ client, and any user other than root is
> running CDE at the console, CDE's screen locking feature does not work.
> Any random string is sufficient to unlock the console. Obviously, this is
> not a root-compromise-from-the-network sort of bug, but it can be a
> problem if your machine is located somewhere physically insecure
> (university labs, for example). I made Sun aware of this a month ago, and
> there seems to be a bug ID opened by someone else even farther back (bug
> id 4115685). This is not fixed in any current release (up through
> Hardware 5/98 w/current patches). I don't have older versions to test this
> on, but I can reproduce it running 2.6 on a variety of hardware (email me
> if you care).
>
> Workaround: use /usr/openwin/bin/xlock instead of CDE's screenlock, stop
> using NIS+, stop using CDE.
>
>
> --
> Daniel Bell
> Heuer's Law: Any feature is a bug unless it can be turned off.
>
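
Added example, not part of either message above: a shell check that an action file really overrides LockDisplay with an absolute, executable lock command, useful for confirming the workaround on each lab machine. The function names and the status strings are hypothetical, and the sample action file is constructed.

```shell
#!/bin/sh
# Added example (not from the post): audit a CDE action file for the
# LockDisplay override. Function names are hypothetical.

# Print the command named by EXEC_STRING inside "ACTION LockDisplay" in file $1.
lockdisplay_exec() {
    awk '
        $1 ~ /^#/        { next }                       # comment line
        $1 == "ACTION"   { in_act = ($2 == "LockDisplay"); next }
        in_act && $1 == "}"           { in_act = 0; next }
        in_act && $1 == "EXEC_STRING" { print $2; exit }
    ' "$1"
}

# Return 0 only when file $1 overrides LockDisplay with an absolute,
# executable command; print one status line either way.
check_lockdisplay() {
    [ -r "$1" ] || { echo "MISSING: $1"; return 2; }
    cmd=$(lockdisplay_exec "$1")
    [ -n "$cmd" ] || { echo "NO-OVERRIDE: no LockDisplay EXEC_STRING in $1"; return 1; }
    case $cmd in
        /*) ;;
        *)  echo "RELATIVE: '$cmd' would be resolved through PATH"; return 1 ;;
    esac
    [ -x "$cmd" ] || { echo "NOT-EXECUTABLE: $cmd"; return 1; }
    echo "OK: LockDisplay runs $cmd"
}

# Write a constructed sample action file to $1 with lock command $2.
write_sample_dt() {
    cat > "$1" <<EOF
# constructed sample, same layout as the action in the post
ACTION LockDisplay
{
    LABEL       LockDisplay
    TYPE        COMMAND
    EXEC_STRING $2
    WINDOW_TYPE NO_STDIO
}
EOF
}

# Usage: sh check_lock.sh /etc/dt/appconfig/types/C/Xlock.dt
if [ $# -gt 0 ]; then check_lockdisplay "$1"; fi
```

A non-zero exit means the override is absent, uses a relative command name, or names a binary that is not installed at that path on the machine being checked.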