Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1998_4

Bugtraq archives for 4th quarter (Oct-Dec) 1998: Re: Annoying Solaris/CDE/NIS+ bug

Re: Annoying Solaris/CDE/NIS+ bug

Allen Myers - Verio Consulting Group (myersVERIO.NET)
Wed, 14 Oct 1998 13:43:45 -0700

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Kevin Way: "Re: [NTSEC] By-passing MS Proxy 2.0 and others packet filtering"
Previous message: Kragen: "Re: Possible DoS in rsh"

]       [On Oct 13, Frank Cusack wrote:]
]        Subject: Re: Annoying Solaris/CDE/NIS+ bug
] dbell <dbellBWAY.NET> writes:
]
] > I didn't see this, or anything similar to it in the archives, but please
] > forgive me if it's well known:
] >
] > If a Solaris 2.6 host is a NIS+ client, and any user other than root is
] > running CDE at the console, CDE's screen locking feature does not work.
] > Any random string is sufficient to unlock to console. Obviously, this is
]
] The bug has nothing to do with NIS+. The CDE screenlocker (dtsession)
] accepts either the user's password or the root password to unlock
] the screen.

Not true. I've seen this at several sites (and root's password was
_definitely_ not empty). Here's the first paragraph from Sun's bug
report...

------------------------ 8< ------------------------------------------
Bug Id: 4115685
Category: cde
Subcategory: screenlock
State: integrated
Synopsis: CDE screen lock not working properly for nis+ users
Description:
login in as a nis+ user, using lock from CDE front panel, screen locks
but at the prompt any password, even no password unlocks the screen.
root user doesn't have this problem.  Xlock doesnot have this problem.
multiple machines have the same problem.  all the recommended patches
are installed, problem happens even for newly defined users.
------------------------ 8< ------------------------------------------

]
] When root doesn't have a password, it accepts anything. A bug? hardly.
] Install a root password.

see above ...

]
] [...]
]
] --
] Frank Cusack       + Today's Haiku   No keyboard present
] Icon CMT Corp.     + error message:  Hit F1 to continue
] PGP: C001AA75      +                 Zen engineering?
]-- End of excerpt from <fcusackICONNET.NET>



--

- Allen

                 V E R I O  Consulting Group
_____________________________________________________________________

Allen Myers . Chief Technology Officer              url: socal.verio.net
e: myersverio.net                                    t: 800/273.5600
8001 Irvine Center Drive                              t: 949/450.8400
Suite 1200                                            f: 949/450.8410
Irvine, CA 92618-2934              24 hour Tech Support: 888/306.4638
_____________________________________________________________________

>>>> Black holes are where God divided by zero.

Next message: Kevin Way: "Re: [NTSEC] By-passing MS Proxy 2.0 and others packet filtering"
Previous message: Kragen: "Re: Possible DoS in rsh"