From: Stefan Siegel (siegelinformatik.uni-kl.de)
Date: Wed Feb 13 2002 - 12:31:43 CST


    Subject: [Cooker] Please switch off kdm AutoReLogin: painful and dangerous
    Date: Wed, 13 Feb 2002 16:57:59 +0100 (CET)
    From: Stephane Gourichon <Stephane.Gourichon at lip6.fr>
    To: <cooker at linux-mandrake.com>

    Hello,

    Mandrake 8.1 introduced a new feature, through the new kdm: AutoReLogin.
    It is supposed to build back the user session if X crashes (or
    Ctrl-Alt-Backspace is pressed, which is a handy way not to wait for
    eons for KDE to start when one actually wants everything else but KDE,
    but sometimes the default goes back to starting KDE anyway).

    Be aware that this opens a security hole!

    Whenever a screen is xlocked (xscreensaver, etc.), anyone just has to
    press Ctrl-Alt-Backspace to get re-logged in as the previous user, but
    without the screen locked. (See
    http://www.google.com/search?q=autorelogin%20security)

    IMO, this should be turned off by default! (AutoReLogin=false in kdmrc)

    Perhaps, after disabling it by default, Mandrake may consider turning
    the default back to "on" in low security levels and/or if autologin is
    set to true.

    (I don't know if it is fixed in 8.2, and I can't test now.)

    Thanks.
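As an added example, not part of the forwarded post or of Mandrake's own tooling, here is a small POSIX shell check an administrator could run against a kdmrc to confirm whether AutoReLogin is on, and a helper that rewrites it to false. The post names only the key and the file; the `[X-*-Core]` section name used when the key has to be appended is an assumption about kdm's configuration layout, and the two kdmrc fragments are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): audit and fix AutoReLogin in a kdmrc.

# Constructed sample kdmrc fragments used for the demonstration below.
# The [X-*-Core] section name is an assumption; the post only names the key.
KDMRC_WEAK='[X-*-Core]
AutoReLogin=true
AllowRootLogin=false'

KDMRC_FIXED='[X-*-Core]
AutoReLogin=false
AllowRootLogin=false'

# autorelogin_state FILE
# Prints "enabled", "disabled" or "unset" (no AutoReLogin line at all,
# so kdm's built-in default applies). The last assignment wins, as in
# an ini-style file; case and surrounding whitespace are ignored.
autorelogin_state() {
    val=$(sed -n 's/^[[:space:]]*AutoReLogin[[:space:]]*=[[:space:]]*//p' "$1" \
          | tail -n 1 | tr 'A-Z' 'a-z' | tr -d '[:space:]')
    case "$val" in
        true|yes|on|1) echo enabled ;;
        "")            echo unset ;;
        *)             echo disabled ;;
    esac
}

# disable_autorelogin IN OUT
# Writes a copy of IN to OUT with every AutoReLogin line forced to false.
# If the key is absent, an explicit AutoReLogin=false is appended under a
# new [X-*-Core] section (assumed section name) so the setting is pinned
# rather than left to the default.
disable_autorelogin() {
    if grep -q '^[[:space:]]*AutoReLogin[[:space:]]*=' "$1"; then
        sed 's/^\([[:space:]]*AutoReLogin[[:space:]]*=\).*/\1false/' "$1" > "$2"
    else
        { cat "$1"; printf '\n[X-*-Core]\nAutoReLogin=false\n'; } > "$2"
    fi
}

# Demonstration on the constructed samples (temporary files, removed after use).
demo_weak=$(mktemp); demo_fixed=$(mktemp); demo_out=$(mktemp)
printf '%s\n' "$KDMRC_WEAK"  > "$demo_weak"
printf '%s\n' "$KDMRC_FIXED" > "$demo_fixed"
echo "weak sample:  $(autorelogin_state "$demo_weak")"    # enabled
echo "fixed sample: $(autorelogin_state "$demo_fixed")"   # disabled
disable_autorelogin "$demo_weak" "$demo_out"
echo "after fix:    $(autorelogin_state "$demo_out")"     # disabled
rm -f "$demo_weak" "$demo_fixed" "$demo_out"
```

Run it against the real file by calling `autorelogin_state /path/to/kdmrc`; anything other than `disabled` means a Ctrl-Alt-Backspace on a locked display would drop back into the previous user's session, as the post describes.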
