[Bug 229336] New: screen locked by kde screensaver cannot be unlocked by root
https://bugzilla.novell.com/show_bug.cgi?id=229336

Summary: screen locked by kde screensaver cannot be unlocked by root
Product: openSUSE 10.2
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: KDE
AssignedTo: kde-maintainers@suse.de
ReportedBy: mhopf@novell.com
QAContact: qa@suse.de

The KDE screensaver does not allow unlocking by user root and the root password. This is especially annoying if the logged-in user doesn't have a valid pwd entry in a new environment (laptop, moved from one NIS zone to another). As the screensaver specifically points the user at killing it directly (even prints out the pid), this is no security issue at all. It's just a matter of convenience, whether root has to log into a console and kill the process manually, or can just unlock the screen.

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
stbinner@novell.com changed:

What      |Removed |Added
----------------------------------------------------------------------------
Severity  |Normal  |Enhancement

------- Comment #1 from stbinner@novell.com 2006-12-18 08:41 MST -------
Arguable enhancement: reading other reports like bug 186204, it seems to be considered a fault if enabled by default.
------- Comment #2 from mhopf@novell.com 2006-12-18 08:57 MST -------
WTF?!? root can *always* log into a machine (as long as runlevel 5 has gettys running) and kill the screensaver. This gives a false sense of security, and is thus IMHO even counterproductive. Also, this is about KDE and not Gnome, in contrast to the mentioned bug report. I also couldn't find an option in the control center to change the behavior. But of course I might have overlooked it.
------- Comment #3 from stbinner@novell.com 2006-12-21 03:04 MST -------
> This gives a false sense of security, and is thus IMHO even counterproductive.

About security, you must have a really bad admin (who teaches you) to enter the root password into everything that looks like a screensaver (prompt).
------- Comment #4 from mhopf@novell.com 2007-01-02 09:54 MST -------
(In reply to comment #3)
> About security, you must have a really bad admin (who teaches you) to enter the root password into everything that looks like a screensaver (prompt).

You're not really thinking before making these accusations?!? With almost 10 years of security experience (5+ years as admin, building up a completely new infrastructure at the University for my Professor, and only a single break-in due to a *very* bad password and wrong access rights of a different user, who subsequently typed in the root password) I think I know a bit about this topic. Still learning, of course. Don't tell me this type of user shouldn't have the root pwd, I know that myself (it's never the admin who makes the policy...).

By prohibiting killing the screensaver with the root password you gain nothing. Nada. Zero. I already typed it in, so if this was the screensaver of a bad guy it would have been captured anyway.

But this is about a completely different issue. It's just much more convenient to kill the screensaver with the root password if the PAM module cannot authenticate you any more (network doesn't work any longer after suspend, so NIS doesn't know you any longer). I'm talking about my personal workstation and laptops, where I started the locking program myself. It's also much more convenient to be able to remove the screen saver without logging into another computer (here, where everybody knows the root password) if you absolutely need to access a computer. Hell, you would log into the computer with the root password anyway.

It's a different issue in an environment with untrusted users, of course. There you should never type in the root password in an unsafe environment, but under linux we almost by definition don't have something like that. Windows has Ctrl-Alt-Del for that (which is captured by the kernel), but Linux doesn't have an equivalent. So anybody could fake the login screen and capture the root password. This is no different to a "personalized" screen locker.

By the way - the proposed behavior (being able to kill with root pwd) is also the default behavior of both xlock and xscreensaver...
------- Comment #5 from mhopf@novell.com 2007-01-02 09:57 MST -------
(In reply to comment #4)
> It's a different issue in an environment with untrusted users, of course. There you should never type in the root password in an unsafe environment, but under linux we almost by definition don't have something like that. Windows has

I forgot to mention that this is a restriction that can only be placed by the admin on *himself*. No "feature" can hinder the admin from entering the root pwd in bad places. This is social security only.
coolo@novell.com changed:

What          |Removed |Added
----------------------------------------------------------------------------
Status        |NEW     |NEEDINFO
Info Provider |        |security-team@suse.de

------- Comment #6 from coolo@novell.com 2007-01-10 02:22 MST -------
Just to clarify the obvious: would this change be fine with the security team? I'd like to know _before_ we spend time on it.
coolo@novell.com changed:

What          |Removed               |Added
----------------------------------------------------------------------------
Status        |NEEDINFO              |RESOLVED
Info Provider |security-team@suse.de |
Resolution    |                      |WONTFIX

------- Comment #7 from coolo@novell.com 2007-01-10 02:25 MST -------
http://bugs.kde.org/show_bug.cgi?id=45980 - long living feature request, 3 votes so far. Doesn't seem to be interesting for most.
------- Comment #8 from meissner@novell.com 2007-01-10 02:56 MST -------
In general this is a longstanding issue also on the GNOME/xscreensaver side. Some people want it, some people hate it.
------- Comment #9 from lnussel@novell.com 2007-01-12 03:40 MST -------
Maybe with some additional button that starts a new pam conversation for root on request. The common method of starting a hidden pam conversation and trying to insert what has been typed before is broken IMO.
------- Comment #10 from coolo@novell.com 2007-01-12 06:18 MST -------
A "Try as root" button in the "Password failed" message box? I'm not sure this is easily possible.