On Mon, 21 Aug 2000, Thomas Biege wrote:
xlockmore is normally installed as an unprivileged program in Debian 2.2 (potato) and is not vulnerable in that configuration. xlockmore may be
In SuSE 6.3 xlock is sgid shadow. Does this mean it has the same vulnerability? Did I miss a security announcement? I did not see anything in the suse-update area under xap1.
AFAIK, xlock drops SGID shadow before the bug could be exploited.
This is good. There is always the next bug to find. Anyone know how Debian manages the trick of making it unprivileged? The xlock manpage has one option which sounds pretty good, and that is to have an unprivileged crypt'd lock password. Oh dear, another password to remember. I notice that SuSE also has package xscrns (xscreensaver) which is suid root. I guess that, as I have not heard of anyone audit that for security, I had best delete that altogether. Before anyone says it, I suppose it is time for me to audit suid/sgid across my system.

dproc
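The suid/sgid audit dproc says he is about to do, as an added example that is not part of the thread: it lists every regular file with the setuid or setgid bit under a directory tree, shows owner, group and mode so an "sgid shadow" or "suid root" binary stands out, and strips the bits from a file you decide not to trust (as dproc proposes for xscreensaver). The function names and the throwaway demo directory are assumptions for illustration; on a real system run the audit as root against /.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes only POSIX find(1), ls(1),
# awk(1) and chmod(1); the helper names are hypothetical.

# Print one line per setuid or setgid regular file: "mode owner group path".
# -perm -4000 matches the setuid bit, -perm -2000 the setgid bit. Directories
# are skipped (-type f) because setgid on a directory is group inheritance,
# not a privilege escalation.
audit_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \; 2>/dev/null |
        awk '{ print $1, $3, $4, $NF }' | sort -k4
}

# Number of hits, for a quick before/after comparison of a cleanup.
count_suid_sgid() {
    audit_suid_sgid "$1" | wc -l | tr -d ' '
}

# Remove both bits from a file you no longer want privileged.
strip_suid_sgid() {
    chmod u-s,g-s "$1"
}

# Demo on a constructed directory so the script runs offline and as a
# normal user; the three files stand in for an suid-root binary, an
# sgid-shadow binary and an ordinary one.
demo_dir=$(mktemp -d)
for f in suid_tool sgid_tool plain_tool; do
    printf '#!/bin/sh\necho hi\n' > "$demo_dir/$f"
done
chmod 4755 "$demo_dir/suid_tool"
chmod 2755 "$demo_dir/sgid_tool"
chmod 0755 "$demo_dir/plain_tool"

echo "before:"; audit_suid_sgid "$demo_dir"
strip_suid_sgid "$demo_dir/sgid_tool"
echo "after:";  audit_suid_sgid "$demo_dir"
rm -rf "$demo_dir"
```

Paths containing whitespace will confuse the awk field split; on GNU find, `-printf '%M %u %g %p\n'` avoids that and also lets you write `-perm /6000` for "either bit". Save the "before" listing somewhere outside the audited tree so a later run can be diffed against it.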