https://bugzilla.novell.com/show_bug.cgi?id=253402

Summary: root password use accepted for normal user to unlock screensaver
Product: SUSE Linux 10.1
Version: Final
Platform: Other
OS/Version: SuSE Linux 10.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: GNOME
AssignedTo: bnc-team-gnome@forge.provo.novell.com
ReportedBy: s.handgraaf@xs4all.nl
QAContact: qa@suse.de

BUG reporting:

The gnome screensaver allows root password use by normal users to unlock the screensaver. I don't know if this is on purpose, but imho this is unwanted behaviour under current gnome screensaver conditions and I would qualify this as a security vulnerability.

A normal user can lock the screen with the gnome screensaver, either on idle timer or manually. The screen is locked under the user account and name. User 'alice' would see her own name in the unlock screen and is there asked for her password. However, while she can unlock the screen with her own password, currently she is also allowed to try to use the password of the root user to unlock the screen.

Although many modern systems give the opportunity to unlock a screen by the user or an administrator, this is not implemented in Gnome by default. User alice does not even have to switch users to try the root password to unlock the screen. Also, the user switching function does not have to be activated to be able to try or use the root password to unlock the screen.

Additional detail: The gnome screensaver can't even be used by root to lock the screen by design. According to the official gnome screensaver FAQ this is by design and for security reasons, and users are advised to only use su or sudo. But, while the root user is not allowed to use any authentication under its own account, normal users are now granted two password authentication openings under their own name to unlock the gnome screensaver, even without the need of su or sudo use.