| Summary: | Xscreensaver/PAM: Root password can unlock XScreensaver-locked X session of ordinary user. | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Steph Gosling <steph> |
| Component: | [OLD] Unspecified | Assignee: | Seemant Kulleen (RETIRED) <seemant> |
| Status: | RESOLVED WONTFIX | | |
| Severity: | normal | CC: | azarah, woodchip |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | x86 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Steph Gosling
2003-01-05 15:18:25 UTC
this is expected behaviour. use xlock if you don't like it

I am not 100% sure on this. We do use similar /etc/pam.d/system-auth as Redhat/Mandrake. Seemant, got a Redhat/Mandrake box with recent version of distro that you can test this on with similar xscreensaver/kscreensaver pam.d files?

The whole thing strikes me as odd. I re-read the manpage and Seemant was indeed correct: "...it will require you to type the password of the logged-in user (really, the person who ran xscreensaver), or the root password..." Now that seems pretty silly to me, but, if that's what the xscreensaver authors say, then so be it. Buuuut RH 7.3 (xscreensaver 3.33-4, pam-0.75-32), Mdk 8.2 (4.00-4mdk, 0.75-20mdk), RH 8.0 (4.05-6, 0.75-40) all behave differently (that is, the root pass cannot unlock a user-locked screen). All have identical pam.d/xscreensaver entries. A cursory look at the RH 8.0 pam.d/system-auth vs. my current system-auth says they're identical.

PAM should be fairly the same as Redhat's, as I try to keep in sync with security/bugfixes. We do have one or two extra patches for segfaults, etc, but those they have not responded on. Could be that they patch the xscreensaver/kscreensaver side. I'll have a look. I'll just recheck their patches to pam, but I did so about 3 weeks ago ...

Just an interjection. I'd suggest the manpage is completely correct and that this is exactly the way it's supposed to work. Consider: 1) RH generally responds to their _business users_ requests. 2) Assume a company's standard security policy requires users be automatically forced to change their passwords monthly. Imagine how many users forget their new passwords after the screensaver comes on. ... While this functionality may not make sense in a SOHO or single user environment, it is an essential business requirement. Hope this helps.

Right, it is intended behaviour.