
Bug 44323

Summary: Security flaw in KDE makes login to locked screen possible
Product: Gentoo Linux Reporter: Stefan Raspl <raspl>
Component: [OLD] KDE
Assignee: Gentoo KDE team <kde>
Status: RESOLVED INVALID    
Severity: critical    
Priority: High    
Version: unspecified   
Hardware: x86   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Stefan Raspl 2004-03-10 22:30:28 UTC
I'm running Gentoo stable, having KDE 3.2 installed now.
In KDE, configure a screensaver (I'm using the OpenGL ones, but not sure if that is essential) with password protection.
Lock the screen and let the screensaver kick in. Then press <CTRL> + <ALT> + <BACKSPACE>, which kills the X server. What happens next is that the server restarts, and the previous KDE session(!!!) comes up again instead of kdm!
This way, it is possible for any user to log into a locked KDE account.
Comment 1 Paul de Vrieze (RETIRED) gentoo-dev 2004-03-11 05:16:38 UTC
Are you sure that you didn't explicitly configure kdm to have this behaviour? Kdm has an option to automatically log in the previous user in case the X server crashes. As is quite obvious, this feature is unsafe.
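The kdm option Comment 1 refers to is the `AutoReLogin` key in kdmrc, which restarts the previous session after the X server dies (including after the Ctrl+Alt+Backspace sequence from the description). The following audit script is an added example, not part of the bug report: it checks a kdmrc for sections that enable the key. The kdmrc path and the sample file contents are assumptions; only the key name is taken from kdm's own configuration format.

```shell
#!/bin/sh
# Added example (not from the bug report): report kdmrc sections that set
# AutoReLogin=true, the setting that lets a locked session come back after
# an X server restart. Install path for kdmrc is an assumption; on a real
# host pass the actual file, e.g. /usr/kde/3.2/share/config/kdm/kdmrc.

# Constructed sample: global section enables the option, display :0 does not.
SAMPLE_KDMRC=$(mktemp)
cat > "$SAMPLE_KDMRC" <<'EOF'
[General]
ConfigVersion=2.3

[X-*-Core]
AutoReLogin=true
AllowShutdown=All

[X-:0-Core]
AutoReLogin=false
EOF

# Constructed hardened sample: option explicitly disabled everywhere.
HARDENED_KDMRC=$(mktemp)
cat > "$HARDENED_KDMRC" <<'EOF'
[X-*-Core]
AutoReLogin=false
EOF

# kdm_autorelogin_sections FILE
# Prints each [section] in which AutoReLogin is set to true, one per line.
kdm_autorelogin_sections() {
    awk '
        /^\[/ { section = $0; next }
        /^[[:space:]]*AutoReLogin[[:space:]]*=/ {
            split($0, kv, "=")
            val = kv[2]; gsub(/[[:space:]]/, "", val)
            if (tolower(val) == "true") print section
        }
    ' "$1"
}

# kdm_autorelogin_enabled FILE: succeeds (exit 0) if any section enables it.
kdm_autorelogin_enabled() {
    [ -n "$(kdm_autorelogin_sections "$1")" ]
}

# Usage: report the weak setting for the sample file.
if kdm_autorelogin_enabled "$SAMPLE_KDMRC"; then
    echo "AutoReLogin enabled in: $(kdm_autorelogin_sections "$SAMPLE_KDMRC")"
fi
```

A kdmrc that never mentions the key falls back to kdm's built-in default, so an empty result from the audit only proves the file does not enable it explicitly.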
Comment 2 Stefan Raspl 2004-03-11 05:32:59 UTC
Will check...I know about this feature but usually do not select it. Stay tuned...
Comment 3 Stefan Raspl 2004-03-12 04:34:18 UTC
Tried to verify this yesterday, but it didn't happen anymore!
When discovering this problem, I have verified multiple times that it does indeed happen... I did an 'emerge sync' in between, but that's about it. Also, kdm is _not_ configured to do any auto logins.
No idea what is going on here...