Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 86145

Summary: xscreensaver problem?
Product: Gentoo Security Reporter: Jochen Maes (RETIRED) <sejo>
Component: AuditingAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: All   
Whiteboard:
Package list:
Runtime testing required: ---

Description Jochen Maes (RETIRED) gentoo-dev 2005-03-21 08:55:54 UTC 
When i'm logged in as user, screensaver pops up and locks the screen. 
When trying to unlock you can type in the username and the password. 
I just typed in the password off my root account under another username and i can login. 

this seems to me that it just doesn't really check the username & password, but just whether the pwd is in the /etc/passwd file, belonging to root or the user.
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-03-21 15:15:48 UTC 
Jochen: I've confirmed this behaviour is by design, if you look at the pam_passwd_valid_p() subroutine in passwd-pam.c, xscreensaver attempts to authenticate the current user using pam_authenticate(), if that fails, the username is set to "root" and authentication is attempted again..around line ~277

/* If that didn't work, set the user to root, and try to authenticate again.*/

Marking RESOLVED.