Bug#564079: Is this really a screensaver issue?
Nico Golde
nion at debian.org
Tue Jan 26 14:25:33 UTC 2010
Hey,
* Bastian Blank <waldi at debian.org> [2010-01-26 14:44]:
> On Tue, Jan 26, 2010 at 11:21:56AM +0100, Josselin Mouette wrote:
> > Le samedi 23 janvier 2010 à 11:37 +0100, Guido Günther a écrit :
> > > Should this really be handled in the screensaver? The user can also kill
> > > other processes during boot like accounting daemons and therefore
> > > compromise security. The only "fix" is to disable this feature.
> > I fully concur. Such a ???feature??? should be disabled by default, and this
> > has to be done in the kernel packages.
>
> The OOM killer can always be forced with normal processes as long as
> over-commitment is enabled. So it is never save to add security measures
> within processes that can be killed seperately.
Of course but this requires either a bug in another application that can be
used remotely or access to the system e.g. via an own account.
> > I???d appreciate if we could have some input from the kernel maintainers.
>
> Someone with access to the console have several attack vectors
> available.
True, but this one is trivial to exploit and is also fairly easy to prevent so
why stick with it?
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnome-maintainers/attachments/20100126/b5a9a20c/attachment.pgp>
More information about the pkg-gnome-maintainers
mailing list