Bug#305600: [Pkg-shadow-devel] Bug#305600: login is vulnerable to local pishing attacks
Christian Perrier
Christian Perrier <bubulle@debian.org>, 305600@bugs.debian.org
Thu, 21 Apr 2005 18:18:18 +0200
>
> I know. I have not installed vlock, lockvt, xlock, away, (which besides accept
> passwords from stdin...) but unfortunately I cannot decline politely on login
> and gdm.
>
> > And I would add that, if your system allows random users to replace
> > login by such a program, then you have much other problems than
> > phising.
>
> "touch /etc/nologin" and "apt-get remove gcc" and ... is not possible.
> Unfortunately I'm a not a so good paid HiWi (20h/month) for a computer lab. We
> cannot afford a smartcard based authentication for all students.
Please explain me how, on a non compromised system, users can replace
the login program with something else.
> * Tomasz K?oczko <kloczek@zie.pg.gda.pl> [2005-04-21 03:48]:
> > PS. Next time try send this kind of report in 1 april ;-)
>
> Ever read "Surely you'r joking Mr. Feynman". Funniest story was about the
> crack of the uncrackable safes guarding the atomic bomb's most critical
> secrets. Not so funny if you're admin of a computer lab for physicists.
Do all the physicists in your lab have root access to the machine? If
so, then you have a problem.