Re: Security in GNOME




James Henstridge writes:
>What I was talking about in my last message was the possibility of using
>gsu/consolehelper as a trojan horse for collecting passwords, rather than
>exploiting any buffer overflow or passing invalid data to the setuid part.
>
>If either of these programs conforms to the user's selected theme then
>someone who has compromised the user's account will be able to collect the
>passwords entered into either of these utilities.  They would then be able
>to gain root access later on with the normal su command.

They can do that without touching the theme -- if they have access to the
user's account, they can get the xauth cookie and sniff keystrokes easily.

michaelkjohnson

"Magazines all too frequently lead to books and should be regarded by the
 prudent as the heavy petting of literature."            -- Fran Lebowitz
 Linux Application Development     http://people.redhat.com/johnsonm/lad/


