List:       kde-devel
Subject:    Re: seteuid() in kscreensaver
From:       Christian Esken <c.esken () cityweb ! de>
Date:       1999-03-09 17:31:51

Martin Jones wrote:
> 
> Stephan Kulow wrote:
> >
> > Harri Porten wrote:
> > >
> > > Hi !
> > >
> > > I just continued my experiment to compile KDE on a machine running HP/UX.
> > > Everything's going fine so far except for some calls to seteuid() which
> > > isn't available everywhere.
> > > I already changed the one in kquickhelp to setuid() which is more
> > > appropriate anyway.
> > >
> > > But what about the ones in kscreensaver.cpp ? Is it safe to drop them or
> > > put a #ifdef HAVE_SETEUID around them now that kcheckpass is there ?
> > >
> > > Quite a few people have worked on main.cpp so I post this request here
> > > instead of filing a bug report.
> > >
> > As far as I know a replacement for seteuid exists, but I'm not sure.
> > But using kcheckpass is definitely a good idea. I would even go so far
> > to get rid of every password related code in klock and port kcheckpass
> > alone.
> 
> I would like to remove all password stuff from klock ASAP and rely
> on kcheckpass only for KDE 1.1.1.  Is there anyone who knows a
> good reason not to?

Portability?

You cannot imagine the trouble to get kcheckpass ready for
KDE1.1 - and KDE1.1 still suffered from not being able to
support "Shadow+NIS".
Currently I have included the patches from SuSE, and I have
quite varying reports from testers: Some say: Jippie, it
finally works, others say, now even Shadow support is broken. :-(


In the long run we should definitely move over all logic into
kcheckpass.

Oh, are there security experts around here?
Perhaps you know, kcheckpass writes to the system log in
case of an authentication failure (wrong password).
What do you think about not writing to the log if the
password is the empty string? I had admin reports telling
me the system logs fill up with such messages originating
from users trying to switch off their (or others') "screen
saver" by pressing "Return".
I don't see a possible exploit out of this - anybody else?

 
  Christian Esken

-- 
Visit us at CeBit 99, Hall 3, Stand A12
"Template Software ----- Enterprise Integration is our profession"
http://www.template.de
