List:       kde-devel
Subject:    Re: seteuid() in kscreensaver
From:       "Rik Hemsley" <rikkus () postmaster ! co ! uk>
Date:       1999-03-10 0:52:23

> Oh, are there security experts around here?
> Perhaps you know, kcheckpass is writing to the system log, in
> case of an authentication failure (wrong password).
> What do you think about not writing to the log, if the
> password is the empty string. I had admin reports telling
> me the system logs fill up with such messages originating
> from users trying to switch off their (or others') "screen
> saver" by pressing "Return".
> I don't see a possible exploit out of this - anybody else?


Finally a thread I understand - all this coding guff is massacring my grey
cells ;)

I have certainly never heard of anyone trying to break things by entering a
blank password. It just wouldn't work anyway.

I would say that I consider a login attempt that didn't supply a password to
not actually be a login event. I think some systems ignore this anyway as on
certain terminals you naturally press enter a couple of times when you sit
down to make sure it's listening to you.

So: It's not a failed login, it's not counted as a login at all IMO.

Cheers,
Rik
