A vulnerability with the screensaver password lock
Authored by: pvera on Jun 04, '04 11:56:03AM

All you have to do is use fast user switching to go to the login window. The only problem with doing this is that iChat will disconnect. Once in the login window then nobody can log into your session, not even an administrator.

---
Pedro
-
http://pedrovera.com



A vulnerability with the screensaver password lock
Authored by: babbage on Jun 04, '04 01:09:05PM

You're right that this gets around the problem I raised, but then this brings up other issues. With fast user switching, your session is still active in memory, and there are ways of snooping around in someone else's active login session.

Both OSX and WinXP put in disclaimers telling you to only enable fast user switching in environments where users trust each other, i.e. it's okay to use home with your spouse and kids (or siblings & parents) but probably not okay for a corporate or university desktop machine.

The company I work for explicitly discourages anyone from using Fast User Switching on their desktop for exactly these reasons, and while I don't mind having it turned on at home where it's just me, my wife, and the cat, I agree that it's a good policy to forbid it at work.

---
--
DO NOT LEAVE IT IS NOT REAL



A vulnerability with the screensaver password lock
Authored by: yellow on Jun 04, '04 01:19:42PM

I cannot get this 'vulnerability' to manifest itself no matter how many different ways I try. What's the deal?



But it's supposed to be multiuser!
Authored by: derrickbass on Jun 05, '04 03:21:30PM
The company I work for explicitly discourages anyone from using Fast User Switching on their desktop for exactly these reasons, and while I don't mind having it turned on at home where it's just me, my wife, and the cat, I agree that it's a good policy to forbid it at work.
That's really amusing to me, considering the origins of UNIX (of which OS X is a descendant). I mean, the whole idea was to try and provide a secure environment where multiple people could work on the same machine without interfering with each other. In fact, it wasn't until about 10 years ago that there were a substantial number of companies that could afford to implement such a policy as you describe for their UNIX machines! Until then, there was a mainframe or workstation serving many (sometimes hundreds or even thousands) of users who had dumb terminals. Cheap UNIX boxes are pretty new inventions.

Anyway, you are correct that there are a few covert channels through which to snoop on other users. In addition, local privilege escalation security vulnerabilities sometimes pop up. But really, as long as you only let truly trusted (and careful) users have administrator privileges, I think the sorts of additional threats presented by having multiple users on the same machine are pretty minimal. (You should make sure the default UMASK is set so that new folders & files are not readable by others.)


But it's supposed to be multiuser!
Authored by: osxpounder on Jun 09, '04 02:33:12PM

You wrote, " (You should make sure the default UMASK is set so that new folders & files are not readable by others.)". I'm too much a *nix newbie to know how to do that, or what side effects that might produce. Would anyone please explain how to do it, and offer any warnings or advice about it?

---
--
osxpounder



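An added example (not from any poster in this thread) showing what the umask advice above does in practice: the `perms_with_umask` helper creates a new file or directory under a given umask in a scratch directory and prints the resulting permission string, so you can compare a permissive mask like 022 with 077, which keeps new files private to the owner. The helper name and the `~/.profile` location mentioned in the comments are assumptions.

```shell
#!/bin/sh
# Demonstrate how the umask shapes the mode of newly created files and
# directories. A file is created with 0666 and a directory with 0777, and
# the umask bits are then cleared from those defaults.

# perms_with_umask MASK KIND
#   MASK is an octal umask such as 022 or 077; KIND is "file" or "dir".
#   Prints the ls-style permission string of the new object, e.g. -rw-------
perms_with_umask() {
    mask=$1
    kind=$2
    tmp=$(mktemp -d)                 # scratch directory, removed below
    (
        umask "$mask"                # takes effect only in this subshell
        if [ "$kind" = dir ]; then
            mkdir "$tmp/new"
        else
            : > "$tmp/new"           # create an empty file, like touch
        fi
    )
    perm=$(ls -ld "$tmp/new" | cut -c1-10)
    rm -rf "$tmp"
    printf '%s\n' "$perm"
}

# Typical results (constructed for this example):
#   022 file -> -rw-r--r--   everyone on the machine can read the file
#   077 file -> -rw-------   only the owner can read or write it
#   077 dir  -> drwx------   others cannot even list the directory
for case in "022 file" "077 file" "077 dir" "027 dir"; do
    set -- $case
    printf 'umask %s, new %s: %s\n' "$1" "$2" "$(perms_with_umask "$1" "$2")"
done

# To make the private setting the default for your own shells, a line such as
#   umask 077
# in the shell startup file (assumed here to be ~/.profile) applies to every
# process started from those shells; GUI applications launched outside a
# shell do not read that file, so check their behaviour separately.
```

A umask of 077 only affects files created after it is set; existing files keep their current permissions and need `chmod` if they are already readable by others.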