Secure keyboard input

Posted Nov 26, 2009 17:40 UTC (Thu) by mjg59 (subscriber, #23239)
In reply to: Secure keyboard input by jmorris42
Parent article: Fedora 12 and unprivileged package installation

So the attacker makes sure that your xterm is thunked with an LD_PRELOADed library that reports a successful grab without actually performing one. Xterm continues along its way and your password still gets grabbed. Xterm's grabs are intended to secure against hostile *X* applications that may be running on machines out of your control. That's simply not the common threat model any more, and instead it just results in people thinking that they're secure when they're not.

(Heck. The attacker could ignore X altogether and just thunk read and write in xterm and read everything going over the pty. You'd end up with a secure channel between the server and the xterm, which would win you absolutely nothing overall.)
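
A defender-side triage check for the LD_PRELOAD scenario in the comment above, as an added example that is not part of the original comment: it looks for loader-injection variables in a process's `/proc/<pid>/environ` and for executable mappings outside trusted library directories in `/proc/<pid>/maps`. The function names, the `TRUSTED_DIRS` list and the sample data are assumptions made for illustration.

```python
import os

# Dynamic-loader variables that can pull extra code into a process such as xterm.
LOADER_VARS = ("LD_PRELOAD", "LD_AUDIT", "LD_LIBRARY_PATH")
# Assumption: directories this host treats as trusted library locations.
TRUSTED_DIRS = ("/usr/lib/", "/usr/lib64/", "/lib/", "/lib64/", "/usr/libexec/")

def loader_vars(environ_blob: bytes) -> dict:
    """Return loader-injection variables found in a /proc/<pid>/environ blob."""
    found = {}
    for entry in environ_blob.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        key = name.decode(errors="replace")
        if sep and key in LOADER_VARS and value:
            found[key] = value.decode(errors="replace")
    return found

def untrusted_objects(maps_text: str, exe_path: str) -> list:
    """Return executable file mappings outside TRUSTED_DIRS, ignoring the binary itself."""
    hits = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode pathname
        if len(fields) < 6 or "x" not in fields[1]:
            continue  # anonymous mapping, or not executable
        path = fields[5].strip()
        if not path.startswith("/") or path == exe_path:
            continue  # pseudo-mappings such as [vdso], or the main executable
        if not path.startswith(TRUSTED_DIRS) and path not in hits:
            hits.append(path)
    return hits

def audit_pid(pid: int) -> dict:
    """Run both checks against a live process (needs read access to /proc/<pid>)."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        env = loader_vars(f.read())
    with open(f"/proc/{pid}/maps") as f:
        objs = untrusted_objects(f.read(), os.path.realpath(f"/proc/{pid}/exe"))
    return {"loader_vars": env, "untrusted_objects": objs}

# Constructed sample data, not captured from a real system.
SAMPLE_ENVIRON = b"TERM=xterm\0LD_PRELOAD=/home/user/.cache/libgrab.so\0HOME=/home/user\0"
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a80000 r-xp 00000000 08:01 1311 /usr/bin/xterm
7f1a20000000-7f1a20010000 r-xp 00000000 08:01 2201 /home/user/.cache/libgrab.so
7f1a21000000-7f1a21140000 r-xp 00000000 08:01 2202 /usr/lib64/libX11.so.6.4.0
7f1a22000000-7f1a22002000 r-xp 00000000 00:00 0 [vdso]
"""
```

A clean result is inconclusive: `/proc/<pid>/environ` reflects the process's start-up environment block, which the process itself can overwrite.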
