LWN: Comments on "X.org screensaver bypass found"
https://lwn.net/Articles/476134/
This is a special feed containing comments posted to the individual LWN article titled "X.org screensaver bypass found".
Feed generated: Mon, 22 Sep 2025 05:52:02 +0000

----

*whew*
https://lwn.net/Articles/477505/
etrusco, Fri, 27 Jan 2012 01:20:38 +0000

I wonder who would use a bleeding edge distro while needing a stable system with shared physical access?

----

X.org screensaver bypass sponsored by Canonical
https://lwn.net/Articles/477461/
daniels, Thu, 26 Jan 2012 22:26:01 +0000

Thanks for the random drive-by abuse, but I haven't been a part of or contributed anything to Ubuntu since I left Canonical over six years ago.

----

X.org screensaver bypass found
https://lwn.net/Articles/477458/
gvy, Thu, 26 Jan 2012 22:19:15 +0000

You must have had bothered to mark the change clearly in the code commit *you* made -- and must have had communicated that to the others working on it as well.

It's not "oh well". It's why six-month-craze is counterproductive.

#include <stdflame/ubuntu>

----

X.org screensaver bypass found
https://lwn.net/Articles/477457/
gvy, Thu, 26 Jan 2012 22:13:46 +0000

This blogpost (http://www.cyberciti.biz/tips/my-10-unix-command-line-mistakes.html#comment-169179) has some discussion of that kind of fun...

----

X.org screensaver bypass sponsored by Canonical
https://lwn.net/Articles/477456/
gvy, Thu, 26 Jan 2012 22:06:22 +0000

Yes, Daniel Stone of Ubuntu took care of screwing up for the others. Thank you, Dan.

----

X.org screensaver bypass found
https://lwn.net/Articles/476644/
sebas, Mon, 23 Jan 2012 10:07:23 +0000

That's actually two issues TuxOnIce solved quite nicely: smarter and faster preparation of the hibernate process, and showing progress while doing it (and also being able to cancel it while it's hibernating).

I haven't tried it in a while though. It used to be very reliable for me, but nowadays, I'm just using S3.

----

Fedora 16 fix already rushed to stable.
https://lwn.net/Articles/476633/
gilboa, Mon, 23 Jan 2012 07:21:15 +0000

As the title suggests.
Quick yum update + login/logout is very-much-advised.

- Gilboa

----

X.org screensaver bypass found
https://lwn.net/Articles/476332/
zzxtty, Fri, 20 Jan 2012 13:41:04 +0000

You want to remove both KPMU and KPDV.

----

X.org screensaver bypass found
https://lwn.net/Articles/476325/
v13, Fri, 20 Jan 2012 12:35:36 +0000

Quick hack:

xkbcomp :0 - > /tmp/koko.map

vi /tmp/koko.map

... remove the Multiply thingy that causes this ...

xkbcomp /tmp/koko.map :0

----

X.org screensaver bypass found
https://lwn.net/Articles/476297/
Pawlerson, Fri, 20 Jan 2012 09:19:43 +0000

According to Phoronix you're safe with the current Kubuntu/Ubuntu. :)

----

X.org screensaver bypass found
https://lwn.net/Articles/476292/
rvfh, Fri, 20 Jan 2012 08:49:29 +0000

Does not seem to affect my Kubuntu 11.10 machine... or am I missing something?
Ctrl Alt (keypad)* correct? Does nothing on my locked machine.

----

X.org screensaver bypass found
https://lwn.net/Articles/476265/
whot, Fri, 20 Jan 2012 03:44:39 +0000

fwiw, I've posted a summary of the issue, its history and its effects, here:

http://who-t.blogspot.com/2012/01/xkb-breaking-grabs-cve-2012-0064.html

----

X.org screensaver bypass found
https://lwn.net/Articles/476250/
Kit, Fri, 20 Jan 2012 02:05:39 +0000

I don't believe I'm using TuxOnIce, it doesn't appear that's what Fedora uses based on a quick search. It spends the time on preallocating space for the image (the exact wording is slightly different)... it would be nice if it at least had some sort of progress indicator. The part where it's actually dumping the memory to disk doesn't take close to as long.

----

X.org screensaver bypass found
https://lwn.net/Articles/476243/
nix, Fri, 20 Jan 2012 01:14:48 +0000

> On Linux, I only use hibernate, because suspend still isn't reliable for me... unfortunately, this takes upwards of 10 minutes to shut the machine down

That sounds like a bug. When you say 'hibernate', do you mean the hibernate script that is part of TuxOnIce? If so, you might want to mention it on one of the tuxonice lists, and see if there's anything that can be done to speed things up. My 12Gb two-disk machine takes under a minute to suspend.

----

X.org screensaver bypass found
https://lwn.net/Articles/476241/
daniels, Fri, 20 Jan 2012 00:57:35 +0000

This is now fixed with xkeyboard-config 2.5: http://listserv.bat.ru/xkb/Message/8375.html

----

X.org screensaver bypass found
https://lwn.net/Articles/476224/
mgedmin, Thu, 19 Jan 2012 22:43:34 +0000

You mean this version of hw/xfree86/dixmods/xkbPrivate.c doesn't handle Private(type=0x86, data="clsgrab"), so there's no harm of that action existing in my xkb config? Now it makes sense to me.

----

X.org screensaver bypass found
https://lwn.net/Articles/476217/
Kit, Thu, 19 Jan 2012 22:26:25 +0000

> Do people still run screensavers? That's pretty irresponsible.
> The monitor should be turned off, and most of the box too.

I don't run a screen saver on any machine to 'save the screen' or 'provide pretty pictures when I'm not there'.

On Windows, my screen saver starts up (blank) at the same time as the system is set to shut off the monitor. Attempting to wake up the system after this time results in being presented with the lock screen, which runs in a different desktop context than the desktop itself. I'll suspend the system if I'm going to be away for more than a couple minutes and don't have anything running that'll be adversely affected by being paused (i.e. no active network operations).

On OSX, the situation is largely the same. Lock screen presented upon resume, and set to suspend very aggressively (a suspend/resume cycle is incredibly short).

On Linux, I only use hibernate, because suspend still isn't reliable for me... unfortunately, this takes upwards of 10 minutes to shut the machine down. When it comes back up, it has the screen saver running as a lock screen, to require the user to enter a password before they can actually use the machine. I really hate using the screen saver as the screen "lock", it's very sluggish to start and even worse to bring up the password box (if it's been idle for at least a few minutes, /10 seconds/ to show the box isn't unusual). It's also hard to tell when the resume has finished with the blank screen saver (I can't tell if it's showing the screen saver or if it's still resuming), so I might end up having to actually install and use a screen saver that actually shows something. Certainly the worst of the three for me.

----

X.org screensaver bypass found
https://lwn.net/Articles/476222/
pabs, Thu, 19 Jan 2012 22:23:54 +0000

That's because this screen combo appears to kill gnome-screensaver at least. One would hope such screenlockers detect stuff going away and re-acquire grabs etc.

----

X.org screensaver bypass found
https://lwn.net/Articles/476212/
nteon, Thu, 19 Jan 2012 21:29:10 +0000

this affects the 'lock screen' function in gnome-shell on my fedora 16 box, so it's not just screensavers

----

X.org screensaver bypass found
https://lwn.net/Articles/476209/
thyrsus, Thu, 19 Jan 2012 21:00:16 +0000

This is present in Fedora 16. In my experience, after using it once, the screen lock refuses to start again until I log out and back in.

----

*whew*
https://lwn.net/Articles/476189/
dskoll, Thu, 19 Jan 2012 20:06:39 +0000

Running Debian Squeeze and X.Org 1.7.7. Glad not to be on bleeding-edge :)

----

X.org screensaver bypass found
https://lwn.net/Articles/476170/
daniels, Thu, 19 Jan 2012 19:38:43 +0000

It's meant to be a debugging aid for app and toolkit developers, who need to break stuck grabs from time to time. It wasn't meant to be enabled by default, but that apparently got lost in a miscommunication between myself and the keyboard layout maintainer, and I didn't think to double-check afterwards. Oh well.

http://lists.x.org/archives/xorg-devel/attachments/20120119/bcfd3bb3/attachment.bin is the recommended patch.

----

X.org screensaver bypass found
https://lwn.net/Articles/476171/
__alex, Thu, 19 Jan 2012 19:36:11 +0000

Unless like me you use the xorg-edgers ppa in which case you definitely are vulnerable :(

----

X.org screensaver bypass found
https://lwn.net/Articles/476161/
theophrastus, Thu, 19 Jan 2012 18:57:10 +0000

sweet_zombie_jesus! (and here all this time i was typing in my password to get back in like a chump [wink]) can someone explain what proper function this 'feature' was intended to serve ...debugging backdoor? [looks down at keyboard and wonders about all the other possible ctrl-alt-strange_keys]

----

X.org screensaver bypass found
https://lwn.net/Articles/476160/
zwenna, Thu, 19 Jan 2012 18:43:17 +0000

Ubuntu 11.10 still has xserver 1.10, so is not vulnerable.

----

X.org screensaver bypass found
https://lwn.net/Articles/476158/
mgedmin, Thu, 19 Jan 2012 18:30:50 +0000

Hm, I see the XF86ClearGrab binding is active in my 'xkbcomp :0 -' output on Ubuntu 11.10 (both the mapping and the interpret bits), and I can see XF86ClearGrab show up in xev output, but when I press it when the screensaver is active, nothing happens. Huh?

----

X.org screensaver bypass found
https://lwn.net/Articles/476155/
prometheanfire, Thu, 19 Jan 2012 18:24:23 +0000

Bunch of people use this at work,

Already changed their background and put a new screensaver up (with a custom message). Who said bugs can't be fun :D

----

X.org screensaver bypass found
https://lwn.net/Articles/476147/
ncm, Thu, 19 Jan 2012 17:57:49 +0000

Do people still run screensavers? That's pretty irresponsible. The monitor should be turned off, and most of the box too.

But this is really about automatic time-out screen locking, and authentication. We're still at a very primitive stage there. Arguably the machine should give you library-PC features with no authentication, and then enable more features as it gains confidence that it's really you. Passwords would be just a way to speed that up. To recognize keyboard timing signatures would give enough security, by itself, for almost everything.

----

Never really worked that well
https://lwn.net/Articles/476144/
epa, Thu, 19 Jan 2012 17:29:51 +0000

The X screen locking has always been a bit flaky. On a heavily loaded machine, it might take several seconds between invoking 'xlock' and the screen becoming locked - the screen is not locked while the fancy graphics are set up.

----

X.org screensaver bypass found
https://lwn.net/Articles/476138/
Kit, Thu, 19 Jan 2012 17:03:43 +0000

Wow, now that's pretty unsettling.

Simply throwing a window up over the other windows has bothered me for several years (ever since the first time I saw GAIM open a window *over* a locked screen saver!). It seemed like a hack just to have something (sort of like the login screen on Windows 9x, where clicking 'cancel' would log you in anyways!).

Obviously a determined attacker with physical access will be able to eventually bypass any protection... but one would at least hope that the measures in place would be enough to defeat the casual walker-byer!