
Bug#1007724: xscreensaver: xscreensaver-auth says it should be installed setuid root


Julian Gilbey

Mar 15, 2022, 2:00:04 PM3/15/22
Package: xscreensaver
Version: 6.02+dfsg1-2
Severity: normal

I observed the following:

euler:~ $ xscreensaver -no-splash
xscreensaver-auth: 17:48:30: OOM: /proc/7427/oom_score_adj: Permission denied
xscreensaver-auth: 17:48:30: To prevent the kernel from randomly unlocking
xscreensaver-auth: 17:48:30: your screen via the out-of-memory killer,
xscreensaver-auth: 17:48:30: "xscreensaver-auth" must be setuid root.

And:

euler:~ $ ls -l /usr/libexec/xscreensaver/xscreensaver-auth
-rwxr-xr-x 1 root root 308168 Jan 15 15:40 /usr/libexec/xscreensaver/xscreensaver-auth

So perhaps this should be setuid root?

Best wishes,

Julian

-- System Information:
Debian Release: bookworm/sid
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-4-amd64 (SMP w/4 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages xscreensaver depends on:
ii init-system-helpers 1.62
ii libatk1.0-0 2.36.0-3
ii libc6 2.33-7
ii libcrypt1 1:4.4.27-1.1
ii libglib2.0-0 2.70.4-1
ii libgtk2.0-0 2.24.33-2
ii libpam0g 1.4.0-11
ii libpango-1.0-0 1.50.4+ds-1
ii libsystemd0 250.3-2
ii libx11-6 2:1.7.2-2+b1
ii libxext6 2:1.3.4-1
ii libxft2 2.3.2-2
ii libxi6 2:1.8-1
ii libxinerama1 2:1.1.4-3
ii libxml2 2.9.13+dfsg-1
ii libxrandr2 2:1.5.2-1
ii libxt6 1:1.2.1-1
ii libxxf86vm1 1:1.1.4-1+b2
ii xscreensaver-data 6.02+dfsg1-2

Versions of packages xscreensaver recommends:
ii gsfonts-x11 0.28
ii libjpeg-turbo-progs 1:2.1.2-1
ii miscfiles [wordlist] 1.5+dfsg-4
ii perl 5.34.0-3
ii wamerican [wordlist] 2020.12.07-2
ii wbritish [wordlist] 2020.12.07-2
ii wbritish-huge [wordlist] 2020.12.07-2
ii wbritish-large [wordlist] 2020.12.07-2
ii wbritish-small [wordlist] 2020.12.07-2
ii xfonts-100dpi 1:1.0.4+nmu1.1

Versions of packages xscreensaver suggests:
ii elinks [www-browser] 0.13.2-1+b3
ii epiphany-browser [www-browser] 41.3-2
ii firefox [www-browser] 89.0.2-2
ii fortune-mod [fortune] 1:1.99.1-7.1
pn gdm3 | kdm-gdmcompat <none>
ii google-chrome-stable [www-browser] 99.0.4844.51-1
ii links [www-browser] 2.25-1
ii links2 [www-browser] 2.25-1
ii lynx [www-browser] 2.9.0dev.10-1
pn qcam | streamer <none>
ii w3m [www-browser] 0.5.3+git20210102-6
ii xdaliclock 2.44+debian-2
ii xfishtank 2.5-1+b1
ii xscreensaver-data-extra 6.02+dfsg1-2
ii xscreensaver-gl 6.02+dfsg1-2
ii xscreensaver-gl-extra 6.02+dfsg1-2

-- no debconf information

Tormod Volden

Mar 20, 2022, 6:10:03 PM3/20/22
On Tue, Mar 15, 2022 at 6:57 PM Julian Gilbey wrote:
> euler:~ $ xscreensaver -no-splash
> xscreensaver-auth: 17:48:30: OOM: /proc/7427/oom_score_adj: Permission denied
> xscreensaver-auth: 17:48:30: To prevent the kernel from randomly unlocking
> xscreensaver-auth: 17:48:30: your screen via the out-of-memory killer,
> xscreensaver-auth: 17:48:30: "xscreensaver-auth" must be setuid root.
>
> And:
>
> euler:~ $ ls -l /usr/libexec/xscreensaver/xscreensaver-auth
> -rwxr-xr-x 1 root root 308168 Jan 15 15:40 /usr/libexec/xscreensaver/xscreensaver-auth
>
> So perhaps this should be setuid root?

Thanks for the report. I guess this is something we'll leave to the
local administrator, to consider whether the risk of random unlocking
is worse than another setuid executable. xscreensaver is quite safe
with the recent split-out of xscreensaver-auth though.

Best regards,
Tormod

Jamie Zawinski

Mar 20, 2022, 8:30:03 PM3/20/22
There is no debate about this. It is insecure and irresponsible for xscreensaver-auth to *not* be setuid root.

Install it setuid root, as it was designed to be, and as "make install" does by default.

VA

Mar 22, 2022, 6:20:03 AM3/22/22
severity 1007724 serious
thanks

Given that, due to this bug, xscreensaver does not lock the screen at all
or even run, the package does not work at all in its current state,
and worse, it prevents locking, its main security feature.

Tormod Volden

Mar 23, 2022, 9:40:03 AM3/23/22
VA, please provide a tested patch against our VCS
https://salsa.debian.org/debian/xscreensaver
thanks