Comment 4 for bug 310126

Anders Kaseorg (andersk) wrote : Re: failsafeXinit: “Open a terminal” option does not ask for a password!

Yes, the “Open a terminal” attack is gone now, but there are still other attacks that I mentioned above. The “Troubleshoot the error” option leads to a menu including three options that each launch gedit as root (“Review the xserver log file”, “Review the startup errors”, “Edit configuration file”). gedit can be used to edit the /etc/passwd file, for example, and compromise the system almost as quickly. I’ll retitle the bug to make the scope of the problem clearer.

These vulnerabilities are present in both Intrepid and Jaunty.