
Re: Does KDM need a password?

Dotan Cohen <dotancohen@gmail.com> writes:

> My laptop password-protects the hard drive; to unlock it I must enter a
> password before the BIOS starts the OS. Is it thus redundant to have a
> password at the KDM logon screen?

I don't know about you, but I occasionally leave my laptop unattended,
and while the KDE screen-saver locks it, it also offers the "switch
user" option.

Using that, someone could trivially open a new KDM login prompt, hit
return, and have access to your identity.  Not much fun.

A lot of Unix security assumes that you prompt for authentication before
allowing access to a user account; while you can violate that, you will
find that it does[1] open security holes by violating upstream
maintainers' assumptions.


[1]  More precisely, "is extremely likely to without very, very careful
     configuration on your part, such that you are unlikely to always
     succeed in finding the holes before they are exposed."
