
Bug#818118: marked as done (security-tracker: It's possible for any user to steal root console output)



Your message dated Tue, 15 Mar 2016 14:10:52 +0100
with message-id <20160315131052.GA18312@lorien.valinor.li>
and subject line Re: Bug#818118: security-tracker: It's possible for any user to steal root console output
has caused the Debian Bug report #818118,
regarding security-tracker: It's possible for any user to steal root console output
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
818118: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=818118
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: security-tracker
Severity: normal

Dear Maintainer,

*** Reporter, please consider answering these questions, where appropriate ***

   * What led up to the situation?
   * What exactly did you do (or not do) that was effective (or
     ineffective)?
   * What was the outcome of this action?

1. Open root console
2. apt-get any framebuffer grabbing utility (e.g. fbgrab)
3. switch to a graphical interface of any other user
4. run "fbgrab /path/whatever.png"
5. Now you've got a root console output, with possibly its secret information

   * What outcome did you expect instead?

This may sound ridiculous but I don't want regular users to be able to watch over another user's consoles. Especially root console. You know, anyone on the computer can just launch a script that will grab the root console output continuously revealing everything the root was doing.

*** End of the template - remove these template lines ***
This may be hardware-specific, so in this case - I'm using AMD graphics card with "radeon" driver.


-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.16.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Hi,

On Mon, Mar 14, 2016 at 02:08:06AM +0500, nomatter wrote:
> Package: security-tracker
> Severity: normal
> 
> Dear Maintainer,
> 
> *** Reporter, please consider answering these questions, where appropriate ***
> 
>    * What led up to the situation?
>    * What exactly did you do (or not do) that was effective (or
>      ineffective)?
>    * What was the outcome of this action?
> 
> 1. Open root console
> 2. apt-get any framebuffer grabbing utility (e.g. fbgrab)
> 3. switch to a graphical interface of any other user
> 4. run "fbgrab /path/whatever.png"
> 5. Now you've got a root console output, with possibly its secret information
> 
>    * What outcome did you expect instead?
> 
> This may sound ridiculous but I don't want regular users to be able
> to watch over another user's consoles. Especially root console. You
> know, anyone on the computer can just launch a script that will grab
> the root console output continuously revealing everything the root
> was doing.
> 
> *** End of the template - remove these template lines ***
> This may be hardware-specific, so in this case - I'm using AMD
> graphics card with "radeon" driver.

This is not a bug in the security-tracker.

Regards,
Salvatore

--- End Message ---
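
A defensive check for the exposure described in the report above, added here as an example and not part of the original thread or of any Debian package: it reports which accounts can read the framebuffer device nodes through ordinary permission bits. It assumes the grabber reads `/dev/fb*` (fbgrab's default device is `/dev/fb0`) and GNU `stat`; the function names `classify_fb_node` and `audit_fb` are hypothetical.

```shell
#!/bin/sh
# Added example: audit who can read the Linux framebuffer device nodes.
# Assumption: the grabbing tool reads /dev/fb* (fbgrab defaults to /dev/fb0).
# Only classic mode bits are inspected; POSIX ACLs on the node are not.

# classify_fb_node MODE GROUP
# MODE is the octal mode as printed by `stat -c %a` (for example 660).
classify_fb_node() {
    m=$1 g=$2
    rest=${m%?}
    other=${m#"$rest"}            # last octal digit: permissions for "other"
    grp=${rest#"${rest%?}"}       # second-to-last digit: group permissions
    case $other in
        [4567]) echo "world-readable"; return 0 ;;
    esac
    case $grp in
        [4567]) echo "group-readable:$g"; return 0 ;;
    esac
    echo "owner-only"
}

# audit_fb [PREFIX]: report each node matching PREFIX* and who can read it.
audit_fb() {
    prefix=${1:-/dev/fb}
    for node in "$prefix"*; do
        [ -e "$node" ] || continue
        n_mode=$(stat -c %a "$node") || continue
        n_group=$(stat -c %G "$node") || continue
        verdict=$(classify_fb_node "$n_mode" "$n_group")
        printf '%s mode=%s group=%s -> %s\n' "$node" "$n_mode" "$n_group" "$verdict"
        case $verdict in
            group-readable:*)
                # Accounts listed in the group inherit read access to the screen contents.
                members=$(getent group "$n_group" 2>/dev/null | cut -d: -f4) || true
                printf '  members of %s: %s\n' "$n_group" "${members:-<none listed>}" ;;
        esac
    done
}

audit_fb
```

Any account the report lists as able to read a node can capture whatever is currently displayed, including another user's text console, so membership of the owning group is the thing to review.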
