On Thu, Dec 21, 2006 at 07:37:27PM +0100, [EMAIL PROTECTED] wrote:
> Steve Langasek wrote:
> >If the user's account is local, nss should be resolving it before ever
> >touching LDAP. If it's remote, provisions should be in place to ensure the
> >LDAP server's availability. Either way, I only see this security bug
> >happening on a misconfigured system.

> Why should there be provisions in place to ensure the LDAP server's
> availability?

Because if you're using nss_ldap, a lot more goes wrong than your X session
remaining unlocked when the LDAP server disappears; local mail delivery (if
any), cronjobs, and many other processes will fail, and things as simple as a
directory listing will hang for long periods of time while trying to reach the
LDAP server.

> For one thing, the LDAP server can come back any time if
> it is just a network timeout. The other point to consider is security:
> If the user wants to have his data protected, he does mean it. From a
> design perspective it is not a good idea to say, "I will protect your
> data whenever I feel like it, i.e. I have no objections".

Sorry, but by your own admission you're expecting xscreensaver to lock your
session *after a timeout*. If you wanted your session to be secured, you would
lock it when you knew you were going to be leaving it unattended, in which case
you would notice it had failed to lock. Otherwise, you've already given any
attacker a window of opportunity while your machine has been left unattended --
the fact that the window is potentially larger due to this bug is not
release-critical.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
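The misconfiguration Steve refers to is an nsswitch.conf that consults LDAP before the local files, so even local accounts depend on the LDAP server being reachable. The following check is an added example, not code from the thread or from Debian: it parses an nsswitch.conf-style file (the sample content is constructed here) and reports, for each account database, whether "files" is listed ahead of "ldap".

```shell
#!/bin/sh
# Added example: verify that local files are consulted before LDAP in
# nsswitch.conf for the account databases, so local users resolve without
# ever touching the LDAP server.

# nss_order_ok FILE DB
# Prints "ok" when DB's line in FILE has no "ldap" source or lists "files"
# before "ldap", "bad" when ldap comes first (or files is absent), and
# "missing" when FILE has no line for DB. Exit status mirrors the verdict.
nss_order_ok() {
    file=$1
    db=$2
    line=$(grep -E "^[[:space:]]*${db}:" "$file" | head -n 1)
    if [ -z "$line" ]; then
        echo missing
        return 1
    fi
    # Strip the "db:" prefix and any trailing comment, leaving the sources.
    sources=$(printf '%s\n' "$line" | sed -e "s/^[[:space:]]*${db}:[[:space:]]*//" -e 's/#.*//')
    pos=0; files_pos=""; ldap_pos=""
    for src in $sources; do
        pos=$((pos + 1))
        case $src in
            files) if [ -z "$files_pos" ]; then files_pos=$pos; fi ;;
            ldap)  if [ -z "$ldap_pos" ];  then ldap_pos=$pos;  fi ;;
        esac
    done
    if [ -z "$ldap_pos" ]; then
        echo ok; return 0
    fi
    if [ -n "$files_pos" ] && [ "$files_pos" -lt "$ldap_pos" ]; then
        echo ok; return 0
    fi
    echo bad; return 1
}

# Constructed sample (not a real system file): passwd is misordered, the
# others are fine. Replace the path with /etc/nsswitch.conf on a real host.
sample=$(mktemp)
printf 'passwd: ldap files\nshadow: files ldap\ngroup:  files\n' > "$sample"
for db in passwd shadow group; do
    printf '%-7s %s\n' "$db" "$(nss_order_ok "$sample" "$db")"
done
rm -f "$sample"
```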