[patch] make vncpasswd create ~/.vnc if it doesn't exist

SI Reasoning sczjd "at" yahoo.com
Tue, 04 Sep 2001 17:17:28 +0000


--- Tim Waugh <twaugh "at" redhat.com> wrote:
> On Tue, Sep 04, 2001 at 12:31:13PM +1000, Andrew van der Stock wrote:
>
> > The mode of the .vnc directory should be 700, not 755. There is no reason to
> > create this directory as 755, as this allows any user to discover the user's
> > VNC password.
>
> Although the 'allows any user to discover the user's VNC password' bit
> is incorrect (see above), I agree that this directory ought to be more
> secure.  That requires a change to the vncserver script as well.
> 
The biggest problem I see is that the password script
can be easily deleted, then recreated... this would
allow an attacker to get access to the gui desktop for
a while (although it would be obvious someone has been
in the system). They could thereby compromise the
network or if the user that was cracked had enough
authority, they could create their own account and
replace the old password. This is way too easy!


=====
SI Reasoning
sczjd "at" yahoo.com
gnupg/pgp key id 035213BC

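One way to create the directory as 700 and audit an existing one for the 755 case discussed in this thread, as an added example that is not part of the original messages or of the VNC distribution. The function names are hypothetical, and the password file name `passwd` and its expected mode 600 are assumptions of this example.

```shell
# Added example (not from the thread or the VNC sources).
# The directory is passed as an argument; the file name "passwd" inside it
# and its expected mode 600 are assumptions of this example.

# Octal permission bits of a path: GNU stat first, BSD stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True when any group/other permission bit is set on the path.
loose() {
    [ $(( 0$(mode_of "$1") & 077 )) -ne 0 ]
}

# Create the directory as 700 whatever the caller's umask is.
ensure_vnc_dir() {
    [ -d "$1" ] || (umask 077 && mkdir "$1")
}

# Print one finding per line; return 0 only when nothing was found.
audit_vnc_dir() {
    dir=$1 bad=0
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "$dir: not a real directory"; return 1
    fi
    [ -O "$dir" ] || { echo "$dir: not owned by current user"; bad=1; }
    if loose "$dir"; then
        echo "$dir: mode $(mode_of "$dir"), expected 700"; bad=1
    fi
    if [ -e "$dir/passwd" ] && loose "$dir/passwd"; then
        echo "$dir/passwd: mode $(mode_of "$dir/passwd"), expected 600"; bad=1
    fi
    return "$bad"
}
```

Call `ensure_vnc_dir "$HOME/.vnc"` before writing the password file, and `audit_vnc_dir "$HOME/.vnc"` to check an existing setup.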