Hi,

I came across a nice xlock bug when I noticed I couldn't log in again as user after I "locked" my windowmaker screen. Xlock (afaik) is suid by default to read passwords from /etc/shadow. I removed most suidbits on my Slackware 7.1 box. Also the suidbit on my xlock has been removed.

Problem:
Any user with physical access can get into the window manager screen by simply pressing ENTER when xlock is not setuid root. With a default Slackware install and also with a default xlockmore install there is no file named .xlockrc created. After executing xlock and pressing ENTER an empty DES string is placed in .xlockrc and can therefore be used as 'valid' login. This works for all userlogins except root because root can be checked with /etc/shadow. This also doesn't work when there is a correct (according to /etc/shadow) DES string in $HOME/.xlockrc (this is explained somewhere in the README file).

Fix:
Set suidbit on xlock ?!?!?! Or give all users who need physical window manager access a correct .xlockrc file.

grtz,
Marco van Berkum
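
An added example, not part of the original message: a POSIX shell audit for the condition the post describes, listing accounts whose .xlockrc is missing, empty or malformed while xlock is not setuid. It assumes home directories sit under one parent directory and that a correct .xlockrc holds a 13-character traditional DES crypt(3) string; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit for a non-setuid xlock combined with a missing or
# unusable $HOME/.xlockrc. Assumptions (not from the post): a correct
# .xlockrc is one 13-character DES crypt(3) string, homes share one parent.

# classify_xlockrc FILE -> prints: missing | empty | malformed | des-crypt
classify_xlockrc() {
    f=$1
    [ -e "$f" ] || { echo missing; return; }
    # Take the first line and drop whitespace before judging it.
    line=$(head -n 1 "$f" | tr -d ' \t\r\n')
    [ -n "$line" ] || { echo empty; return; }
    if printf '%s\n' "$line" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
        echo des-crypt
    else
        echo malformed
    fi
}

# xlock_is_setuid PATH -> exit status 0 when the setuid bit is set
xlock_is_setuid() { [ -u "$1" ]; }

# audit_xlock XLOCK_BIN HOME_PARENT
# Prints "user state" for every home that needs attention. Prints nothing
# when xlock is setuid, which is the first fix named in the post.
audit_xlock() {
    bin=$1; root=$2
    if xlock_is_setuid "$bin"; then
        return 0
    fi
    for home in "$root"/*/; do
        [ -d "$home" ] || continue
        user=$(basename "$home")
        state=$(classify_xlockrc "$home/.xlockrc")
        case $state in
            # Well-formed entry. This check cannot tell whether the hash
            # was made from an empty password; compare it with the
            # account's /etc/shadow entry as root to be sure.
            des-crypt) ;;
            *) echo "$user $state" ;;
        esac
    done
}

# Typical call (paths are examples): audit_xlock /usr/X11R6/bin/xlock /home
```

Any account reported here should get a correct .xlockrc, or xlock should be made setuid again, as the post suggests.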