COMMAND

    Screen output snooping

SYSTEMS AFFECTED

    Irix O2

PROBLEM

    In SGI Security Advisory 20020103-01-I, SGI reports a security problem
    specific to video I/O on SGI O2 systems. When the vcp Default Input is set
    to "Output Video", a remote user can log in to the system, launch videoout
    and then videoin, and see what is happening on the screen of the remote
    system (reading mail, etc.). This works regardless of the xhosts or xauth
    settings on the remote system, because the video path goes through the
    /dev/mvp device rather than through the X server's access controls.

SOLUTION

    You can work around the problem by adding the following to
    /var/X11/xdm/Xstartup:

        #
        # Set the permissions of /dev/mvp so only the console user has access
        # ($USER is set by xdm to the name of the user who just logged in)
        #
        if [ -r /dev/mvp ]; then
            chown "$USER" /dev/mvp
            chmod 600 /dev/mvp
        fi

    Add the following to /var/X11/xdm/Xreset:

        #
        # Reset the permissions on /dev/mvp when the session ends
        #
        if [ -r /dev/mvp ]; then
            chown root /dev/mvp
            chmod 666 /dev/mvp
        fi

    These modifications change the ownership of the mvp device when a user
    logs in and back out. While the device is owned by the console user with
    600 permissions, no other user can open it, so vcp, videoin and videoout
    fail for anyone but the console user (and root). Thus nobody else can see
    what's on the console of the system.

    Note that the workaround only takes effect for sessions started through
    xdm: until the first such login, and again after Xreset runs, the device
    is back to mode 666 and readable by any local account.

    Patches are available from:

        http://support.sgi.com/irix/
        ftp://patches.sgi.com/
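The Xstartup/Xreset logic above, as an added example that is not part of the SGI advisory: the lock and unlock steps are factored into shell functions that take the device path and user name as arguments, plus an audit check that reports whether a device is currently restricted to the console user. Running it against a scratch file instead of /dev/mvp lets you verify the mode handling without root; the chown step is only attempted when running as root, since it would fail otherwise. The function names and the argument convention are this example's own, and a POSIX sh with ls, awk, cut, chmod and chown is assumed.

```shell
#!/bin/sh
# Added example, not code from the SGI advisory. Generalises the Xstartup and
# Xreset snippets into functions that take the device and user as arguments.
# Assumes a POSIX sh plus ls, awk, cut, id, chmod and chown.

# Equivalent of the Xstartup snippet: give the named user exclusive access.
# chown is only attempted as root; chmod 600 is applied regardless, so a
# non-root run still restricts the file to its current owner.
restrict_device() {
    dev=$1; user=$2
    [ -r "$dev" ] || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user" "$dev" || return 1
    fi
    chmod 600 "$dev"
}

# Equivalent of the Xreset snippet: hand the device back to root, mode 666.
release_device() {
    dev=$1
    [ -r "$dev" ] || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown root "$dev" || return 1
    fi
    chmod 666 "$dev"
}

# Permission bits of a path as printed by ls, e.g. "rw-------".
# Columns 2-10 are used so that the leading type character (c for a
# character device, - for a regular file) and any trailing ACL marker
# are both ignored.
device_mode() {
    ls -ld "$1" | cut -c2-10
}

# Owner of a path as printed by ls.
device_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# Audit check: succeed only when the device is readable and writable by its
# owner alone and that owner is the given console user.
device_locked_to() {
    dev=$1; user=$2
    [ "$(device_mode "$dev")" = "rw-------" ] &&
        [ "$(device_owner "$dev")" = "$user" ]
}

# Command-line use:  script.sh lock|unlock|check DEVICE [USER]
# With no arguments the script only defines the functions above.
if [ $# -gt 0 ]; then
    case $1 in
        lock)   restrict_device "$2" "${3:-$USER}" ;;
        unlock) release_device "$2" ;;
        check)  if device_locked_to "$2" "${3:-$USER}"; then
                    echo "$2 is locked to ${3:-$USER}"
                else
                    echo "$2 is NOT locked to ${3:-$USER}"
                    exit 1
                fi ;;
        *)      echo "usage: $0 lock|unlock|check DEVICE [USER]" >&2; exit 2 ;;
    esac
fi
```

To audit a live O2, run `check /dev/mvp` as the logged-in console user; a failing check while a session is active means Xstartup did not run (for example because the session was started outside xdm).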