29th Jan 2002 [SBWID-5041]

	Screen output snooping


	Irix O2


	In SGI Security Advisory 20020103-01-I

	SGI has been informed of a security problem specific to video i/o on
	SGI O2 systems. When the vcp Default Input is set to "Output Video",
	a remote user can log into the system, launch videoout and then videoin
	and can then see what is happening on the screen of the remote system
	(reading mail, etc...). This can be done regardless of xhosts or xauth
	settings on the remote system.


	You can work around the problem by adding the following to

	  # Set the permissions of /dev/mvp so only the console user has access
	  if [ -r /dev/mvp ]; then
	    chown $USER /dev/mvp
	    chmod 600 /dev/mvp
	  fi


	Add the following to /var/X11/xdm/Xreset:

	  # Reset the permissions on /dev/mvp
	  if [ -r /dev/mvp ]; then
	    chown root /dev/mvp
	    chmod 666 /dev/mvp
	  fi

	These modifications change the ownership of the mvp device when a user
	logs in and back out. When the device is owned by the user with 600
	permissions, nobody else is able to execute vcp, videoin, or videoout.
	Thus nobody can see what's on the console of the system.
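	The following audit script is an added example, not part of the SGI advisory: it checks whether /dev/mvp is actually in the state the Xstartup/Xreset snippets above should leave it in (owned by the console user with mode 600 while a session is active), or whether group/other bits still let another login reach the device. Device path and console user are arguments; the demonstration at the bottom uses a constructed temporary file as a stand-in for /dev/mvp so it runs without root or O2 hardware.

```shell
#!/bin/sh
# Added example, not from the SGI advisory. Owner and mode are read with
# ls -ld rather than stat(1) so the script also runs on an old IRIX /bin/sh.

dev_owner() { ls -ld "$1" | awk '{ print $3 }'; }
dev_mode()  { ls -ld "$1" | cut -c2-10; }   # rwxrwxrwx, type char dropped

# Succeeds when the device is in the state Xstartup should leave it in:
# owned by the console user, mode 600.
mvp_locked_to() {
  [ "$(dev_owner "$1")" = "$2" ] && [ "$(dev_mode "$1")" = "rw-------" ]
}

# Succeeds when the group or "other" class still holds any read/write bit,
# i.e. another login could run vcp/videoin/videoout against the console.
mvp_exposed() {
  mode=$(dev_mode "$1")
  grp=$(printf '%s\n' "$mode" | cut -c4-5)
  oth=$(printf '%s\n' "$mode" | cut -c7-8)
  [ "$grp" != "--" ] || [ "$oth" != "--" ]
}

# One-line verdict: 0 = locked to the console user, 1 = exposed,
# 2 = not held by that user but not reachable by others either.
audit_mvp() {
  if mvp_locked_to "$1" "$2"; then echo "$1: locked to $2"; return 0; fi
  if mvp_exposed "$1"; then echo "$1: EXPOSED ($(dev_mode "$1"))"; return 1; fi
  echo "$1: not held by $2, but not reachable by others"; return 2
}

# Stand-alone demonstration on a constructed stand-in for /dev/mvp.
# On an O2 with a session active you would run: audit_mvp /dev/mvp "$USER"
demo_mvp_audit() {
  stub=$(mktemp) || return 1
  owner=$(dev_owner "$stub")
  chmod 600 "$stub"; audit_mvp "$stub" "$owner" || true   # after Xstartup
  chmod 666 "$stub"; audit_mvp "$stub" "$owner" || true   # after Xreset
  rm -f "$stub"
}
demo_mvp_audit
```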

	Patches are available from:

	http://support.sgi.com/irix/ and ftp://patches.sgi.com/


