Fl_TeacherTool security alert notice
Robert Arkiletian
robark at gmail.com
Mon Oct 27 22:16:33 GMT 2008
Security Notice:

I would like to notify everybody about a security issue that is
created in the Fl_TeacherTool installation procedure.

A security vulnerability exists if you enabled Monitor/Control by
following the instructions here:
http://www3.telus.net/public/robark/Fl_TeacherTool/installationk12ltsp.html#monitor
(instructions pasted below)
-----snip------
Edit the file /opt/ltsp/i386/etc/lts.conf and uncomment (i.e. remove the "#"):
X4_MODULE_02 = vnc
Become root:
su -
Make a password for the vnc-session:
/usr/bin/vncpasswd
Copy the password file into the ltsp-tree:
cp -a /root/.vnc /opt/ltsp/i386/root/
Log out of root session:
exit
Reboot your clients!
-----snip-------
Or (if you are running x11vnc on the client)

If you start x11vnc in /opt/ltsp/i386/etc/rc.local
with a line like

x11vnc -display :6 -rfbauth /root/.vnc/passwd -forever -shared -loop &

Please be aware that anyone with some Linux knowledge could
potentially take control of, or monitor, a client computer.

If you do not feel comfortable with this situation, especially if the
teacher workstation is a client machine, then follow the simple
workaround patch below.

******Work Around / Patch:******

Notice: this will disable monitor/control and snapshots in Fl_TeacherTool.

Edit the file /opt/ltsp/i386/etc/lts.conf and *COMMENT* the vnc module line
(i.e. INSERT a "#" at the beginning of the line):
# X4_MODULE_02 = vnc

OR (depending on how you enabled the vnc server on the client)

Delete the x11vnc line in /opt/ltsp/i386/etc/rc.local

Reboot the client machines.

For good measure, delete your old vnc password files:
rm /opt/ltsp/i386/root/.vnc/passwd
rm /root/.vnc/passwd

--
Robert Arkiletian
Eric Hamber Secondary, Vancouver, Canada
Fl_TeacherTool http://www3.telus.net/public/robark/Fl_TeacherTool/
C++ GUI tutorial http://www3.telus.net/public/robark/
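
Added example (not part of the original notice and not Fl_TeacherTool code): a shell check that reports whether the workaround above has been fully applied to an LTSP client tree. The function names, the matching of any X4_MODULE_nn line rather than only 02, and the constructed sample tree are assumptions of this example.

```shell
#!/bin/sh
# Added example: report whether an LTSP client tree still has the VNC access
# described in the notice. Prints one line per finding; returns 1 if any.
audit_ltsp_vnc() {
    tree=${1:-/opt/ltsp/i386}   # LTSP client root (path from the notice)
    srv_home=${2:-/root}        # root's home on the server
    found=0

    # Uncommented "X4_MODULE_nn = vnc" loads the vnc module on the client.
    # Matching any module number (not just 02) is this example's assumption.
    if grep -Eqs '^[[:space:]]*X4_MODULE_[0-9]+[[:space:]]*=[[:space:]]*vnc' \
        "$tree/etc/lts.conf"; then
        echo "vnc module enabled: $tree/etc/lts.conf"
        found=1
    fi

    # x11vnc appearing before any '#' on a line means rc.local starts it at boot.
    if grep -Eqs '^[^#]*x11vnc' "$tree/etc/rc.local"; then
        echo "x11vnc started: $tree/etc/rc.local"
        found=1
    fi

    # Password files the notice says to delete.
    for pw in "$tree/root/.vnc/passwd" "$srv_home/.vnc/passwd"; do
        if [ -e "$pw" ]; then
            echo "password file present: $pw"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample tree in the state the notice warns about (not real data).
demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc" "$d/root/.vnc"
    printf '[Default]\nX4_MODULE_02 = vnc\n' > "$d/etc/lts.conf"
    printf 'x11vnc -display :6 -rfbauth /root/.vnc/passwd -forever -shared -loop &\n' \
        > "$d/etc/rc.local"
    : > "$d/root/.vnc/passwd"
    echo "$d"
}

sample=$(demo_tree)
audit_ltsp_vnc "$sample" "$sample/srv" || echo "workaround not yet applied"
rm -rf "$sample"
```

Called with no arguments on the LTSP server, audit_ltsp_vnc checks the paths named in the notice.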