# Disturbing security bug in XScreenSaver or careless system administration?



## jrm@ (Jul 10, 2011)

I'm logged in as user *B* and run `% xscreensaver&xscreensaver-command -lock` (from a fluxbox key-combination).  When I hit a key or move the mouse, as expected, XScreenSaver's unlock dialog comes up with *B*'s username displayed.  I've noticed that if I enter either *B* or a specific user *A*'s password it will unlock the screen.

This is XScreenSaver 5.14 from ports with no options selected.

I created user *B* quite a while ago so I can't remember exactly what I did, but I suspect I used some of user *A*'s configuration files as templates.  However, I'm unable to mimic this problem with any other type of authentication.

Any ideas?


----------



## jrm@ (Jul 10, 2011)

It turns out user *A*'s password was the same as root's password.  So to unlock the screen, you can enter the user's password or root's password.


----------



## graudeejs (Jul 10, 2011)

Yes, root can unlock the screensaver.
If you don't want that, you could use x11/xlockmore; with it you can disable such behavior.


----------
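The rule the thread arrives at is: the locked user's own password unlocks the screen, and so does root's, which is why user *A*'s password appeared to work once it turned out to be identical to root's. The following Python model is an added example, not code from XScreenSaver, xlockmore or any poster; it uses PBKDF2 as a stand-in for the system's crypt(3)/PAM check, a constructed in-memory password database, and a hypothetical `allow_root` switch that plays the role of xlockmore's option for disabling root unlock. It also includes the audit jrm@ effectively performed by hand: given a known password, list every account it opens.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Iteration count kept low so the example runs quickly; a real deployment
# would use the system's password hashing, not this stand-in.
PBKDF2_ROUNDS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Stand-in for crypt(3): salted PBKDF2-HMAC-SHA256 (assumption, not xscreensaver's code)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_store(plaintexts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a constructed password database: user -> (salt, digest)."""
    store = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(pw, salt))
    return store


def password_matches(typed: str, entry: Tuple[bytes, bytes]) -> bool:
    """Constant-time comparison of the typed password against one stored entry."""
    salt, digest = entry
    return hmac.compare_digest(hash_password(typed, salt), digest)


def unlock_allowed(typed: str, user: str,
                   store: Dict[str, Tuple[bytes, bytes]],
                   allow_root: bool = True) -> Optional[str]:
    """Return the account whose password matched, or None if the screen stays locked.

    The locked user's own password always works. When allow_root is True, root's
    password also works (the behaviour described in the thread); an empty root
    password is never accepted as a fallback.
    """
    if user in store and password_matches(typed, store[user]):
        return user
    if allow_root and typed and "root" in store and password_matches(typed, store["root"]):
        return "root"
    return None


def accounts_sharing_password(plaintext: str,
                              store: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Audit helper: every account that the given plaintext would log in as."""
    return sorted(user for user, entry in store.items() if password_matches(plaintext, entry))


# Constructed sample database mirroring the thread: A and root share a password,
# B has its own. These plaintexts are invented for the example.
STORE = make_store({"root": "hunter2", "A": "hunter2", "B": "correct horse"})


def demo() -> Dict[str, Optional[str]]:
    """Exercise the unlock rule for a screen locked by user B."""
    return {
        "own_password": unlock_allowed("correct horse", "B", STORE),
        "a_or_root_password": unlock_allowed("hunter2", "B", STORE),
        "root_unlock_disabled": unlock_allowed("hunter2", "B", STORE, allow_root=False),
        "wrong_password": unlock_allowed("wrong", "B", STORE),
    }


if __name__ == "__main__":
    for case, who in demo().items():
        print(f"{case}: {'locked' if who is None else 'unlocked as ' + who}")
    print("accounts opened by 'hunter2':", accounts_sharing_password("hunter2", STORE))
```

With `allow_root=True`, typing root's password while *B*'s screen is locked unlocks it as `root`; with the switch off, only *B*'s own password works. The audit function shows why the symptom looked like a bug: the shared plaintext opens both `A` and `root`, so "A's password" and "root's password" were the same thing.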

