Disturbing security bug in XScreenSaver or careless system administration?

jrm@

Developer
I'm logged in as user B and run % xscreensaver&xscreensaver-command -lock (from a fluxbox key-combination). When I hit a key or move the mouse, as expected, XScreenSaver's unlock dialog comes up with B's username displayed. I've noticed that if I enter either B's or a specific user A's password, it will unlock the screen.

This is XScreenSaver 5.14 from ports with no options selected.

I created user B quite a while ago, so I can't remember exactly what I did, but I suspect I used some of user A's configuration files as templates. However, I'm unable to mimic this problem with any other type of authentication.

Any ideas?
 
It turns out user A's password was the same as root's password. So to unlock the screen, you can enter the user's password or root's password.
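An added example (not from the thread, and not XScreenSaver's own code) that models the unlock decision the thread ends up describing: the typed password is accepted if it matches either the locking user's hash or root's hash, which is why A's password (identical to root's) unlocks B's screen. It assumes a FreeBSD master.passwd layout with constructed entries and passwords, uses hashlib.pbkdf2_hmac as a stand-in for crypt(3), and returns which account's credential matched so an administrator can tell the two cases apart; a user-only variant is shown alongside.

```python
# Added example, not from the thread or XScreenSaver's sources.
# pbkdf2_hmac stands in for crypt(3); all entries and passwords are constructed.
import hashlib
import hmac

ITERATIONS = 50_000

def make_hash(password, salt):
    """Stand-in for crypt(3): '$pbkdf2$<salt>$<hex digest>' (salt must not contain '$')."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)
    return f"$pbkdf2${salt}${digest.hex()}"

def verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, _, salt, _ = stored.split("$")
    return hmac.compare_digest(make_hash(password, salt), stored)

def parse_master_passwd(text):
    """FreeBSD master.passwd: name:hash:uid:gid:class:change:expire:gecos:home:shell."""
    entries = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields[1]
    return entries

# Constructed sample matching the thread's finding: A's password equals root's.
MASTER_PASSWD = "\n".join([
    "root:" + make_hash("shared-secret", "r00t") + ":0:0::0:0:Charlie &:/root:/bin/csh",
    "A:" + make_hash("shared-secret", "saltA") + ":1001:1001::0:0:User A:/home/A:/bin/sh",
    "B:" + make_hash("b-own-pw", "saltB") + ":1002:1002::0:0:User B:/home/B:/bin/sh",
])

def unlock_accepting_root(user, typed, db):
    """Behaviour the thread describes: the user's or root's password unlocks.
    Returns the name of the account whose credential matched, or None."""
    entries = parse_master_passwd(db)
    for name in (user, "root"):
        if verify(typed, entries[name]):
            return name
    return None

def unlock_user_only(user, typed, db):
    """Variant that only accepts the invoking user's own password."""
    entries = parse_master_passwd(db)
    return user if verify(typed, entries[user]) else None
```

Logging the returned account name at unlock time is what makes a "root's password unlocked a user's screen" event visible instead of silent.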
 