LinuxSA Mailing list archives
From: Alan Kennington <akenning@topology.org>
To : LinuxSA <linuxsa@linuxsa.org.au>
Date: Wed, 25 Jul 2001 07:52:56 +0930
Re: linux X windows screen lock useless?
On Tue, Jul 24, 2001 at 10:23:56PM +0930, Daryl Tester wrote:
> Alan Kennington wrote:
>
> > Does this mean that the linux X window system screenlock is
> > completely useless?
>
> You said it yourself - the X screenlock locks the X screen, yet
> you've managed to completely misinterpret that as a console lock.
> Ctrl-Alt-F1 doesn't bring up an X screen (although it could - I've
> run separate X servers on tty7 and tty8 before), it's a virtual
> console. If you didn't mean to run those gettys on the console,
> then you'd best remove them from inittab. And while you're at it,
> cut the wires to your reset switch and fill up the floppy disk
> drive with epoxy. It could still be possible to physically
> circumvent this, though.
>
Daryl,
That's not quite right.
I should have defined "useless" in my context.
My objective is just to deny any person passing by
direct access to:
1. several other machines that I'm logged in to
from the locked machine
2. several other machines that I _could_ log in to
from the locked machine by using ssh without
a password
3. the account that the locked machine is currently
running X window system from
Your comments are quite relevant to the third resource.
I.e. without putting the entire disk drives into a
high-security safe, a passer-by could get access to the
disk etc. etc., as discussed several times in the past
in linuxSA. But I just didn't want someone to be able
to get _easy_ access in an _undetectable_ manner to
my workstation account itself.
The more serious problem is the second item.
By hitting control-Z on the console-1 process, the user is
able to do two things:
- get easy access to all of my account files
without being detected (that's item 3), and
- use my ssh-agent-cached password to access
all of my other machines on the net.
(This is item 2.) This could be fairly difficult
to detect, if done carefully, but it would
certainly be disastrous.
So... no, I haven't interpreted the X screen lock as a
console lock, but I am observing that the X screen lock does
not achieve anything like what any new user would
expect the X screen lock to do.
Throughout history (the last 30 years or so anyway), when
people have used a screen lock, they have expected that
they can safely walk away from the computer (or VT-100
terminal etc.) and come back to an uncompromised machine.
That's all that I was hoping for.
In fact, the X screen lock does not do this.
On an MS-windows machine, I believe there is no
ctrl-alt-F1-like capability. Nor on a pure X-station
of the sort that was used around 1990-95.
Nor on the VT-100 family of monitors.
The "vlock" manual on my SuSE machine says:
----------------------------------------------------
vlock works for console sessions primarily. However,
there is support for trying to lock non-console sessions
as well, but that support has not been well tested.
----------------------------------------------------
Well, I'll give that a go, thanks, Tim.
(I'll try it out on a machine that doesn't matter - not
on the workstations I'm sitting in front of right now.)
I'm looking for a method to lock both the X session and
the console session - preferably in one command.
From the looks of things, I'll have to:
- first lock the X session
- then hit ctrl-alt-F1 and control-Z (and bg?), and
- then run vlock.
This is one of the things that MS-windows does better!
And one last comment...
I'm not worried about consoles ctrl-alt-Fn for n > 1.
The level of safety I'm after is obtained by
just leaving the login prompt for console 1 on the
monitor - which I turn off so as to hopefully capture
some DNA on the monitor button if anyone turns it on again.
I think most people would have to form a much more
criminal intent to rip out my disk drive or the whole PC
than to just browse my computer accounts.
That's my theory anyway.
Cheers,
Alan Kennington.
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
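The three-step procedure the post arrives at (lock X, switch to a console, run vlock), rolled into one command, as an added example for this thread rather than code from the original post. It also drops the ssh-agent identities first, which addresses item 2 in the post: a shell regained with Ctrl-Z on tty1 is then unable to reuse a cached key. Assumed, not taken from the post: that vlock accepts `-a` (lock all consoles and disable VT switching) and that invoking it from inside an X terminal works on the installed version, which is exactly the "non-console session" case the quoted manual calls untested; the X locker names and the `DRY_RUN=1` switch, which only prints the commands, are likewise the example's own.

```shell
#!/bin/sh
# lock-all.sh: lock the X display and every virtual console with one command,
# after dropping ssh-agent identities. Added example for this thread, not
# code from the original post. Assumes vlock and xlock (or xscreensaver) are
# installed; set DRY_RUN=1 to only print the commands that would run.

# Print the command, and run it only when DRY_RUN is not 1.
run_or_show() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 0: forget cached ssh keys. A shell regained on tty1 with Ctrl-Z could
# otherwise use the agent's identities to reach every host it holds keys for.
flush_ssh_agent() {
    if [ -n "${SSH_AUTH_SOCK:-}" ]; then
        run_or_show ssh-add -D
    fi
}

# Step 1: lock the X display with whichever locker is present.
# xscreensaver-command returns at once; xlock blocks, so it is backgrounded.
lock_x_display() {
    [ -n "${DISPLAY:-}" ] || return 0
    if command -v xscreensaver-command >/dev/null 2>&1; then
        run_or_show xscreensaver-command -lock
    elif command -v xlock >/dev/null 2>&1; then
        if [ "${DRY_RUN:-0}" = "1" ]; then
            printf '%s\n' "xlock -mode blank &"
        else
            xlock -mode blank &
        fi
    else
        echo "lock-all: no X locker found; only consoles will be locked" >&2
    fi
}

# Step 2: lock all virtual consoles (and disable VT switching) until the
# account password is typed. This call blocks, so it runs last.
lock_consoles() {
    run_or_show vlock -a
}

# The whole sequence: keys first, then the display, then the consoles.
lock_all() {
    flush_ssh_agent
    lock_x_display
    lock_consoles
}

# Run when executed directly; sourcing the file only defines the functions.
case "$0" in
    *lock-all.sh) lock_all ;;
esac
```

Try it first with `DRY_RUN=1 ./lock-all.sh` to see the three commands it would issue on your machine; the ordering matters, because `vlock -a` blocks until the password is entered, so anything placed after it would not run until the session is unlocked.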