Slashdot Mirror


Why Screen Lockers On X11 Cannot Be Secure

jones_supa writes: One thing we all remember from Windows NT is the security feature requiring the user to press CTRL-ALT-DEL to unlock the workstation (this can still be enabled with a policy setting). The motivation was to make it impossible for other programs to mimic a lock screen, as they couldn't react to the special key combination. Martin Gräßlin from the KDE team takes a look at the lock screen security on X11. On a protocol level, X11 doesn't know anything of screen lockers. Also the X server doesn't know that the screen is locked as it doesn't understand the concept. This means the screen locker can only use the core functionality available to emulate screen locking. That in turn also means that any other client can do the same and prevent the screen locker from working (for example opening a context menu on any window prevents the screen locker from activating). That's quite a bummer: any process connected to the X server can block the screen locker, and even more it could fake your screen locker.

4 of 375 comments

  1. Re:Uh, okay? by Enry · Score: 5, Funny

    What? I was assured that THIS was the year of the Linux Desktop!

  2. Already solved! by Qzukk · Score: 5, Funny

    systemd-screenlockerd saves the day!

    Of course, it requires systemd-moused, systemd-keyboardd, systemd-windowd, systemd-X11d, and finally systemd-logind. Right now there's some compatibility issues that have been in the bug tracker for a year or so, so for best results you should also ditch KDE or gnome and go with systemd-windowd-managerd and systemd-menud. There's a few incompatible apps as well, if you have problems try using systemd-webbrowserd (requires systemd-networkd) and systemd-xtermd (requires systemd-fontd and systemd-shelld). Thunar works fine though for browsing files, as long as they're in the systemd folder.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.

  3. Re:So to circumvent the screen locker... by ilsaloving · Score: 4, Funny

    Reminds me of my university days...

    When someone walked away for an extended period without locking their terminal, one of us would sneak over and do a quick 'xhost +' and then wait for them to come back.

    Once they sit down and start working again, we would run 2 dozen copies of neko on their terminal, resulting in a mass of little animated kittens chasing their mouse cursor.

    Ah, the lost days of innocent fun.

  4. Re:So to circumvent the screen locker... by nedlohs · Score: 3, Funny

    We always just added

    echo "sleep 1" >>$HOME/.bash_profile

    to their .bash_profile (or the equivalent if they were using something other than bash).

    And might have sometimes done:

    cp /bin/sh /somewhere/world/write/readable/sh-[username]
    chmod 4755 /somewhere/world/write/readable/sh-[username]