Slashdot Mirror

← Back to Stories (view on slashdot.org)

Why Screen Lockers On X11 Cannot Be Secure

Posted by Soulskill on from the targeted-for-improvement dept.

jones_supa writes: One thing we all remember from Windows NT is the security feature requiring the user to press CTRL-ALT-DEL to unlock the workstation (this can still be enabled with a policy setting). The motivation was to make it impossible for other programs to mimic a lock screen, as they couldn't react to the special key combination. Martin Gräßlin from the KDE team takes a look at the lock screen security on X11. On a protocol level, X11 doesn't know anything of screen lockers. Also the X server doesn't know that the screen is locked as it doesn't understand the concept. This means the screen locker can only use the core functionality available to emulate screen locking. That in turn also means that any other client can do the same and prevent the screen locker from working (for example opening a context menu on any window prevents the screen locker from activating). That's quite a bummer: any process connected to the X server can block the screen locker, and even more it could fake your screen locker.

9 of 375 comments (clear)

  1. Umm..and telnet is insecure. by heavy_metal_drinker · · Score: 5, Insightful

    Flashback from the 90's: Telnet and X11 are inherently insecure - where's the news in that?

  2. So to cicumvent the screen locker... by Viol8 · · Score: 5, Insightful

    ... there has to be a trojan on the system or at least something connected to the X server over the network.

    Hmm. I think by this time your security is already out the window and a borked lock program is the least of your worries.

    1. Re:So to cicumvent the screen locker... by Qzukk · · Score: 3, Insightful

      This has been solved by everyone not following tutorials from the 80s asking them to use xhost + to allow everyone everywhere to connect to your display.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
  3. Uh, okay? by TWX · · Score: 2, Insightful

    I certainly get the technical explanation. Given that I don't think Deskop Linux will EVER be mainstream, this seems like something we've lived with for an incredibly long time, and doesn't affect very many people or systems.

    If someone wants to fix it, cool, but it's not really going to bother me very much if this behavior continues.

    --
    Do not look into laser with remaining eye.
  4. not the point by lister+king+of+smeg · · Score: 3, Insightful

    Isn't the point of a screen locker to keep a person from accessing my computer while I step away for a moment (to go to the bathroom or refill my coffee mug.) not to prevent programs from accessing things?

    --
    ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    1. Re:not the point by jakimfett · · Score: 3, Insightful

      So...what you're saying is "people who aren't security conscious continue to be vulnerable to attacks that exploit their sloppiness and/or lack of attention"?

      Shocker.

      --
      Bits of code, random ramblings: jakimfett.com
  5. physical access by silfen · · Score: 1, Insightful

    Screen lockers protect against physical access; you're welcome to try and get around an X11 lock screen by tapping at the keyboard. Good luck.

    Comparing this to Windows is silly, because Windows doesn't have anything like the X11 protocol. On Windows, running code can disable the screen saver in other ways: patching or replacing DLLs, changing system configuration, etc. No difference from a security point of view.

  6. Linux rules the desktop, which is in your pocket by raymorris · · Score: 3, Insightful

    The year of the Linux desktop was several years ago. Most new computing devices run Linux, and fit in your pocket.

  7. Re:If it's accessing your X server, it's elevated by disambiguated · · Score: 3, Insightful

    The basic misunderstanding here is the idea that the screen lock in old X was designed for security, and usable as such; it was just a screensaver with a password

    What use is a screensaver with a password that isn't designed for security? Why is the password even there? So it looks secure? Lets just admit it was poorly designed from a security standpoint. That's fine, most stuff designed at that time was not secure. MS-DOS had no security at all. Pointing out that NT occasionally has some good ideas is not an indictment against Unix.