[SOLVED] Lock screen without display manager, can still change tty

MkFly · 2010-07-19 19:57:50

I'm using Xfce without a display manager. I just login from tty1 and startx.

When I lock the screen with gnome-screensaver -l or xlock, I can still change tty with Ctrl+Alt+(F1-F8), so anybody could just switch to tty1, kill X and have access to my account and machine.

Anybody know how I can work around this without installing a display manager?

Last edited by MkFly (2010-07-21 16:14:20)

oliver · 2010-07-19 20:30:28

I don't know whether this is opening up other issues, but I have the following block in my .bashrc

if [ -z "$DISPLAY" ] && [ $(tty)  == /dev/tty1 ] ; then
        startx & > /dev/null 2>&1 
fi

This still gives me the problem you have where someone could hit ctrl-alt-F1, then ctrl-c out of my startx session and have a shell... but if you added something to the startx line, I think it would do what you want. Something like:

if [ -z "$DISPLAY" ] && [ $(tty)  == /dev/tty1 ] ; then
        startx & > /dev/null 2>&1 && sleep 10 && exit
fi

so after logging into X, it sleeps for 10 seconds and then logs out (on tty1) leaving you logged into X on tty7.

There's probably a more graceful way to do it, but I just tested on my box and it worked as expected

Last edited by oliver (2010-07-20 00:42:01)

ber_t · 2010-07-19 21:27:03

If you want to use X while beeing logged in a console, you might as well try vlock.

Spot · 2010-07-19 22:03:44

Or try "xscreensaver"

MkFly · 2010-07-20 04:18:03

oliver wrote:

so after logging into X, it sleeps for 10 seconds and then logs out (on tty1) leaving you logged into X on tty7.

Hmm. That does work, but sometimes I actually *want* to be logged in to other tty consoles. I guess really what I'm after is a way to disable tty switching when the screen is locked via xlock, gnome-screensaver, xscreensaver, etc.

ber_t wrote:

If you want to use X while beeing logged in a console, you might as well try vlock.

Double hmm. I might be able to make something happen with that, thanks.

Spot wrote:

Or try "xscreensaver"

xscreensaver still lets you switch between virtual consoles when locked, I should have mentioned that one too.

loafer · 2010-07-20 05:50:04

MkFly wrote:

xscreensaver still lets you switch between virtual consoles when locked, I should have mentioned that one too.

According to the FAQs xscreensaver can't prevent this:

http://www.jwz.org/xscreensaver/faq.html

MkFly · 2010-07-20 16:20:13

loafer wrote:

According to the FAQs xscreensaver can't prevent this:

Thanks for that:

http://www.jwz.org/xscreensaver/faq.html#no-ctl-alt-bs
Likewise, it's not possible for xscreensaver to prevent virtual-terminal switching (Ctrl-Alt-F1, etc), so don't leave yourself logged in on a non-X console and expect xscreensaver to be able to protect that console too...

I think vlock will work nicely if I use it to lock non-X consoles and then use gnome-screensaver to lock my X session. We'll see how that goes.

Thanks guys.

Leonid.I · 2010-07-20 17:06:52

MkFly wrote:

xscreensaver still lets you switch between virtual consoles when locked, I should have mentioned that one too.

AFAIR I don't have this problem on my Arch machine, but do have it on Ubuntu. In Ubuntu I have kdm+gnome, so apparently, it's not a DM problem. I can check up on my Arch system, when I get back to it. In the mean time, can you post your .xinitrc?

MkFly · 2010-07-20 17:34:32

Leonid.I wrote:

In the mean time, can you post your .xinitrc?

Oh, mine is pretty simple:

#!/bin/sh
exec ck-launch-session startxfce4

Leonid.I · 2010-07-20 18:51:51

... and you start xscreensaver as an autostart in XFCE, right? Try putting

xscreensaver -no-splash &

before exec in .xinitrc -- see if this helps.

EDIT: Also, try using xfce4-session instead of startxfce4. The latter is just a script, which calls the former, but there may be some tricks with permissions in there...

EDIT2: If you don't have a DM, where do you set up your xhost permissions?

Last edited by Leonid.I (2010-07-20 18:55:26)

MkFly · 2010-07-20 19:20:43

Leonid.I wrote:

... and you start xscreensaver as an autostart in XFCE, right?

Normally, yes.

Leonid.I wrote:

Try putting
xscreensaver -no-splash &
before exec in .xinitrc -- see if this helps.
EDIT: Also, try using xfce4-session instead of startxfce4. The latter is just a script, which calls the former, but there may be some tricks with permissions in there...

Just tried all that, same outcome.

Leonid.I wrote:

EDIT2: If you don't have a DM, where do you set up your xhost permissions?

Honestly, I've never set up such permissions. Reading online, I see it's used to allow or deny connections to the X Server running on my machine? Is that right? Where would that be applicable, and how does it differ from say ... allowing X11 Forwarding over an SSH connection?

ber_t · 2010-07-21 10:12:14

MkFly wrote:

I think vlock will work nicely if I use it to lock non-X consoles and then use gnome-screensaver to lock my X session. We'll see how that goes.

Well there's no need to use both of them: vlock is able to lock everything including X using the -a and -n command line switches. Just make sure to add your user to the vlock group.

Leonid.I · 2010-07-21 14:42:27

MkFly wrote:

Honestly, I've never set up such permissions. Reading online, I see it's used to allow or deny connections to the X Server running on my machine? Is that right? Where would that be applicable, and how does it differ from say ... allowing X11 Forwarding over an SSH connection?

Well, X over ssh is the preferred way. However, say you want to run gvim as root. This will cause an error, if xhost is configured in a wrong way. However, I don't know the default settings in Xserver 1.8 -- maybe it is obsolescent.

Anyway, it's beside the point... I checked on my laptop -- indeed one can gain access to tty even in the presence of xscreensaver

Last edited by Leonid.I (2010-07-21 14:44:45)

MkFly · 2010-07-21 16:13:35

ber_t wrote:

Well there's no need to use both of them: vlock is able to lock everything including X using the -a and -n command line switches. Just make sure to add your user to the vlock group.

That's perfect, thanks! It's not a GUI lock, but I actually like this better, since it locks everything in the same manner from the same program.

Leonid.I wrote:

Well, X over ssh is the preferred way. However, say you want to run gvim as root. This will cause an error, if xhost is configured in a wrong way. However, I don't know the default settings in Xserver 1.8 -- maybe it is obsolescent.

So would it only really apply when trying to run X programs as root? The only machines where I SSH into as root are servers without X anyway.

Leonid.I · 2010-07-21 18:06:51

MkFly wrote:

ber_t wrote:
Well there's no need to use both of them: vlock is able to lock everything including X using the -a and -n command line switches. Just make sure to add your user to the vlock group.
That's perfect, thanks! It's not a GUI lock, but I actually like this better, since it locks everything in the same manner from the same program.

Have you seen this?
http://www.gentoo-wiki.info/TIP_Fix_The … urity_Hole
I especially like the screen thing.

MkFly wrote:

Leonid.I wrote:
Well, X over ssh is the preferred way. However, say you want to run gvim as root. This will cause an error, if xhost is configured in a wrong way. However, I don't know the default settings in Xserver 1.8 -- maybe it is obsolescent.
So would it only really apply when trying to run X programs as root? The only machines where I SSH into as root are servers without X anyway.

You can still run graphical programs as another local user via su, right?

Last edited by Leonid.I (2010-07-21 18:08:01)

reinie · 2014-02-28 11:36:47

I guess I have a similar problem as I am attempting to lock all user tty´s when smartcard is detached from system.

card_eventmgr.conf is set as

pkcs11_eventmgr
{...

# Card has been removed
event card_remove
{
on_error = ignore;
action = "xscreensaver-command -lock"; #works on tty7 with graphical x
#"vlock -a" not working the question is how to lock all possible tty´s at once
}

I would like to use "vlock -a" to lock all possible logins from user on tty1-10.

away Gone >/dev/tty1 is not locking the tty1 either.

Is it even possible to lock all sessions floating around at once?

ewaller · 2014-02-28 15:25:15

reinie,
First, welcome to Arch Linux. There is nothing wrong with your post (pretty darn good for a first post )
But, this thread is a bit old. Even though your post is relevant, I am going to go ahead and close this thread. Much has changed in four years; Gnome and the Kernel especially. Rather than mix old solutions with new solutions, I ask that you go ahead and start a new thread. Use BBCode links back to this thread if you feel it this thread is still relevant. This also gives you the advantage of being the original poster in the thread. That gives you some control over the direction of the thread.

Thanks.

Arch Linux

#1 2010-07-19 19:57:50

[SOLVED] Lock screen without display manager, can still change tty

#2 2010-07-19 20:30:28

Re: [SOLVED] Lock screen without display manager, can still change tty

#3 2010-07-19 21:27:03

Re: [SOLVED] Lock screen without display manager, can still change tty

#4 2010-07-19 22:03:44

Re: [SOLVED] Lock screen without display manager, can still change tty

#5 2010-07-20 04:18:03

Re: [SOLVED] Lock screen without display manager, can still change tty

#6 2010-07-20 05:50:04

Re: [SOLVED] Lock screen without display manager, can still change tty

#7 2010-07-20 16:20:13

Re: [SOLVED] Lock screen without display manager, can still change tty

#8 2010-07-20 17:06:52

Re: [SOLVED] Lock screen without display manager, can still change tty

#9 2010-07-20 17:34:32

Re: [SOLVED] Lock screen without display manager, can still change tty

#10 2010-07-20 18:51:51

Re: [SOLVED] Lock screen without display manager, can still change tty

#11 2010-07-20 19:20:43

Re: [SOLVED] Lock screen without display manager, can still change tty

#12 2010-07-21 10:12:14

Re: [SOLVED] Lock screen without display manager, can still change tty

#13 2010-07-21 14:42:27

Re: [SOLVED] Lock screen without display manager, can still change tty

#14 2010-07-21 16:13:35

Re: [SOLVED] Lock screen without display manager, can still change tty

#15 2010-07-21 18:06:51

Re: [SOLVED] Lock screen without display manager, can still change tty

#16 2014-02-28 11:36:47

Re: [SOLVED] Lock screen without display manager, can still change tty

#17 2014-02-28 15:25:15

Re: [SOLVED] Lock screen without display manager, can still change tty

Board footer