You are not logged in.

#1 2010-07-19 19:57:50

MkFly
Member
From: Mars
Registered: 2009-12-10
Posts: 141

[SOLVED] Lock screen without display manager, can still change tty

I'm using Xfce without a display manager.  I just login from tty1 and startx.

When I lock the screen with gnome-screensaver -l or xlock, I can still change tty with Ctrl+Alt+(F1-F8), so anybody could just switch to tty1, kill X and have access to my account and machine.

Anybody know how I can work around this without installing a display manager?

Last edited by MkFly (2010-07-21 16:14:20)

Offline

#2 2010-07-19 20:30:28

oliver
Member
Registered: 2007-12-12
Posts: 448

Re: [SOLVED] Lock screen without display manager, can still change tty

I don't know whether this is opening up other issues, but I have the following block in my .bashrc

if [ -z "$DISPLAY" ] && [ $(tty)  == /dev/tty1 ] ; then
        startx & > /dev/null 2>&1 
fi

This still gives me the problem you have where someone could hit ctrl-alt-F1, then ctrl-c out of my startx session and have a shell...  but if you added something to the startx line, I think it would do what you want.  Something like:

if [ -z "$DISPLAY" ] && [ $(tty)  == /dev/tty1 ] ; then
        startx & > /dev/null 2>&1 && sleep 10 && exit
fi

so after logging into X, it sleeps for 10 seconds and then logs out (on tty1) leaving you logged into X on tty7.

There's probably a more graceful way to do it, but I just tested on my box and it worked as expected

Last edited by oliver (2010-07-20 00:42:01)

Offline

#3 2010-07-19 21:27:03

ber_t
Member
From: Berlin, Germany
Registered: 2010-03-10
Posts: 214
Website

Re: [SOLVED] Lock screen without display manager, can still change tty

If you want to use X while beeing logged in a console, you might as well try vlock.

Offline

#4 2010-07-19 22:03:44

Spot
Member
From: The Heart of Europe
Registered: 2008-12-20
Posts: 68

Re: [SOLVED] Lock screen without display manager, can still change tty

Or try "xscreensaver"

Offline

#5 2010-07-20 04:18:03

MkFly
Member
From: Mars
Registered: 2009-12-10
Posts: 141

Re: [SOLVED] Lock screen without display manager, can still change tty

oliver wrote:

so after logging into X, it sleeps for 10 seconds and then logs out (on tty1) leaving you logged into X on tty7.

Hmm.  That does work, but sometimes I actually *want* to be logged in to other tty consoles.  I guess really what I'm after is a way to disable tty switching when the screen is locked via xlock, gnome-screensaver, xscreensaver, etc.

ber_t wrote:

If you want to use X while beeing logged in a console, you might as well try vlock.

Double hmm.  I might be able to make something happen with that, thanks.

Spot wrote:

Or try "xscreensaver"

xscreensaver still lets you switch between virtual consoles when locked, I should have mentioned that one too.

Offline

#6 2010-07-20 05:50:04

loafer
Member
From: the pub
Registered: 2009-04-14
Posts: 1,772

Re: [SOLVED] Lock screen without display manager, can still change tty

MkFly wrote:

xscreensaver still lets you switch between virtual consoles when locked, I should have mentioned that one too.

According to the FAQs xscreensaver can't prevent this:

http://www.jwz.org/xscreensaver/faq.html


All men have stood for freedom...
For freedom is the man that will turn the world upside down.
Gerrard Winstanley.

Offline

#7 2010-07-20 16:20:13

MkFly
Member
From: Mars
Registered: 2009-12-10
Posts: 141

Re: [SOLVED] Lock screen without display manager, can still change tty

loafer wrote:

According to the FAQs xscreensaver can't prevent this:

Thanks for that:

http://www.jwz.org/xscreensaver/faq.html#no-ctl-alt-bs
Likewise, it's not possible for xscreensaver to prevent virtual-terminal switching (Ctrl-Alt-F1, etc), so don't leave yourself logged in on a non-X console and expect xscreensaver to be able to protect that console too...

I think vlock will work nicely if I use it to lock non-X consoles and then use gnome-screensaver to lock my X session.  We'll see how that goes. wink

Thanks guys.

Offline

#8 2010-07-20 17:06:52

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: [SOLVED] Lock screen without display manager, can still change tty

MkFly wrote:

xscreensaver still lets you switch between virtual consoles when locked, I should have mentioned that one too.

AFAIR I don't have this problem on my Arch machine, but do have it on Ubuntu. In Ubuntu I have kdm+gnome, so apparently, it's not a DM problem. I can check up on my Arch system, when I get back to it. In the mean time, can you post your .xinitrc?


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd

Offline

#9 2010-07-20 17:34:32

MkFly
Member
From: Mars
Registered: 2009-12-10
Posts: 141

Re: [SOLVED] Lock screen without display manager, can still change tty

Leonid.I wrote:

In the mean time, can you post your .xinitrc?

Oh, mine is pretty simple:

#!/bin/sh
exec ck-launch-session startxfce4

Offline

#10 2010-07-20 18:51:51

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: [SOLVED] Lock screen without display manager, can still change tty

... and you start xscreensaver as an autostart in XFCE, right? Try putting

xscreensaver -no-splash &

before exec in .xinitrc -- see if this helps.

EDIT: Also, try using xfce4-session instead of startxfce4. The latter is just a script, which calls the former, but there may be some tricks with permissions in there...

EDIT2: If you don't have a DM, where do you set up your xhost permissions?

Last edited by Leonid.I (2010-07-20 18:55:26)


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd

Offline

#11 2010-07-20 19:20:43

MkFly
Member
From: Mars
Registered: 2009-12-10
Posts: 141

Re: [SOLVED] Lock screen without display manager, can still change tty

Leonid.I wrote:

... and you start xscreensaver as an autostart in XFCE, right?

Normally, yes.

Leonid.I wrote:

Try putting

xscreensaver -no-splash &

before exec in .xinitrc -- see if this helps.

EDIT: Also, try using xfce4-session instead of startxfce4. The latter is just a script, which calls the former, but there may be some tricks with permissions in there...

Just tried all that, same outcome.

Leonid.I wrote:

EDIT2: If you don't have a DM, where do you set up your xhost permissions?

Honestly, I've never set up such permissions.  Reading online, I see it's used to allow or deny connections to the X Server running on my machine?  Is that right?  Where would that be applicable, and how does it differ from say ... allowing X11 Forwarding over an SSH connection?

Offline

#12 2010-07-21 10:12:14

ber_t
Member
From: Berlin, Germany
Registered: 2010-03-10
Posts: 214
Website

Re: [SOLVED] Lock screen without display manager, can still change tty

MkFly wrote:

I think vlock will work nicely if I use it to lock non-X consoles and then use gnome-screensaver to lock my X session.  We'll see how that goes. wink

Well there's no need to use both of them: vlock is able to lock everything including X using the -a and -n command line switches. Just make sure to add your user to the vlock group.

Offline

#13 2010-07-21 14:42:27

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: [SOLVED] Lock screen without display manager, can still change tty

MkFly wrote:

Honestly, I've never set up such permissions.  Reading online, I see it's used to allow or deny connections to the X Server running on my machine?  Is that right?  Where would that be applicable, and how does it differ from say ... allowing X11 Forwarding over an SSH connection?

Well, X over ssh is the preferred way. However, say you want to run gvim as root. This will cause an error, if xhost is configured in a wrong way. However, I don't know the default settings in Xserver 1.8 -- maybe it is obsolescent.

Anyway, it's beside the point... I checked on my laptop -- indeed one can gain access to tty even in the presence of xscreensaver hmm

Last edited by Leonid.I (2010-07-21 14:44:45)


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd

Offline

#14 2010-07-21 16:13:35

MkFly
Member
From: Mars
Registered: 2009-12-10
Posts: 141

Re: [SOLVED] Lock screen without display manager, can still change tty

ber_t wrote:

Well there's no need to use both of them: vlock is able to lock everything including X using the -a and -n command line switches. Just make sure to add your user to the vlock group.

That's perfect, thanks!  It's not a GUI lock, but I actually like this better, since it locks everything in the same manner from the same program.

Leonid.I wrote:

Well, X over ssh is the preferred way. However, say you want to run gvim as root. This will cause an error, if xhost is configured in a wrong way. However, I don't know the default settings in Xserver 1.8 -- maybe it is obsolescent.

So would it only really apply when trying to run X programs as root?  The only machines where I SSH into as root are servers without X anyway.

Offline

#15 2010-07-21 18:06:51

Leonid.I
Member
From: Aethyr
Registered: 2009-03-22
Posts: 999

Re: [SOLVED] Lock screen without display manager, can still change tty

MkFly wrote:
ber_t wrote:

Well there's no need to use both of them: vlock is able to lock everything including X using the -a and -n command line switches. Just make sure to add your user to the vlock group.

That's perfect, thanks!  It's not a GUI lock, but I actually like this better, since it locks everything in the same manner from the same program.

Have you seen this?
http://www.gentoo-wiki.info/TIP_Fix_The … urity_Hole
I especially like the screen thing.

MkFly wrote:
Leonid.I wrote:

Well, X over ssh is the preferred way. However, say you want to run gvim as root. This will cause an error, if xhost is configured in a wrong way. However, I don't know the default settings in Xserver 1.8 -- maybe it is obsolescent.

So would it only really apply when trying to run X programs as root?  The only machines where I SSH into as root are servers without X anyway.

You can still run graphical programs as another local user via su, right?

Last edited by Leonid.I (2010-07-21 18:08:01)


Arch Linux is more than just GNU/Linux -- it's an adventure
pkill -9 systemd

Offline

#16 2014-02-28 11:36:47

reinie
Member
Registered: 2014-02-28
Posts: 1

Re: [SOLVED] Lock screen without display manager, can still change tty

I guess I have a similar problem as I am attempting to lock all user tty´s when smartcard is detached from system.

card_eventmgr.conf is set as

pkcs11_eventmgr
{...

# Card has been removed
event card_remove
{
on_error = ignore;
        action =  "xscreensaver-command -lock"; #works on tty7 with graphical x
        #"vlock -a" not working the question is how to lock all possible tty´s at once
}


I would like to use "vlock -a" to lock all possible logins from user on tty1-10.

away Gone >/dev/tty1 is not locking the tty1 either.

Is it even possible to lock all sessions floating around at once?

Offline

#17 2014-02-28 15:25:15

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 19,739

Re: [SOLVED] Lock screen without display manager, can still change tty

reinie,
First, welcome to Arch Linux.  There is nothing wrong with your post (pretty darn good for a first post smile )
But, this thread is a bit old.  Even though your post is relevant, I am going to go ahead and close this thread.  Much has changed in four years; Gnome and the Kernel especially.  Rather than mix old solutions with new solutions, I ask that you go ahead and start a new thread.  Use BBCode links back to this thread if you feel it this thread is still relevant.  This also gives you the advantage of being the original poster in the thread.  That gives you some control over the direction of the thread.

Thanks.


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

Board footer

Powered by FluxBB