Screen Locker (In)Security - Can we disable these at least 4 backdoors?

Shouldn’t xscreensaver disable Ctrl-Alt-Backspace while the screen is locked?

Yes, it should. Unfortunately, that’s not possible with current versions of XFree86 or XOrg. It’s as if the developers of X11 and the Linux kernel want to make it as hard as possible for you to lock your screen.

[…]

A lot ways to disable the screensaver.

We might have to reconsider SysRq (Magic SysRq key) as per:

Backdoor #3: Alt-SysRq-F .

This is the Linux kernel “OOM-killer” keystroke. It shoots down random long-running programs of its choosing, and so might might target and kill xscreensaver, and there’s no way for xscreensaver to protect itself from that. You can disable it globally with: sudo ‘echo 176 > /proc/sys/kernel/sysrq’

Yeah so it’s a good argument for applying a mask rather than enabling or throwing out the feature entirely.

There is quite a lot more to it than just SysRq. Hence asked in title

Can we disable these at least 4 backdoors?

Quote XScreenSaver FAQ

It’s as if the developers of X11 and the Linux kernel want to make it as hard as possible for you to lock your screen.

Backdoor #1: Ctrl-Alt-Backspace .

This keystroke kills the X server, and on some systems, leaves you at a text console. If the user launched X11 manually, that text console will still be logged in. To disable this keystroke globally and permanently, you need to set the DontZap flag in your xorg.conf or XF86Config or XF86Config-4 file (whichever name is in use on your system). See the manual for XF86Config (or variant) for more details.

Backdoor #2: Ctrl-Alt-F1 , Ctrl-Alt-F2 , etc.

These keystrokes will switch to a different virtual console, while leaving the console that X11 is running on locked. If you left a shell logged in on another virtual console, it is unprotected. So don’t leave yourself logged in on other consoles. You can disable VT switching globally and permanently by setting DontVTSwitch in your xorg.conf, but that might make your system harder to use.

Backdoor #3: Alt-SysRq-F .

This is the Linux kernel “OOM-killer” keystroke. It shoots down random long-running programs of its choosing, and so might might target and kill xscreensaver, and there’s no way for xscreensaver to protect itself from that. You can disable it globally with: sudo ‘echo 176 > /proc/sys/kernel/sysrq’

(As of version 5.41, if xscreensaver is setuid, and you are running Linux 2.6.37 or newer, xscreensaver attempts to request that the kernel’s out-of-memory assassin not randomly unlock the screen on you, but it’s only a request.)

Backdoor #4: Ctrl-Alt-KP_Multiply .

This keystroke kills any X11 app that holds a lock, so typing this will kill xscreensaver and unlock the screen. This “feature” showed up in the X server in 2008, and as of 2011, some vendors are shipping it turned on by default. How nice. You can disable it by turning off AllowClosedownGrabs in xorg.conf.

There’s little that I can do to make the screen locker secure so long as the kernel and X11 developers are actively working against security. The strength of the lock on your front door doesn’t matter much so long as someone else in the house insists on leaving a key under the welcome mat.

In an ideal world, there would be a single X11 request named something like XGrabMagicKeys() that would, analagously to XGrabKeyboard(), disable all of these magic keystrokes until the grab was released or the program exited. It should be an X11 call, not an ioctl(), and especially not a root-only ioctl(). Needless to say, no such interface exists.

Does not do anything for me. Seems disabled. Could you please confirm that it does not do anything for you too?

This is now mentioned in documentation:
Protection Against Physical Attacks: Difference between revisions - Whonix

Should we set DontVTSwitch in xorg configuration by default?

And/or Auto Logout Virtual Console on Inactivity?

nothing here

GetViewPortIsFullOfLies:True should be set in .xscreensaver to prevent anyone getting a partial screen if connected to a monitor with higher resolution.

Vlock is probably a better solution than Xscreensaver; it’s simpler and not tricky to use. Xscreensaver is still buggy and can lock the screen with the whole area visible. I had a problem losing my session with vlock in Debian, though. I’m not sure why that was happening.

VT switch is possible in Qubes.

vlock can be considered.

Do we need a pre-installed screen saver anyhow? Maybe screensaver can still be useful even nowadays. But do we have to rely on the screen locking mechanism of the screensaver?

Could we rely on the screen lock feature of a / the login manager (currently: lightdm)?

Perhaps another alternative would be autolog?

https://manpages.debian.org/buster/autolog/autolog.conf.5.en.html

XFCE Power Manager might be another alternative?
https://docs.xfce.org/xfce/xfce4-power-manager/1.4/preferences

XFCE Power Manager can lock the screen when laptop lid is closed. Screenshot:
https://docs.xfce.org/_media/xfce/xfce4-power-manager/1.4/xfpm-general.png

XFCE Power Manager can also lock the screen on inactivity. Screenshot:
https://docs.xfce.org/_media/xfce/xfce4-power-manager/1.4/xfpm-system.png

Does not do anything for me. Seems disabled. Could you please confirm that it does not do anything for you too?

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=347803 say this is obsolete. Cannot find this option in man page xorg.conf(5) — xserver-xorg-core — Debian buster — Debian Manpages anymore.

Seems removed from upstream X. Only mentions are in archived man pages.

site:https://www.x.org AllowClosedownGrabs

SysRq should be sufficiently tamed already. Separate forum thread:

Seems Debian never supported this, but only the virtual console via sysrq

https://www.linuxquestions.org/questions/debian-26/debian-not-excepting-password-when-screen-is-locked-unless-i-restart-4175678668/#post6145364

This text is quite dated. Nowadays, most vendors (I believe Debian, too) ship their systems with Ctrl+Alt+Backspace and Ctrl+Alt+KP_Multiply disabled by default. But virtual consoles and the Magic SysRq key should be enabled in Debian.

Here is some data that can help you harden Xscreensaver. I’m not going to commit to provide further technical resources at this site. Thank you for your work on this important software!

The first 3 options are found at /etc/X11/xorg.conf

Backdoor: Ctrl+Alt+Backspace
“DontZap” → man for xorg.conf/XF86Config
Backdoor: VT Switching
“DontVTSwitch” → man for xorg.conf/XF86Config
Backdoor: “AllowCloseDownGrabs” (Not currently in code, last bug issue comment in 2017. Before that, resolved 2013.

Backdoor: suggestion (kernel.sysrq=132)
https://kernel.org/doc/Documentation/sysrq.txt
sysctl '/proc/sys/vm/oom_kill_allocating_task * set to non-zero kills the memory hog.
https://sysctl-explorer.net/VM/oom_kill_allocating_task

Quick overview of where we are in Whonix 18 when it comes to screen locker backdoors:

Backdoor #1: Ctrl-Alt-Backspace .

Does not appear to be a problem. Ctrl-Alt-Backspace does nothing in Whonix-Workstation 18 with labwc. No files under /usr or /etc contain configuration that binds the Exit action in labwc to a keyboard shortcut, and it doesn’t appear at first glance that there is any keyboard shortcut designed to terminate labwc hardcoded in the source code.

Backdoor #2: Ctrl-Alt-F1 , Ctrl-Alt-F2 , etc.

Technically this is still a problem, but I don’t really consider this to be a backdoor at all. “If you’re logged in somewhere other than your graphical session, someone can switch to that session and have access” is just how systems that allow multiple logins work, if you log in somewhere and don’t log out, someone else could use that login. If we wanted to, we could disable additional VTs, but I see no tangible benefit in doing so, and would expect this would result in serious issues for users who end up with a broken GUI login.

Backdoor #3: Alt-SysRq-F .

Magic SysRq is entirely disabled on Whonix and has been for a while.

Backdoor #4: Ctrl-Alt-KP_Multiply .

Seems to be registered as a normal keypress with Swaylock, doesn’t do anything special. labwc does not appear to document any configuration options in labwc that allow force-unlocking the screen, nor does man swaylock. One possibly backdoor-like feature is that one can make swaylock unlock the screen without a password by sending a SIGUSR1 to the swaylock process, but that requires the ability to send signals to processes running as the user you are attacking, which is very close to (if not equivalent to) arbitrary code execution privileges. If an attacker has arbitrary code execution as the user they are attacking, bypassing the screenlocker is most likely the least of the victim’s worries.

One other related issue worth looking at:

As covered in XScreenSaver Manual, the OOM killer may take out a process like the screen locker even though Magic SysRq is disabled; all that has to happen is one must actually run out of memory. (This could happen if someone is using the system remotely over ssh while the screen is locked, or if the screen become locked while a lot of browser tabs were open and one of them is consuming more and more memory.) There is no good way to disable the OOM killer (the documented solution is to disable memory overcommit, but that’s a problem because some security features rely on it (in particular AddressSanitizer attempts to allocate somewhere around 20 terabytes of virtual memory, at least with the way it’s currently used in kloak). The other alternative is to enable panic_on_oom, which will cause the entire system to crash if it runs out of memory. I think the latter sounds like a good idea - it allows memory overcommit to work, and prevents unlocking the screen. The only real danger is that it could print out debugging details to a virtual terminal upon memory exhaustion, it’s unclear whether or not this may contain sensitive info or not. But I think we disable printing kernel messages to the display anyway…

tl;dr: of all the above - It looks like we’re mostly good, but we should consider enabling panic_on_oom.

This has been implemented.

Will be released together with Kicksecure (and Whonix) 18 and above.