Screen Locker (In)Security - Can we disable these at least 4 backdoors?

Shouldn’t xscreensaver disable Ctrl-Alt-Backspace while the screen is locked?

Yes, it should. Unfortunately, that’s not possible with current versions of XFree86 or XOrg. It’s as if the developers of X11 and the Linux kernel want to make it as hard as possible for you to lock your screen.

[…]

A lot ways to disable the screensaver.

We might have to reconsider SysRq (Magic SysRq key) as per:

Backdoor #3: Alt-SysRq-F .

This is the Linux kernel “OOM-killer” keystroke. It shoots down random long-running programs of its choosing, and so might might target and kill xscreensaver, and there’s no way for xscreensaver to protect itself from that. You can disable it globally with: sudo ‘echo 176 > /proc/sys/kernel/sysrq’

2 Likes

Yeah so it’s a good argument for applying a mask rather than enabling or throwing out the feature entirely.

1 Like

There is quite a lot more to it than just SysRq. Hence asked in title

Can we disable these at least 4 backdoors?

Quote XScreenSaver FAQ

It’s as if the developers of X11 and the Linux kernel want to make it as hard as possible for you to lock your screen.

Backdoor #1: Ctrl-Alt-Backspace .

This keystroke kills the X server, and on some systems, leaves you at a text console. If the user launched X11 manually, that text console will still be logged in. To disable this keystroke globally and permanently, you need to set the DontZap flag in your xorg.conf or XF86Config or XF86Config-4 file (whichever name is in use on your system). See the manual for XF86Config (or variant) for more details.

Backdoor #2: Ctrl-Alt-F1 , Ctrl-Alt-F2 , etc.

These keystrokes will switch to a different virtual console, while leaving the console that X11 is running on locked. If you left a shell logged in on another virtual console, it is unprotected. So don’t leave yourself logged in on other consoles. You can disable VT switching globally and permanently by setting DontVTSwitch in your xorg.conf, but that might make your system harder to use.

Backdoor #3: Alt-SysRq-F .

This is the Linux kernel “OOM-killer” keystroke. It shoots down random long-running programs of its choosing, and so might might target and kill xscreensaver, and there’s no way for xscreensaver to protect itself from that. You can disable it globally with: sudo ‘echo 176 > /proc/sys/kernel/sysrq’

(As of version 5.41, if xscreensaver is setuid, and you are running Linux 2.6.37 or newer, xscreensaver attempts to request that the kernel’s out-of-memory assassin not randomly unlock the screen on you, but it’s only a request.)

Backdoor #4: Ctrl-Alt-KP_Multiply .

This keystroke kills any X11 app that holds a lock, so typing this will kill xscreensaver and unlock the screen. This “feature” showed up in the X server in 2008, and as of 2011, some vendors are shipping it turned on by default. How nice. You can disable it by turning off AllowClosedownGrabs in xorg.conf.

There’s little that I can do to make the screen locker secure so long as the kernel and X11 developers are actively working against security. The strength of the lock on your front door doesn’t matter much so long as someone else in the house insists on leaving a key under the welcome mat.

In an ideal world, there would be a single X11 request named something like XGrabMagicKeys() that would, analagously to XGrabKeyboard(), disable all of these magic keystrokes until the grab was released or the program exited. It should be an X11 call, not an ioctl(), and especially not a root-only ioctl(). Needless to say, no such interface exists.

Does not do anything for me. Seems disabled. Could you please confirm that it does not do anything for you too?

This is now mentioned in documentation:
Protection Against Physical Attacks: Difference between revisions - Whonix

Should we set DontVTSwitch in xorg configuration by default?

And/or Auto Logout Virtual Console on Inactivity?

nothing here

1 Like

GetViewPortIsFullOfLies:True should be set in .xscreensaver to prevent anyone getting a partial screen if connected to a monitor with higher resolution.

Vlock is probably a better solution than Xscreensaver; it’s simpler and not tricky to use. Xscreensaver is still buggy and can lock the screen with the whole area visible. I had a problem losing my session with vlock in Debian, though. I’m not sure why that was happening.

1 Like

VT switch is possible in Qubes.

1 Like

vlock can be considered.

Do we need a pre-installed screen saver anyhow? Maybe screensaver can still be useful even nowadays. But do we have to rely on the screen locking mechanism of the screensaver?

Could we rely on the screen lock feature of a / the login manager (currently: lightdm)?

Perhaps another alternative would be autolog?

https://manpages.debian.org/buster/autolog/autolog.conf.5.en.html

XFCE Power Manager might be another alternative?
https://docs.xfce.org/xfce/xfce4-power-manager/1.4/preferences

XFCE Power Manager can lock the screen when laptop lid is closed. Screenshot:
https://docs.xfce.org/_media/xfce/xfce4-power-manager/1.4/xfpm-general.png

XFCE Power Manager can also lock the screen on inactivity. Screenshot:
https://docs.xfce.org/_media/xfce/xfce4-power-manager/1.4/xfpm-system.png

Does not do anything for me. Seems disabled. Could you please confirm that it does not do anything for you too?

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=347803 say this is obsolete. Cannot find this option in man page xorg.conf(5) — xserver-xorg-core — Debian buster — Debian Manpages anymore.

Seems removed from upstream X. Only mentions are in archived man pages.

site:https://www.x.org AllowClosedownGrabs

SysRq should be sufficiently tamed already. Separate forum thread:

Seems Debian never supported this, but only the virtual console via sysrq

https://www.linuxquestions.org/questions/debian-26/debian-not-excepting-password-when-screen-is-locked-unless-i-restart-4175678668/#post6145364

This text is quite dated. Nowadays, most vendors (I believe Debian, too) ship their systems with Ctrl+Alt+Backspace and Ctrl+Alt+KP_Multiply disabled by default. But virtual consoles and the Magic SysRq key should be enabled in Debian.

1 Like

Here is some data that can help you harden Xscreensaver. I’m not going to commit to provide further technical resources at this site. Thank you for your work on this important software!

The first 3 options are found at /etc/X11/xorg.conf

Backdoor: Ctrl+Alt+Backspace
“DontZap” → man for xorg.conf/XF86Config
Backdoor: VT Switching
“DontVTSwitch” → man for xorg.conf/XF86Config
Backdoor: “AllowCloseDownGrabs” (Not currently in code, last bug issue comment in 2017. Before that, resolved 2013.

Backdoor: suggestion (kernel.sysrq=132)
https://kernel.org/doc/Documentation/sysrq.txt
sysctl '/proc/sys/vm/oom_kill_allocating_task * set to non-zero kills the memory hog.
https://sysctl-explorer.net/VM/oom_kill_allocating_task

1 Like