Lock Screen as root
Stephen Mirowski
spmirowski at shaw.ca
Sat May 27 06:41:05 UTC 2006
Erik Hemdal wrote:
>> Erik Hemdal wrote:
>>
>>
>>> On the gnome-list, a posting noted that one can bypass the
>>>
>> screensaver
>>
>>> anyway with CTRL-ALT-F1, so logging in as root is dangerous. But I
>>> tried this, and while I can bypass the screensaver, I still
>>>
>> must log in
>>
>>> to my virtual terminals. So no loss of security.
>>>
>> If root did a graphical login, you're right.
>>
>> But if root has started the X session with "startx" in one of
>> the virtual
>> terminal, you can go to that virtual terminal, do a Ctrl-C (killing X)
>> and get a root shell.
>>
>
> Thank you Roberto, I was beginning to think that maybe I had grown an extra
> head or something that made others not want to answer the question. Or
> maybe this is another bit of GNOME design wisdom that is just
> incomprehensible to me and obvious to everyone else. I appreciate that you
> took the time to try to explain a dangerous case.
>
> I tried your idea and you're right, of course. Launching X via startx is
> insecure because it does nothing to secure root's original login shell. But
> preventing root from locking the screen doesn't make this "startx" case more
> secure. And preventing locking after root does a graphical login _does_
> make the system a bit less secure; particularly when the Preferences GUI
> says root can do it.
>
> Certainly, you don't want to routinely do this. But this behavior seems
> inconsistent to the point of being a defect. I can understand that there
> might be a security hole if the screensaver has to make connections to what
> might be a remote X server (I can remember at least one system on which X
> would fail to start if the network interface was unterminated). But if this
> is so dangerous, why not prevent graphical root logins altogether?
>
> I'm still in the hunt for a good explanation of the behavior, so I'll keep
> looking.
>
> Erik
>
>
>> Best regards.
>> --
>> Roberto Ragusa mail at robertoragusa.it
>>
>
>
>
While an X session is generated by a startx, a user can issue a
Ctrl+Alt+Backspace to kill the X session, giving access to that
account's cmd-line. This can also be done when the screen is locked. If
the machine is running init 5 and it is the default X session, this only
restarts the X session and doesn't give cmd-line access.
Although I prefer init 3, I have been running 5 to get around this. I
might research the possibility of deactivating Ctrl+Alt+Backspace while
having the screen locked. But still, a more savvy badguy/girl will know
about either method of getting access. =(
But for the use of root: Don't log in as root to a GUI, unless you are
there using it. Log out when you are done. Better: use su or sudo in a
user account using virtual terminals.
Stephen Mirowski
More information about the fedora-list
mailing list