Lock Screen as root

Sat May 27 06:41:05 UTC 2006

Erik Hemdal wrote:
>> Erik Hemdal wrote:
>>
>>     
>>> On the gnome-list, a posting noted that one can bypass the 
>>>       
>> screensaver
>>     
>>> anyway with CTRL-ALT-F1, so logging in as root is dangerous.  But I
>>> tried this, and while I can bypass the screensaver, I still 
>>>       
>> must log in
>>     
>>> to my virtual terminals.  So no loss of security.
>>>       
>> If root did a graphical login, you're right.
>>
>> But if root has started the X session with "startx" in one of 
>> the virtual
>> terminal, you can go to that virtual terminal, do a Ctrl-C (killing X)
>> and get a root shell.
>>     
>
> Thank you Roberto,  I was beginning to think that maybe I had grown an extra
> head or something that made others not want to answer the question.  Or
> maybe this is another bit of GNOME design wisdom that is just
> incomprehensible to me and obvious to everyone else.  I appreciate that you
> took the time to try to explain a dangerous case.
>
> I tried your idea and you're right, of course.  Launching X via startx is
> insecure because it does nothing to secure root's original login shell.  But
> preventing root from locking the screen doesn't make this "startx" case more
> secure.  And preventing locking after root does a graphical login _does_
> make the system a bit less secure; particularly when the Preferences GUI
> says root can do it.  
>
> Certainly, you don't want to routinely do this.  But this behavior seems
> inconsistent to the point of being a defect.  I can understand that there
> might be a security hole if the screensaver has to make connections to what
> might be a remote X server (I can remember at least one system on which X
> would fail to start if the network interface was unterminated).  But if this
> is so dangerous, why not prevent graphical root logins altogether?
>
> I'm still in the hunt for a good explanation of the behavior, so I'll keep
> looking.
>
> Erik
>
>   
>> Best regards.
>> -- 
>>    Roberto Ragusa    mail at robertoragusa.it
>>     
>
>
>   
While an X session is generated by a startx, a user can issue a 
Ctrl+Alt+Backspace to kill the X session, giving access to that 
account's cmd-line. This can also be done when the screen is locked. If 
the machine is running init 5 and it is the default X session, this only 
restarts the X session and doesn't give cmd-line access.

Although I prefer init 3, I have been running 5 to get around this. I 
might research the possibility of deactivating Ctrl+Alt+Backspace while 
having the screen locked. But still, a more savvy badguy/girl will know 
about either method of getting access. =(

But for the use of root: Don't log in as root to a GUI, unless you are 
there using it. Log out when you are done. Better: use su or sudo in a 
user account using virtual terminals.

Stephen Mirowski