I’m not a fan of graphical X login managers. I prefer startx.
But startx out of the box at public places can be dangerous. You can lock your desktop with xscreensaver-command -lock, but this doesn't keep other people out. They can just switch to the tty where you started your xsession (ctrl+alt+f1) and press ctrl+c; your xsession is killed and they have access to your user. This is dangerous. I used slim as a login manager, but it crashed several times a day, logged me out and killed the applications I had running. So I decided to go back to using startx, and then I had to find out how to lock down the xsession.
So how do you disable access to your tty?
First shut down your xsession and go back to the console.
Then install a program called vlock (using your package manager / slackbuilds).
Then put these lines in your .bashrc (assuming you are using bash):
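startx() {
    # Run the real startx detached from this shell, discarding its output
    nohup startx "$@" > /dev/null 2>&1 &
    disown
    # Lock this tty so it asks for your password
    vlock
}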
And start your xsession. If anyone tries to go to your tty now they have to type in your password to get access to it.
But even if we have locked down access to the tty, someone can still kill your xsession using ctrl+alt+backspace.
To disable ctrl+alt+backspace we need one option in /etc/X11/xorg.conf.
(If you don't use xorg.conf you have to create one.)
Add this section to your xorg.conf:
Section "ServerFlags"
    Option "DontZap" "true"
EndSection
When you start your xsession now, you have locked down access to your tty and you can't kill your xsession using ctrl+alt+backspace.
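A way to check that the DontZap option from the steps above is really active in a config file, as an added example that is not part of the original post. The function names and the sample config are constructed for illustration; the check assumes Xorg's usual option parsing (option names compared without regard to case or underscores, and a missing value, 1, on, true or yes counting as true) and looks only at the file it is given.

```shell
#!/bin/sh
# dontzap_enabled FILE
# Returns 0 if FILE has an active Option "DontZap" with a true value inside
# Section "ServerFlags", 1 otherwise. Text after '#' is ignored.
dontzap_enabled() {
    awk '
        { sub(/#.*/, "") }    # strip comments, fields are re-split
        tolower($1) == "section"    { insec = (tolower($2) == "\"serverflags\""); next }
        tolower($1) == "endsection" { insec = 0; next }
        insec && tolower($1) == "option" {
            name = tolower($2); gsub(/[" _]/, "", name)
            if (name != "dontzap") next
            val = tolower($3); gsub(/"/, "", val)
            # assumed true values: missing value, 1, on, true, yes
            found = (val == "" || val == "1" || val == "on" || val == "true" || val == "yes")
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# report_dontzap FILE...
# Prints one status line per file; returns 0 only if at least one readable
# file enables DontZap.
report_dontzap() {
    rc=1
    for f in "$@"; do
        [ -r "$f" ] || { echo "skip    $f (not readable)"; continue; }
        if dontzap_enabled "$f"; then echo "locked  $f"; rc=0
        else echo "open    $f"; fi
    done
    return $rc
}

# Constructed sample: the section from the post plus a commented-out decoy
# in an unrelated section.
sample_conf() {
    cat <<'EOF'
Section "Device"
    # Option "DontZap" "true"
    Identifier "card0"
EndSection
Section "ServerFlags"
    Option "DontZap" "true"
EndSection
EOF
}
```

After sourcing the functions, run report_dontzap /etc/X11/xorg.conf to check your own file.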
Wouldn’t startx && exit have the same effect?
I get how this is a much better solution though.
I believe you have a typo in the line “nohup startx "$@" > /dev/null 2&>1 &”. The “2&>1” should be “2>&1”, otherwise the xsession will not start, or at least in my case it did not until I made the correction.
Nice security tip!