Linux – Is locking the screen safe

Tags: gnome, linux, security

See USB driver bug exposed as "Linux plug&pwn", or this link


Two choices [GNOME, Fedora 14]:

  1. Use the gnome-screensaver
  2. Use the "switch user" function [gnome menu -> log out -> switch user]

So the question is: which one is the safer method to lock the screen if a user leaves the pc?

Is it true that using the [2] method is safer? The way I see it, the gnome-screensaver is just a "process"; it could be killed. But if you use the log out/switch user function, it's "something else". Using the "switch user" function, could there be a problem like with the gnome-screensaver? Could someone "kill a process" and presto…the lock is removed? Could the GDM [??] "login window process" get killed and the "lock" get owned?

Screenshot of the GDM login window process


If the [2] method is safer, then how can I put an icon on the GNOME panel to launch the "switch user" action with one click?

Best Answer

Well, your first link is about kernel-mode arbitrary code execution; there is not much you can do against that. Logging out won't help. Grsecurity and PaX could prevent this, but I'm not sure. It surely protects against introducing new executable code, but I can't find any evidence that it randomizes where the kernel code is located, which means an exploit could use the code already in executable memory to perform arbitrary operations (a method known as return-oriented programming). Since this overflow happens on the heap, compiling the kernel with -fstack-protector-all won't help. Keeping the kernel up to date and people with pendrives away seems to be your best bet.

The second method is the result of a badly written screensaver, which means logging out prevents that particular bug. Even if the attacker kills GDM he will not get in. Try killing it yourself from SSH: you get a black screen or a text-mode console. Besides, AFAIK GDM runs as root (like login), so the attacker would need root privileges to kill it.

Switching users doesn't have this effect. When you switch user, the screen is locked with the screensaver and GDM is started on the next virtual terminal. You can press [ctrl]+[alt]+[f7] to get back to the buggy screensaver.
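To check the answer's point on your own box (which lock-related processes exist and whether the logged-in user owns them, i.e. could signal them without root), here is a small audit script. It is an added example, not code from the thread; the process names and the sample `ps` output are constructed to resemble a Fedora 14 GNOME desktop, and `comm` is truncated to 15 characters as `ps` does.

```shell
#!/bin/sh
# Added audit helper (not from the original thread): list the processes that
# implement the screen lock and report whether the given unprivileged user
# owns them. Same owner => the user can kill it; root-owned => needs root first.
# Input is "USER COMMAND" lines, by default from `ps -eo user:20,comm`.

# lock_audit USER [PS_OUTPUT]: prints "comm owner killable" for lock processes
lock_audit() {
    user="$1"
    input="${2:-$(ps -eo user:20,comm 2>/dev/null)}"
    printf '%s\n' "$input" | awk -v who="$user" '
        # comm is truncated by ps, so match on prefixes of the known names
        $2 ~ /^(gnome-screensav|xscreensaver|gdm-binary|gdm-simple-sla)/ {
            owner = $1
            killable = (owner == who) ? "yes" : "no"
            print $2, owner, killable
        }'
}

# count_user_killable USER [PS_OUTPUT]: number of lock processes the user owns
count_user_killable() {
    lock_audit "$1" "$2" | awk '$3 == "yes"' | wc -l | tr -d ' '
}

# Constructed sample resembling `ps -eo user:20,comm` on a GNOME desktop
SAMPLE='USER                 COMMAND
root                 init
root                 gdm-binary
root                 gdm-simple-slav
alice                gnome-session
alice                gnome-screensav
alice                gnome-panel'

# Run against the sample; drop the second argument to audit the live system
lock_audit alice "$SAMPLE"
```

Any line ending in "yes" is a lock process the listed user could kill from a shell; in the sample only the screensaver qualifies, while both GDM processes are root-owned.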