Many screen lockers (mine is i3lock) do not block access to other Virtual Terminals. This means that, if I leave a session open in some VT, then even when the desktop is locked (for example when resuming), a malicious person can switch to the VT and do anything.
This is an actual issue for me, as I occasionally switch to a VT, then switch back to the graphical environment and forget to log out from the VT.
The question then is: how to add VT-locking on top of an existing screen locker?
The Arch Linux wiki suggests simply disabling VTs from Xorg, with this piece of configuration for the X server:

    Section "ServerFlags"
        # disable VT switching:
        Option "DontVTSwitch" "True"
        # disable “zapping”, i.e. killing the X server with Ctrl-Alt-Bksp:
        Option "DontZap" "True"
    EndSection

This is not an option since I use VTs, as already explained above. Maybe one solution would be to set and reset those options dynamically, but I found nothing to change X server options at runtime, at least in general (there are things like setxkbmap for keyboard layouts, or xset for misc stuff). Is this possible?
I also found the command vlock -a which, when called from a text-based VT, locks the session and disables VT switching. However, it does not work from the graphical environment, and would anyway be redundant with the graphical screen locker.
How can I solve this problem?
Best Answer
I did it in a not-so-graceful way: first, changed to the first terminal with chvt (that's where my slock locker will be running), then disabled the keys F1 to F12 with xmodmap in a systemd unit called after sleep.target, and enabled them back after resume.target, and it seems to be working fine.
systemd Unit:
disableVTS.sh script: