Re: Security Implications of running startx from command line - was Re: Startx: was Great Debian experience

To: debian-user@lists.debian.org
Subject: Re: Security Implications of running startx from command line - was Re: Startx: was Great Debian experience
From: "Steve Litt of Troubleshooters.Com" <littdom@gmail.com>
Date: Wed, 19 Mar 2014 22:48:49 -0400
Message-id: <[🔎] 20140319224849.1b1aaec5@mydesk>
In-reply-to: <[🔎] CAOsGNSSDt+5w-tEAiJNkFNkL0TMcLF4LjUiOkkW+oXDFiei2pQ@mail.gmail.com>
References: <[🔎] CAOsGNSSDt+5w-tEAiJNkFNkL0TMcLF4LjUiOkkW+oXDFiei2pQ@mail.gmail.com>

On Thu, 20 Mar 2014 12:44:21 +1100
Zenaan Harkness <zen@freedbms.net> wrote:

> > Yeah, when making a machine for a less technical or less
> > command-prompt comfortable person, I like to have it boot into GUI
> > via the desktop manager. But when setting it up for myself or for
> > people technically sharp enough to log in and then type
> > "startx" (and people you can trust with the command prompt), I like
> > to boot to the command prompt.
> 
> When logging in at the Linux console (on current kernels at least),
> then running startx, there is a security problem:
> 
> Anyone with physical access to your computer could:
> 
> a) logout of your gui session (if it's not screensaver locked), taking
> them back to your command line, and depending on your settings of
> /etc/sudoers tty_tickets or respectively !tty_tickets setting - see
> man sudoers) might give them instant root access;
> either way, mischief may ensure.
> 
> b) type Ctrl-Alt-F1 (for example), followed by Ctrl-C to kill your gui
> session, notwithstanding if you even have it gui locked
> 
> 
> SO: what to do?
> 
> What I did for a while was:
> a) log in to Linux console
> b) startx; exit
> 
> This way, when the gui (X in this case) exits for any reason, then the
> console shell session logs out automatically.
> 
> That's fine, but requires more typing, and remembering to add the
> extra "; exit" command.
> 
> So to optimize, simply put the sequency "startx; exit" (or similar)
> into a shell function - I use the name "se" since it's less to type :)
> 
> So now I use:
> a) log in to Linux console
> b) se
> 
> Happy and safe sessions to all,
> Zenaan

Outstanding! I'm going to start doing that. Thanks.

What shellscript contains the se function on your system?

Of course, if a badguy has physical access, then you're pretty much
screwed anyway: If you don't have a bios password they can boot System
Rescue CD, mount your root partition, delete the x in the second field
of root's record (or your record if there's no root), log in, press
enter, log in, change the password to something they like, and have
their way with the machine.

But I still like your se, and will do that.

Thanks,

SteveT

Steve Litt                *  http://www.troubleshooters.com/
Troubleshooting Training  *  Human Performance

Reply to:

Follow-Ups:
- Re: Security Implications of running startx from command line - was Re: Startx: was Great Debian experience
  - From: Zenaan Harkness <zen@freedbms.net>
- Re: Security Implications of running startx from command line - was Re: Startx: was Great Debian experience
  - From: Scott Ferguson <scott.ferguson.debian.user@gmail.com>
- Re: Security Implications of running startx from command line - was Re: Startx: was Great Debian experience
  - From: Brian <ad44@cityscape.co.uk>

References:
- Security Implications of running startx from command line - was Re: Startx: was Great Debian experience
  - From: Zenaan Harkness <zen@freedbms.net>

Prev by Date: Re: Great Debian experience
Next by Date: Re: lighttpd server configs
Previous by thread: Security Implications of running startx from command line - was Re: Startx: was Great Debian experience
Next by thread: Re: Security Implications of running startx from command line - was Re: Startx: was Great Debian experience
Index(es):
- Date
- Thread