Qubes by default protected from this key combinations?
Backdoor #1: Ctrl-Alt-Backspace.
This keystroke kills the X server, and on some systems, leaves you at a
text console. If the user launched X11 manually, that text console will
still be logged in. To disable this keystroke globally and permanently, you
need to set the DontZap flag in your xorg.conf or XF86Config or
XF86Config-4 file (whichever name is in use on your system). See the manual
for XF86Config (or variant) for more details.
Backdoor #3: Alt-SysRq-F.
This is the Linux kernel "OOM-killer" keystroke. It shoots down random
long-running programs of its choosing, and so might might target and kill
xscreensaver, and there's no way for xscreensaver to protect itself from
that. You can disable it globally with: sudo 'echo 176 >
(As of version 5.41, if xscreensaver is setuid, and you are running
Linux 2.6.37 or newer, xscreensaver attempts to request that the kernel's
out-of-memory assassin not randomly unlock the screen on you, but it's only
Backdoor #4: Ctrl-Alt-KP_Multiply.
This keystroke kills any X11 app that holds a lock, so typing this will
kill xscreensaver and unlock the screen. This "feature" showed up in the X
server in 2008, and as of 2011, some vendors are shipping it turned on by
default. How nice. You can disable it by turning off AllowClosedownGrabs in
There's little that I can do to make the screen locker secure so long as
the kernel and X11 developers are actively working against security. The
strength of the lock on your front door doesn't matter much so long as
someone else in the house insists on leaving a key under the welcome mat.
In an ideal world, there would be a single X11 request named something like
XGrabMagicKeys() that would, analagously to XGrabKeyboard(), disable all of
these magic keystrokes until the grab was released or the program exited.
It should be an X11 call, not an ioctl(), and especially not a root-only
ioctl(). Needless to say, no such interface exists.
You received this message because you are subscribed to the Google Groups
To unsubscribe from this group and stop receiving emails from it, send an email
To view this discussion on the web visit