Re: [qubes-users] screenlock keycombinations

2020-10-27 Thread David Hobach 

On 10/27/20 2:37 PM, evado...@gmail.com wrote:

Qubes by default protected from this key combinations?


Backdoor #1: Ctrl-Alt-Backspace.

 This keystroke kills the X server, and on some systems, leaves you at a
text console. If the user launched X11 manually, that text console will
still be logged in. To disable this keystroke globally and permanently, you
need to set the DontZap flag in your xorg.conf or XF86Config or
XF86Config-4 file (whichever name is in use on your system). See the manual
for XF86Config (or variant) for more details.


Didn't work with physlock, but I don't have xscreenlock.
I wonder where #2 went. ;-)


Backdoor #3: Alt-SysRq-F.

 This is the Linux kernel "OOM-killer" keystroke. It shoots down random
long-running programs of its choosing, and so might might target and kill
xscreensaver, and there's no way for xscreensaver to protect itself from
that. You can disable it globally with: sudo 'echo 176 >
/proc/sys/kernel/sysrq'


I got "This sysrq operation is disabled" for that one.


 (As of version 5.41, if xscreensaver is setuid, and you are running
Linux 2.6.37 or newer, xscreensaver attempts to request that the kernel's
out-of-memory assassin not randomly unlock the screen on you, but it's only
a request.)
Backdoor #4: Ctrl-Alt-KP_Multiply.

 This keystroke kills any X11 app that holds a lock, so typing this will
kill xscreensaver and unlock the screen. This "feature" showed up in the X
server in 2008, and as of 2011, some vendors are shipping it turned on by
default. How nice. You can disable it by turning off AllowClosedownGrabs in
xorg.conf.


No keypad to test...

You might be interested in [1] and [2].

[1] 
https://github.com/Qubes-Community/Contents/blob/master/docs/customization/screenlockers.md
[2] https://github.com/QubesOS/qubes-issues/issues/1917

--
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/a68eb77e-7d4d-806f-ff15-2e61b51603a5%40hackingthe.net.


smime.p7s
Description: S/MIME Cryptographic Signature

[qubes-users] screenlock keycombinations

2020-10-27 Thread evado...@gmail.com 
Qubes by default protected from this key combinations?


Backdoor #1: Ctrl-Alt-Backspace.

This keystroke kills the X server, and on some systems, leaves you at a 
text console. If the user launched X11 manually, that text console will 
still be logged in. To disable this keystroke globally and permanently, you 
need to set the DontZap flag in your xorg.conf or XF86Config or 
XF86Config-4 file (whichever name is in use on your system). See the manual 
for XF86Config (or variant) for more details.

Backdoor #3: Alt-SysRq-F.

This is the Linux kernel "OOM-killer" keystroke. It shoots down random 
long-running programs of its choosing, and so might might target and kill 
xscreensaver, and there's no way for xscreensaver to protect itself from 
that. You can disable it globally with: sudo 'echo 176 > 
/proc/sys/kernel/sysrq'

(As of version 5.41, if xscreensaver is setuid, and you are running 
Linux 2.6.37 or newer, xscreensaver attempts to request that the kernel's 
out-of-memory assassin not randomly unlock the screen on you, but it's only 
a request.) 
Backdoor #4: Ctrl-Alt-KP_Multiply.

This keystroke kills any X11 app that holds a lock, so typing this will 
kill xscreensaver and unlock the screen. This "feature" showed up in the X 
server in 2008, and as of 2011, some vendors are shipping it turned on by 
default. How nice. You can disable it by turning off AllowClosedownGrabs in 
xorg.conf. 

There's little that I can do to make the screen locker secure so long as 
the kernel and X11 developers are actively working against security. The 
strength of the lock on your front door doesn't matter much so long as 
someone else in the house insists on leaving a key under the welcome mat.

In an ideal world, there would be a single X11 request named something like 
XGrabMagicKeys() that would, analagously to XGrabKeyboard(), disable all of 
these magic keystrokes until the grab was released or the program exited. 
It should be an X11 call, not an ioctl(), and especially not a root-only 
ioctl(). Needless to say, no such interface exists. 

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/42ca3ac0-4b3b-4216-82a8-1afbe7c8c6cbn%40googlegroups.com.