Gentoo Wiki

TIP_Fix_The_Login_Security_Hole

This article is part of the Tips & Tricks series.


What is it?

The login security hole is basically caused by X. If you don't use X at all, you don't need to read this.

It comes in two forms:

Form 1: Using an XDM Login Manager

Many people use XDM, GDM, KDM or a similar login manager. The problem is that the X server then runs as root. Not good. Users have full access to the X server, and the X server potentially has full access to the rest of the computer.

Form 2: Logging Into the Console and Using 'startx'

A lot of people use this method to avoid the potentially deadly risk posed by running X as root. The problem is that most people don't disable the kill-X-server (Ctrl+Alt+Backspace) or switch-virtual-terminal (Ctrl+Alt+Fx, where x is a number between 1 and 6) hotkeys in xorg.conf. They leave the computer expecting xlock to keep it safe, and someone walks up, kills the X session, and now has a console that is already logged in as them.

The Fix(es)

There are two or three ways to fix this problem. Two involve still manually starting X while the other gives you a nice graphical login and even allows you to lock the console. We'll cover that one first.

Fix 1: Use Qingy

Yay! I get to tout one of my favorite applications ever made!

What is Qingy

Qingy (note that there is no 'u') is a framebuffer (a)getty replacement. It offers either graphical or text-mode login screens and lets you log into an X session or a console session of your choice. It is readily skinnable and, most importantly, lets you log directly into X, so that the X server is run by your user and your session dies when it does. Hah! Both problems solved.

How Do I Get It?

Just merge it. But be sure to get at least version 0.7.1. Version 0.6.0 is dumb.

Code: Getting Qingy
 # emerge qingy qingy-themes

Switching to Qingy

Right now, your computer is probably set up to use (a)getty for console-based logins but boots into an XDM login, so first, let's kick xdm out of the boot sequence. If you don't use an X-based login manager (GDM, KDM, Entrance, etc.), just skip this bit.

Code: Removing XDM From Boot
 # rc-update del xdm

Now we have to set up Qingy in /etc/inittab. Most people have the following:

Code: /etc/inittab Terminals Section Set for agetty
 # TERMINALS
 c1:12345:respawn:/sbin/agetty 38400 tty1 linux
 c2:2345:respawn:/sbin/agetty 38400 tty2 linux
 c3:2345:respawn:/sbin/agetty 38400 tty3 linux
 c4:2345:respawn:/sbin/agetty 38400 tty4 linux
 c5:2345:respawn:/sbin/agetty 38400 tty5 linux
 c6:2345:respawn:/sbin/agetty 38400 tty6 linux

We just need to make it look something like this:

Code: /etc/inittab Terminals Section Set for Qingy
 # TERMINALS
 c1:12345:respawn:/sbin/qingy tty1
 c2:2345:respawn:/sbin/qingy tty2
 c3:2345:respawn:/sbin/qingy tty3
 c4:2345:respawn:/sbin/qingy tty4
 c5:2345:respawn:/sbin/qingy tty5
 c6:2345:respawn:/sbin/agetty 38400 tty6 linux

Note that terminal 6 in the above configuration is still set to use agetty. That's a 'just-in-case' measure: if Qingy ever decides not to work for some reason (e.g. you fiddled around with it and borked your config), you've got a backup terminal.

Now, everything should be set. Just reboot your computer (or telinit q; killall agetty) and, voila!, you've got an ant... a really big ant that fills your screen. Yay! So now just dink around with /etc/qingy/settings and get it tweaked to your liking. For a list of themes just do: ls /usr/share/qingy/themes. You can also fiddle with /etc/qingy/welcomes to customize individual greetings.

Fix 2: Disabling certain key combinations in X

See warning below before implementing this solution. To start X "securely" from the console one could consider disabling certain keyboard shortcuts in X.

This requires editing /etc/X11/xorg.conf. Find the "ServerFlags" section. We need to add the following to this section:

Code: Killing Certain Keyboard Shortcuts
 Section "ServerFlags"
     ...
     Option "DontVTSwitch" "True"
     Option "DontZap" "True"
     ...
 EndSection

The first option kills the Ctrl+Alt+F(1-6) virtual terminal switch commands. So, say you started X from VT-1, someone can't just come along and Ctrl+Alt+F1 and then Ctrl+C to kill X.

The second option kills the Ctrl+Alt+Backspace command, so someone can't kill X even more easily than with the above method.

Now, just make sure you are set up to boot to a terminal login by running rc-update del xdm as root, and you should be set.

Warning: even with this additional configuration there's still the possibility of your X session crashing, either by chance (buggy video card drivers anyone?) or perhaps by someone with remote access logging in and deliberately crashing X.
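A quick way to confirm that Fix 2 is actually in effect is to audit the configuration file. The script below is an added example, not part of the original wiki page; the function name check_xorg_flags and the two sample files are constructed for illustration. It reports whether both options are enabled inside the "ServerFlags" section, treating a commented-out or "False" option as not enabled.

```shell
#!/bin/sh
# Added example (not from the wiki page): audit xorg.conf for the Fix 2 options.

# check_xorg_flags FILE -> prints the state of each option; returns 0 only if
# DontZap and DontVTSwitch are both enabled inside Section "ServerFlags".
check_xorg_flags() {
    awk '
    BEGIN { want["dontzap"] = "DontZap"; want["dontvtswitch"] = "DontVTSwitch" }
    { sub(/#.*/, "") }                              # drop comments
    tolower($1) == "section"    { insec = (tolower($2) == "\"serverflags\""); next }
    tolower($1) == "endsection" { insec = 0; next }
    insec && tolower($1) == "option" {
        name = tolower($2); gsub(/"/, "", name)
        val  = tolower($3); gsub(/"/, "", val)
        # Xorg treats a bare option, or 1/on/true/yes, as enabled.
        if (name in want)
            on[name] = (val == "" || val == "1" || val == "on" || val == "true" || val == "yes")
    }
    END {
        for (k in want) {
            if (on[k]) print want[k] ": enabled"
            else { print want[k] ": NOT enabled"; bad = 1 }
        }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample files, written to a temp dir so the script runs offline.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/hardened.conf" <<'EOF'
Section "ServerFlags"
    Option "DontVTSwitch" "True"
    Option "DontZap" "True"
EndSection
EOF
cat > "$SAMPLES/weak.conf" <<'EOF'
Section "ServerFlags"
    # Option "DontVTSwitch" "True"
    Option "DontZap" "False"
EndSection
EOF

for f in "$SAMPLES/hardened.conf" "$SAMPLES/weak.conf"; do
    echo "== $f"
    if check_xorg_flags "$f"; then echo "result: OK"; else echo "result: FAIL"; fi
done
```

On a real system, point the function at /etc/X11/xorg.conf instead of the sample files.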

Fix 3: startx and hangup/lock console

With this solution we run startx as a background process and log out of the calling console, or lock it, immediately.

Put the following line in your .zshrc (it should also work in .bashrc if you write & instead of &;, which bash rejects as a syntax error; you probably won't need the disown there):

 alias onlyx="nohup startx &; disown; exit"

Then run onlyx instead of startx; it will start X and then log off. If you are used to typing startx and are aware of the consequences, you can also name the alias startx instead of onlyx (then use =startx in zsh or command startx in bash to call the real startx without that side effect).

Lastly, one can create a similar alias that simply locks the calling console rather than logging out, for example if the above alias causes problems. It requires a program for locking consoles:

 emerge -av vlock

Then add an alias to your .bashrc along the lines of:

 alias strtx="startx & vlock"

And remember to type strtx instead of startx.

Fix 4: Using 'screen'

This method does not require you to lock down the X server. You log in normally through the console and start screen before running startx. You then come back to the console using a hotkey, detach from your screen session and log off the console. This method has the added benefit of letting you see X's output from inside X by reattaching to your screen session from a vterm.

Code: Installing screen
 emerge -Da screen

When logging on to a console, simply start 'screen':

Code: Starting screen
 $ screen

Your terminal will be cleared as an effect of screen starting. Once screen is started, start X as usual:

Code: Starting X from within screen
 $ startx

Now use the X hotkey to get back to the console that you started X from (usually Ctrl+Alt+F1), and then detach from screen by holding Ctrl, hitting (not holding) the 'a' key, and then hitting the 'd' key. Screen will tell you that you have detached from it, and you can now log out.

Code: Logging out of the console
 $ logout

Use Alt+F7 to get back to your secured X session. To view its output, you can reattach your screen session from a vterm:

Code: Reattaching to your screen session (That is running X)
 $ screen -r
Retrieved from "http://www.gentoo-wiki.info/TIP_Fix_The_Login_Security_Hole"

Last modified: Fri, 05 Sep 2008 10:29:00 +0000 Hits: 12,434