Lock Screen as root
Roberto Ragusa
mail at robertoragusa.it
Sat May 27 21:35:12 UTC 2006
Erik Hemdal wrote:
>> Erik Hemdal wrote:
>>
>>> On the gnome-list, a posting noted that one can bypass the
>> screensaver
>>> anyway with CTRL-ALT-F1, so logging in as root is dangerous. But I
>>> tried this, and while I can bypass the screensaver, I still
>> must log in
>>> to my virtual terminals. So no loss of security.
>> If root did a graphical login, you're right.
>>
>> But if root has started the X session with "startx" in one of
>> the virtual
>> terminal, you can go to that virtual terminal, do a Ctrl-C (killing X)
>> and get a root shell.
>
> I tried your idea and you're right, of course. Launching X via startx is
> insecure because it does nothing to secure root's original login shell. But
> preventing root from locking the screen doesn't make this "startx" case more
> secure.
I just replied to "I still must log in", saying that in some cases you don't
have to.
The fact that all users can lock their X session, but root can't, it's
completely unreasonable from a security point of view.
So, I agree with you.
It can be argued that the locked screen is not a good security measure and
can be worked around doing this or doing that, but in any case the problem is
that root is *missing a defense* for some unexplained reason.
Best regards.
--
Roberto Ragusa mail at robertoragusa.it
More information about the fedora-list
mailing list