Re: [i3] Feature request: disable switching to virtual terminal with i3lock
- From: Axel Wagner <mail@xxxxxxxxxxx>
- To: Izzy <me@xxxxxxxxx>, i3-discuss@xxxxxxxxxxxxx
- Date: Wed, 08 Jan 2014 09:43:16 +0100
Hi,
Izzy <me@xxxxxxxxx> writes:
There's just one thing that kind of bothers me, though: with slimlock
it's possible to use an option (called 'tty_lock') which disables
switching to another virtual terminal while the screen is locked (using
VT_LOCKSWITCH).
I think this is a nice "security feature", if you wish. So, I was
wondering: first if this would be desirable in i3lock, and in that case
if it could be possible to add a similar option. It doesn't seem to be
_that_ difficult to implement, but unfortunately I don't know C, so
submitting a patch is out of the question.
Yuck. I'm no expert, but this seems only possible, if you run as
root. And indeed, slimlock is installed setuid root. I don't think, it
is very wise, to have an X-application run as setuid root, let alone
i3lock, I'm not sure, the code is ripe for that as that's not the
security model it was written under.
I also wouldn't use slimlock in the future, btw. I wouldn't trust any
application with code like [1] for security-sensitive purposes (let
alone having it setuid root). Indeed, AFAICT slimlock is not even
dropping it's priviledges at any point.
So, IMHO you grossly underestimate the complexity of doing this
right. You would probably need a seperate setuid-helper-binary for that
and you would have to worry about what the security-implications of this
feature are (for example: What if I log in, lock all terminals and
lock out again? No one would be able to use them. Is that acceptable?).
I think you better look for some application that does this standalone
and add it to your i3lock-invocation.
Best,
Axel
[1]
https://github.com/dannyn/slimlock/blob/master/slimlock.cpp#L86
Other related posts: