Re: [hackers] [PATCH] [slock] Remove faulty example and add a section on security considerations

From: Klemens Nanni <kl3_AT_posteo.org>
Date: Wed, 28 Sep 2016 21:41:36 +0200

On Wed, Sep 28, 2016 at 09:09:24PM +0200, FRIGN wrote:
>I know this fork, and with the changes presented in this patch, slock
>is just as secure as his version.
>The difference is that he for instance implemented ways to upload
>webcam images to imgur, send SMS's and auto-shutdown when the user
>tries to switch VT's.
I removed media upload and SMS support since those features can easily
be added using a small wrapper script.

>I think these changes are not necessary. If somebody tries to change
>VT's, so be it! Especially because the shutdown sequence can open other
>attack surfaces, which he also took care of mostly, by disallowing the
>use of Sysrq in the shutdown sequence. In my opinion, with a strong
>password and setting the configs as in the manpage, slock is damn
>secure. It honestly took me a few days to analyze the "paranoid" slock
>fork to find out that what I did was sufficient.
Setting `DontVTSwitch' in xorg.conf(5) disables this feature completely
whereas chjj's fork (which mine is based on) blocks it in slock only,
which is imho a much saner approach since there are many legitimate
reasons to use multiple virtual terminals.

Same story for `DontZap': I like quickly killing X with Ctrl+Alt+BS
while this should obviously be forbidden on a locked screen.

Best regards,
kl3

Received on Wed Sep 28 2016 - 21:41:36 CEST

This archive was generated by hypermail 2.3.0 : Wed Sep 28 2016 - 21:48:26 CEST