[Ubuntu-ZW] Screen locking with root account
Kalpesh Thaker
luminary06 at gmail.com
Mon Nov 16 09:31:31 GMT 2009
Hi Guys,

Frankly I just got tired of having to type "sudo" all the time, or having to
su every time I wanted to do something administrative in bash.
So I decided to set up my Ubuntu machine to allow me to log in as root from
the GUI.

Initially everything worked out fine, and I thought I was home and dry. I
know what I'm doing with Linux, I'm fairly confident that I
don't need to "sudo" everything on my desktop. So by logging in as root...
this would make my life so much easier.

I decided I was going to take a break from my machine for a while, and clicked
"lock screen". The screen dimmed as usual (as though it was locking).
I had then left the machine for a bit, got back, moved the mouse, and guess
what? The screen undimmed without asking for a password!!

Okay, so maybe it was a one-off thing. I tried locking the screen again, and
again, it unlocked without asking for a password.

This is weird, and I did some research to figure out what was going on. I
then came across the issue at the main xscreensavers website,
xscreensavers has been renamed to gnome-screensaver and is the primary
application used to "lock" any open X sessions.

The following was quoted on their website as the explanation for this
behaviour:

"When I'm logged in as root, xscreensaver won't lock my screen!

Don't log in as root.

Please note that xscreensaver works fine as a screen saver when you are
logged in as root: it will not, however, lock your screen when you are
logged in as root. This is for good and insurmountable security reasons.

In order for it to be safe for xscreensaver to be launched by xdm, certain
precautions had to be taken, among them that xscreensaver never runs as
root. In particular, if it is launched as root (as xdm is likely to do),
xscreensaver will disavow its privileges, and switch itself to a safe user
id (such as "nobody".)

An implication of this is that if you log in as root on the console,
xscreensaver will refuse to lock the screen (because it can't tell the
difference between root being logged in on the console, and a normal user
being logged in on the console but xscreensaver having been launched by the
xdm "Xsetup" file.)

The solution to this is simple: you shouldn't be logging in on the console
as root in the first place! (What, are you crazy or something?)

Proper Unix hygiene dictates that you should log in as yourself, and su to
root as necessary. People who spend their day logged in as root are just
begging for disaster."

Apparently this issue affects all Linux distros. However, when I log into
KDE as root (after editing /etc/kde4/kdm/kdmrc), I am able to lock the
screen correctly... no problem.

So this seems then to be a GNOME-related issue. After much research, the
only known workaround is to install a program called xlock, with the
following command: "apt-get install xlockmore"
You then type "xlock" in a terminal to lock the screen.

Now, some things to be careful of:
GUIs are a known security issue for any Linux machine... whether on the
internet or with physical access.
This is why root accounts are "banned" by default from logging into the
machine in the first place.

This screen locking workaround I have found is used on my office desktop
machine... which has no important data stored on it.
Further to add to this, I have taken other steps to secure my machine from
outside access. The only reason I have brought out this topic is
to rid myself of excess sudo commands... though I do understand that sudo is
there for a good reason.

DO NOT UNDER ANY CIRCUMSTANCES DO THIS ON A SERVER.

After doing a lot of research, I now understand why logging in as root into a
GUI can be an issue... I therefore propose the following:
- never run a GUI on a Linux server
- never ever think of logging into a GUI on a production server as root
(this should be easy enough, as the GUI shouldn't be there in the first
place!).

kalpesh
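
The behaviour described in the quoted FAQ (give up root at start-up, and refuse to lock when started as root) shown as an added C example; it is not xscreensaver's source and not part of the original post. The function names and the use of "nobody" as the safe account are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE            /* for setgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Policy from the FAQ: a process started as root cannot tell "root logged in"
 * from "started by the display manager for someone else", so it must not
 * lock the screen in that case. (Hypothetical helper name.) */
int locking_allowed(uid_t launched_as)
{
    return launched_as != 0;
}

/* Permanently switch from root to an unprivileged account.
 * Returns 0 if the process ends up without root, -1 otherwise. */
int disavow_privileges(const char *safe_user)
{
    if (geteuid() != 0)
        return 0;                              /* nothing to give up */

    struct passwd *pw = getpwnam(safe_user);
    if (pw == NULL || pw->pw_uid == 0)
        return -1;                             /* no usable safe account */

    /* Order matters: supplementary groups, then gid, then uid.
     * After setuid() the process can no longer change the other two. */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(pw->pw_gid) != 0) return -1;
    if (setuid(pw->pw_uid) != 0) return -1;

    /* Fail closed if root can still be regained. */
    if (setuid(0) == 0 || geteuid() == 0) return -1;
    return 0;
}

int main(void)
{
    uid_t launched_as = getuid();              /* record before dropping */

    if (disavow_privileges("nobody") != 0) {
        fprintf(stderr, "cannot drop root, refusing to run\n");
        return 1;
    }
    printf("launched as uid %ld, running as uid %ld, locking %s\n",
           (long)launched_as, (long)geteuid(),
           locking_allowed(launched_as) ? "enabled" : "disabled");
    return 0;
}
```

Run from a normal account it reports locking enabled; started as root it switches to the unprivileged account and reports locking disabled, which matches what the post observed in a root GNOME session.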