Evaluate KDE screenlocker security, consider using XScreenSaver instead of KDE #888

Closed
marmarek opened this Issue Mar 8, 2015 · 8 comments

Member

marmarek commented Mar 8, 2015

Comment by axon on 18 Aug 2014 09:56 UTC
Here's how to switch to XScreenSaver in the version of KDE **currently used** in dom0:

(The instructions below are the same as these but clarified for dom0's current version of KDE.)

**1. Turn off KDE's screen saver.**

  Go to `System Tools` --> `System Settings` --> `Display and Monitor` --> `Screen Locker`.

  Uncheck "Start automatically after."

**2. Make XScreenSaver be an Autostart program.**

  Create a `.desktop` file in your autostart directory (`~/.kde/Autostart/`) called `xscreensaver.desktop` that contains the following five lines:

```ini
[Desktop Entry]
Exec=xscreensaver
Name=XScreenSaver
Type=Application
X-KDE-StartupNotify=false
```

**3. Make the various "lock session" buttons call xscreensaver.**

  Replace the contents of `/usr/libexec/kde4/kscreenlocker_greet` with the following two lines:

```sh
#!/bin/sh
xscreensaver-command -lock
```

  Make sure the file is executable (`chmod a+x`).

User preferences may then be set by going to System Tools --> Screensaver. No screensaver display mode animations (AKA "hacks") are included by default. The user could probably install some via yum, but this should be weighed against the security implications of downloading and installing additional packages in dom0.

Known issue: Using a KDE "Active Screen Edge Action" to try to lock the screen can cause a crash. (This setting is controlled by the user in System Tools --> System Settings --> Workspace Behavior --> Screen Edges.) The screen should instead be locked with a key combination (default: CTRL+ALT+L) or by simply waiting for the user-definable timeout interval.

Member

marmarek commented Mar 8, 2015

Comment by axon on 21 Aug 2014 20:21 UTC
And, of course, the most security-critical known issue: When using multiple monitors (on some systems), the entire screen is visible while the screen is "locked." (Further testing seems to show that this particular problem is actually worse with XScreenSaver than with the default KDE screen locker. With the default KDE screen locker, I've only ever witnessed garbled parts of the screen visible while locked.)

Member

marmarek commented Mar 8, 2015

Comment by marmarek on 4 Sep 2014 20:41 UTC
Also a good idea to disable the "new session"/"switch user" feature, which doesn't make any sense on Qubes.

XScreenSaver FAQ:

> If gdmflexiserver is installed on your system, there should be a "New Login" button on xscreensaver's unlock dialog. If that doesn't appear or doesn't work right, check the setting of the "newLoginCommand" preference in the XScreenSaver.ad app-defaults file.

XScreenSaver man page:

> newLoginCommand (class NewLoginCommand)
> If set, this is the shell command that is run when the "New Login" button is pressed on the unlock dialog box, in order to create a new desktop session without logging out the user who has locked the screen. Typically this will be some variant of gdmflexiserver (1) or kdmctl (1).

Member

marmarek commented Mar 8, 2015

Comment by axon on 7 Sep 2014 04:28 UTC
Replying to axon:

> Here's how to switch to XScreenSaver in the version of KDE **currently used** in dom0:
>
> (The instructions below are the same as these but clarified for dom0's current version of KDE.)
>
> **1. Turn off KDE's screen saver.**
>
>   Go to `System Tools` --> `System Settings` --> `Display and Monitor` --> `Screen Locker`.
>
>   Uncheck "Start automatically after."
>
> **2. Make XScreenSaver be an Autostart program.**
>
>   Create a `.desktop` file in your autostart directory (`~/.kde/Autostart/`) called `xscreensaver.desktop` that contains the following five lines:
>
> ```ini
> [Desktop Entry]
> Exec=xscreensaver
> Name=XScreenSaver
> Type=Application
> X-KDE-StartupNotify=false
> ```
>
> **3. Make the various "lock session" buttons call xscreensaver.**
>
>   Replace the contents of `/usr/libexec/kde4/kscreenlocker_greet` with the following two lines:
>
> ```sh
> #!/bin/sh
> xscreensaver-command -lock
> ```
>
>   Make sure the file is executable (`chmod a+x`).
>
> User preferences may then be set by going to System Tools --> Screensaver. No screensaver display mode animations (AKA "hacks") are included by default. The user could probably install some via yum, but this should be weighed against the security implications of downloading and installing additional packages in dom0.
>
> Known issue: Using a KDE "Active Screen Edge Action" to try to lock the screen can cause a crash. (This setting is controlled by the user in System Tools --> System Settings --> Workspace Behavior --> Screen Edges.) The screen should instead be locked with a key combination (default: CTRL+ALT+L) or by simply waiting for the user-definable timeout interval.

Unfortunately, the above changes appear to have been at least partially reverted by a recent dom0 update.

Member

marmarek commented Mar 8, 2015

Comment by marmarek on 7 Sep 2014 07:36 UTC
Replying to axon:

> Replying to axon:
>
> > Here's how to switch to XScreenSaver in the version of KDE **currently used** in dom0:
> >
> > (The instructions below are the same as these but clarified for dom0's current version of KDE.)
> >
> > **1. Turn off KDE's screen saver.**
> >
> >   Go to `System Tools` --> `System Settings` --> `Display and Monitor` --> `Screen Locker`.
> >
> >   Uncheck "Start automatically after."
> >
> > **2. Make XScreenSaver be an Autostart program.**
> >
> >   Create a `.desktop` file in your autostart directory (`~/.kde/Autostart/`) called `xscreensaver.desktop` that contains the following five lines:
> >
> > ```ini
> > [Desktop Entry]
> > Exec=xscreensaver
> > Name=XScreenSaver
> > Type=Application
> > X-KDE-StartupNotify=false
> > ```
> >
> > **3. Make the various "lock session" buttons call xscreensaver.**
> >
> >   Replace the contents of `/usr/libexec/kde4/kscreenlocker_greet` with the following two lines:
> >
> > ```sh
> > #!/bin/sh
> > xscreensaver-command -lock
> > ```
> >
> >   Make sure the file is executable (`chmod a+x`).
> >
> > User preferences may then be set by going to System Tools --> Screensaver. No screensaver display mode animations (AKA "hacks") are included by default. The user could probably install some via yum, but this should be weighed against the security implications of downloading and installing additional packages in dom0.
>
> Unfortunately, the above changes appear to have been at least partially reverted by a recent dom0 update.

What do you mean? I guess some KDE update restored the content of kscreenlocker_greet, right?

Member

marmarek commented Mar 8, 2015

Comment by axon on 7 Sep 2014 08:46 UTC
Replying to marmarek:

> Replying to axon:
>
> > Replying to axon:
> >
> > > Here's how to switch to XScreenSaver in the version of KDE **currently used** in dom0:
> > >
> > > (The instructions below are the same as these but clarified for dom0's current version of KDE.)
> > >
> > > **1. Turn off KDE's screen saver.**
> > >
> > >   Go to `System Tools` --> `System Settings` --> `Display and Monitor` --> `Screen Locker`.
> > >
> > >   Uncheck "Start automatically after."
> > >
> > > **2. Make XScreenSaver be an Autostart program.**
> > >
> > >   Create a `.desktop` file in your autostart directory (`~/.kde/Autostart/`) called `xscreensaver.desktop` that contains the following five lines:
> > >
> > > ```ini
> > > [Desktop Entry]
> > > Exec=xscreensaver
> > > Name=XScreenSaver
> > > Type=Application
> > > X-KDE-StartupNotify=false
> > > ```
> > >
> > > **3. Make the various "lock session" buttons call xscreensaver.**
> > >
> > >   Replace the contents of `/usr/libexec/kde4/kscreenlocker_greet` with the following two lines:
> > >
> > > ```sh
> > > #!/bin/sh
> > > xscreensaver-command -lock
> > > ```
> > >
> > >   Make sure the file is executable (`chmod a+x`).
> > >
> > > User preferences may then be set by going to System Tools --> Screensaver. No screensaver display mode animations (AKA "hacks") are included by default. The user could probably install some via yum, but this should be weighed against the security implications of downloading and installing additional packages in dom0.
> >
> > Unfortunately, the above changes appear to have been at least partially reverted by a recent dom0 update.
>
> What do you mean? I guess some KDE update restored the content of kscreenlocker_greet, right?

Yes, it looks like that's what it was. Is there an easy way to prevent that?

Member

marmarek commented Mar 8, 2015

Comment by marmarek on 7 Sep 2014 08:54 UTC
Replying to axon:

> Replying to marmarek:
>
> > What do you mean? I guess some KDE update restored the content of kscreenlocker_greet, right?
>
> Yes, it looks like that's what it was. Is there an easy way to prevent that?

Yes, using a trigger from some other package. But this is more of an ugly hack than a proper solution...
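
As an added check that is not part of this issue or of the Qubes project's code, and that covers both the newLoginCommand discussion above and the problem of a dom0 update silently putting the KDE greeter back: a POSIX sh script that verifies the three pieces of the switch (wrapper script, autostart entry, disabled "New Login" button) are still in place. The `~/.xscreensaver` resource file and the convention of disabling the button by giving `newLoginCommand` an empty value are assumptions.

```shell
#!/bin/sh
# Added check, not code from this issue or the Qubes project: verifies that the
# XScreenSaver switch described in the thread is still in effect in dom0, so a
# package update that silently restores the KDE greeter is noticed, and that the
# "New Login" button is off. Assumed: resources live in ~/.xscreensaver and the
# button is disabled by giving newLoginCommand an empty value there.

# greet_is_wrapper FILE: 0 if FILE is an executable shell wrapper running
# "xscreensaver-command -lock"; 1..4 say which condition failed.
greet_is_wrapper() {
    f=$1
    [ -f "$f" ] || return 1
    [ -x "$f" ] || return 2
    [ "$(head -c 2 "$f")" = '#!' ] || return 3   # a restored greeter is an ELF binary
    grep -Eq '^xscreensaver-command[[:space:]]+-lock' "$f" || return 4
}

# autostart_ok FILE: 0 if the autostart .desktop entry from step 2 is intact.
autostart_ok() {
    f=$1
    [ -f "$f" ] || return 1
    grep -q '^\[Desktop Entry\]' "$f" || return 2
    grep -q '^Exec=xscreensaver$' "$f" || return 3
}

# newlogin_disabled FILE: 0 if FILE has an uncommented newLoginCommand resource
# with an empty value (X resource comments start with "!").
newlogin_disabled() {
    f=$1
    [ -f "$f" ] || return 1
    grep -Eq '^[^!]*newLoginCommand:[[:space:]]*$' "$f"
}

# run_check FUNC FILE: print one status line, count failures in $fails.
fails=0
run_check() {
    "$1" "$2"
    rc=$?
    if [ "$rc" -eq 0 ]; then echo "OK   $1 $2"; return; fi
    echo "FAIL $1 $2 (code $rc)"
    fails=$((fails + 1))
}

# check_all GREET DESKTOP XRES: run the three checks, return the failure count.
check_all() {
    fails=0
    run_check greet_is_wrapper "$1"
    run_check autostart_ok "$2"
    run_check newlogin_disabled "$3"
    return "$fails"
}

# "sh check-locker.sh run" checks the dom0 paths named in the thread; without
# "run" (e.g. when sourced) the file only defines the functions.
if [ "${1:-}" = run ]; then
    check_all /usr/libexec/kde4/kscreenlocker_greet \
        "$HOME/.kde/Autostart/xscreensaver.desktop" "$HOME/.xscreensaver"
fi
```

A non-zero exit from `check_all` after a dom0 update is the signal that the greeter (or another piece) was reverted and the steps above need to be reapplied.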

Member

marmarek commented Mar 8, 2015

Comment by marmarek on 11 Sep 2014 00:21 UTC
Given that xscreensaver isn't bug-free either, we decided not to switch to it on KDE and stay with the current state: KDE uses kscreenlocker, Xfce uses xscreensaver.
BTW, the multimonitor problem you've described has never happened to me. But the "not locking at all" problem has happened...
There are also alternatives like xautolock+vlock/physlock, but for now let the user make the choice about a possible screenlocker switch.

However, "switch user" functionality is (finally) disabled:
http://git.qubes-os.org/?p=marmarek/desktop-linux-kde.git;a=commit;h=0dcc4651b1f07ffc2058d353a288d73cc173083a
http://git.qubes-os.org/?p=marmarek/desktop-linux-xfce4.git;a=commit;h=f7dbe212bf2fe260fb6349e1bea91d552efb8f5c
