Re: Any ways to software lock a Linux PC?
From: Ognen Duzlevski (maketo_at_mx.freeshell.org)
Date: Fri, 7 Nov 2003 04:13:21 +0000 (UTC)
In comp.os.linux.development.apps Norm Dresner <email@example.com> wrote:
> Before I reinvent the wheel, I'll describe the problem we have:
> In a secure environment where unattended processing is allowed, there must
> be a way to lock a "terminal" or PC to prevent anyone but the holder of the
> password (or an authorized administrator) to bypass the lock and gain access
> to the process(es) running on the "terminal" or PC. [Power cycling doesn't
> count because that doesn't grant access to the process(es), just to the
> normal login mechanisms].
For all logged-in sessions, see vlock and xlock.
> Just about every serial terminal attached to a mainframe had such a locking
> mechanism, usually a program running in the foreground which demanded a
> password to release its exclusive hold on the terminal. PCs running most
> flavors of windows are similarly lockable, but Linux presents a huge
> security hole in its (at least in the default installation) 6 text terminals
> plus an X-window session. Unless all (7) of these are locked, the machine
> is insecure and anyone who can log into the unlocked sessions can defeat the
> locking by simple means.
If no one has logged into the terminal screen or X session, then they will be
faced with a login/password prompt, and this would be pretty much equivalent
to a "locked" computer, perhaps the only difference being (if I understand you
correctly) that anyone else has a shot at logging in, as opposed to a "locked
terminal" where the user who locked the terminal (and root) are the only ones
that can unlock it and thus gain access to the processes. However, if someone
else logged into the computer, unless they were root, they are unlikely to
have access to your unattended processes anyways. Gaining (unauthorized)
access as somebody is better than no access at all (in the eyes of the
intruder) but still does not mean they will be able to do anything bad or
escalate their privileges in any way.
> What we need is a mechanism that operates, probably at the kernel level, to
> secure the entire computer with a single locking mechanism. I can probably
> write such a kernel module but finding one already written and debugged
> would be more convincing to our security department.
What you are doing is defining a problem in terms of its solution and that usually doesn't work ;)
For a moment I thought this posting was a troll...