Fernando de Oliveira
famobr at yahoo.com.br
Mon Feb 13 07:24:05 PST 2012
Bruce, thank you very much for the replies.
On 12-02-2012 19:17, Bruce Dubbs wrote:
> Fernando de Oliveira wrote:
>> I used to do that for months (or even years?) until one day I read
>> about security issues if not using a dm,
> That seems pretty lame. You only need to do Ctrl-Alt-F2 to get to a
> login prompt unless there have been changes to the default inittab.
I think I found one of the pages I saw long ago about this:
> Warning: Note that there is a significant security difference when using plain startx instead of a login manager. Thus you run startx from your shell you are always able to switch from X (usually on tty7) back to tty1 (Ctrl+Alt+F1) and gain control over the user shell even when the screen is locked (e.g. via XScreenSaver, i3lock, alock-svn or lualock-git). A solution: replace exec startx with exec nohup startx > .xlog & vlock. This will start X, redirect the print out to ~/.xlog and lock the shell. Of course you need to install vlock first.
And it is related to your comment above, but to my understanding, in the opposite sense. Funny thing, I tried it in the VM running LFS "svn 7.0" (X, but no dm, no vm-tools), LFS 6.8 (my default machine, where I am writing this post, LXDE/LXDM, open-vm-tools), and got the new login prompt, but, to my surprise, in the *host*!!! So, agreement with Bruce.
>> and installed slim. I have
>> spent about an hour now, trying to find it if it was on Arch or
>> Gentoo, without success. As I do not have much security knowledge, I
>> believed it.
> I'd like to see that rationale. Most dm instances are a bigger problem
> because they usually enable XDMCP by default.
Part already answered above. I do not know what "XDMCP" is, but searching for the page referred to above, I saw references to this. Later, I will read about this.
At the moment, what is more important to me is: what would be a reasonably secure way to start X? At the moment, I am using "startx" from ".bash_profile" at LFS "svn 7.0" and LXDM on the other LFS's.
The wiki.archlinux.org page has another warning, about "/etc/inittab":
> Warning: This method will not use /bin/login or register your session, therefore no session will appear in who or w. Your session will also not be authorized as 'local' by ConsoleKit, so you will be unable to shutdown/suspend/reboot or mount drives without using sudo or su.
>> Also, I notice that most linux distros use one.
> Most distros pander to the computer illiterate.
> -- Bruce
LOL. I had to look for the definition of "pander". I do not know how computer (il)literate to classify myself.
Thanks very much for the attention, again. Much appreciated.