
Securing an X Desktop with GNU Screen


GNU Screen has many uses. An introduction and beginner's tutorial is here.

One less obvious use of screen is to help secure a workstation running X when you have to walk away, leave for the night, leave for the weekend, etc. Then no one can walk into your office, sit down at your workstation, and potentially use your privileges on network resources. This is similar to the Windows "<ctrl><alt><del> : lock workstation". IIRC, Mac also has something built in.

Display Managers offer some advantages but I do not use them because...

  • Display managers require you to run X automatically; there are many times I just don't want to
  • Display managers require you to launch X as root
  • Display managers control your machine; it is very difficult to close X and use the command line
  • Display managers generally do not recover from any X mishaps more gracefully than a re-boot

First, secure the terminal

Launch X from a screen session and detach from it.

  1. Log on to the system normally, as a user (not root)
  2. Type 'screen', and you are given a new prompt
  3. At this new prompt, launch X (type 'startx') and whichever WM/DE is set in the ~/.xinitrc loads (cwm, fluxbox, KDE, GNOME, etc.).
  4. Hold keys <CTRL><ALT><F1> to take you back to the screen prompt. Notice X running.
  5. Hold keys <CTRL><a><d> to detach ('man screen' for more) and you are back at the -original- prompt.
  6. From here, logout normally (type 'logout') and you are back at the OS prompt.
  7. <CTRL><ALT><F$> (where $ is the terminal running X) takes you back to the WM/DE

You only have to do this once for each re-boot, which is not often. If you close X and want to restart it, just re-attach to the screen session and re-launch X.
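
After step 6 the console is back at the login prompt, and the shell that owns X sits on a pseudo-terminal inside the detached screen session. The following check is an added example, not part of the original article: it scans a process listing for shells still logged in on a virtual console. It assumes Linux-style console names (tty1, tty2, ...); the function name and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Flag shells left logged in on a virtual console.
# Input: lines of "PID TTY COMMAND", e.g. from `ps -e -o pid= -o tty= -o comm=`.
# Assumption: consoles are named tty<N> (Linux); BSD names such as ttyC0 differ.

console_shells() {
    # Print "TTY PID COMMAND" for every shell whose controlling terminal is a
    # virtual console rather than a pseudo-terminal (pts/N, where screen lives).
    awk '
        $2 ~ /^tty[0-9]+$/ && $3 ~ /^(sh|ash|bash|csh|dash|ksh|tcsh|zsh)$/ {
            print $2, $1, $3
        }'
}

# Constructed sample: startx typed straight at the tty1 login shell.
SAMPLE_EXPOSED='  812 tty1  bash
  840 tty1  startx
  861 tty1  xinit
  862 tty7  Xorg
  870 tty1  fluxbox'

# Constructed sample: after steps 1-6. getty is back on tty1 and the shell
# that owns X lives on a pseudo-terminal inside the detached screen session.
SAMPLE_DETACHED='  905 tty1  agetty
  790 ?     screen
  791 pts/0 bash
  840 pts/0 startx
  861 pts/0 xinit
  862 tty7  Xorg
  870 pts/0 fluxbox'

check() {
    # $1 is a process listing; report whether any console shell was found.
    found=$(printf '%s\n' "$1" | console_shells)
    if [ -n "$found" ]; then
        printf 'EXPOSED: %s\n' "$found"
    else
        printf 'OK: no shell on a virtual console\n'
    fi
}

check "$SAMPLE_EXPOSED"
check "$SAMPLE_DETACHED"
```

On a live system, pipe `ps -e -o pid= -o tty= -o comm=` into `console_shells`; any line it prints is a console that was not logged out.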

Second, secure the window environment

Install one of the X screensaver/lock programs, like xlockmore.

Now you can hit a custom hot key combination to lock your X session and walk away from your computer knowing it is relatively secure. Without your password, no one can use your credentials. If it is a shared workstation and someone needs the box, they can log in themselves.

Copyright © 20031015 genoverly
(db datestamp: 20070821)
