screenlock keycombinations


evado...@gmail.com

Oct 27, 2020, 9:37:01 AM
to qubes-users
Is Qubes protected by default from these key combinations?


Backdoor #1: Ctrl-Alt-Backspace.

    This keystroke kills the X server, and on some systems, leaves you at a text console. If the user launched X11 manually, that text console will still be logged in. To disable this keystroke globally and permanently, you need to set the DontZap flag in your xorg.conf or XF86Config or XF86Config-4 file (whichever name is in use on your system). See the manual for XF86Config (or variant) for more details.

Backdoor #3: Alt-SysRq-F.

    This is the Linux kernel "OOM-killer" keystroke. It shoots down random long-running programs of its choosing, and so might target and kill xscreensaver, and there's no way for xscreensaver to protect itself from that. You can disable it globally with: sudo sh -c 'echo 176 > /proc/sys/kernel/sysrq'

    (As of version 5.41, if xscreensaver is setuid, and you are running Linux 2.6.37 or newer, xscreensaver attempts to request that the kernel's out-of-memory assassin not randomly unlock the screen on you, but it's only a request.)

Backdoor #4: Ctrl-Alt-KP_Multiply.

    This keystroke kills any X11 app that holds a lock, so typing this will kill xscreensaver and unlock the screen. This "feature" showed up in the X server in 2008, and as of 2011, some vendors are shipping it turned on by default. How nice. You can disable it by turning off AllowClosedownGrabs in xorg.conf.

There's little that I can do to make the screen locker secure so long as the kernel and X11 developers are actively working against security. The strength of the lock on your front door doesn't matter much so long as someone else in the house insists on leaving a key under the welcome mat.

In an ideal world, there would be a single X11 request named something like XGrabMagicKeys() that would, analogously to XGrabKeyboard(), disable all of these magic keystrokes until the grab was released or the program exited. It should be an X11 call, not an ioctl(), and especially not a root-only ioctl(). Needless to say, no such interface exists.

David Hobach

Oct 27, 2020, 11:45:30 AM
to evado...@gmail.com, qubes-users
On 10/27/20 2:37 PM, evado...@gmail.com wrote:
> Is Qubes protected by default from these key combinations?
>
>
> Backdoor #1: Ctrl-Alt-Backspace.
>
> This keystroke kills the X server, and on some systems, leaves you at a
> text console. If the user launched X11 manually, that text console will
> still be logged in. To disable this keystroke globally and permanently, you
> need to set the DontZap flag in your xorg.conf or XF86Config or
> XF86Config-4 file (whichever name is in use on your system). See the manual
> for XF86Config (or variant) for more details.

Didn't work with physlock, but I don't have xscreenlock.
I wonder where #2 went. ;-)

> Backdoor #3: Alt-SysRq-F.
>
> This is the Linux kernel "OOM-killer" keystroke. It shoots down random
> long-running programs of its choosing, and so might target and kill
> xscreensaver, and there's no way for xscreensaver to protect itself from
> that. You can disable it globally with: sudo sh -c 'echo 176 >
> /proc/sys/kernel/sysrq'

I got "This sysrq operation is disabled" for that one.

> (As of version 5.41, if xscreensaver is setuid, and you are running
> Linux 2.6.37 or newer, xscreensaver attempts to request that the kernel's
> out-of-memory assassin not randomly unlock the screen on you, but it's only
> a request.)
>
> Backdoor #4: Ctrl-Alt-KP_Multiply.
>
> This keystroke kills any X11 app that holds a lock, so typing this will
> kill xscreensaver and unlock the screen. This "feature" showed up in the X
> server in 2008, and as of 2011, some vendors are shipping it turned on by
> default. How nice. You can disable it by turning off AllowClosedownGrabs in
> xorg.conf.

No keypad to test...

You might be interested in [1] and [2].

[1] https://github.com/Qubes-Community/Contents/blob/master/docs/customization/screenlockers.md
[2] https://github.com/QubesOS/qubes-issues/issues/1917
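
Added example (not part of either message in this thread, and not xscreensaver's or Qubes' own code): a POSIX shell audit of the three settings named above. It interprets a kernel.sysrq value and reads DontZap and AllowClosedownGrabs from an xorg.conf-style file; the function names and the sample config are constructed for illustration, and the option parser is a simplification that matches option names exactly apart from letter case.

```shell
#!/bin/sh
# Added example: audit the settings named in this thread.

# sysrq_allows_oom_kill VALUE -> status 0 if Alt-SysRq-F is permitted.
# kernel.sysrq: 0 = all off, 1 = all on, otherwise a bitmask in which
# 64 covers process signalling (term, kill, oom-kill).
sysrq_allows_oom_kill() {
    [ "$1" -eq 1 ] && return 0
    [ $(( $1 & 64 )) -ne 0 ]
}

# xorg_option NAME FILE... -> prints the last value given for Option NAME,
# or "unset". Comment lines are skipped; an Option with no value is "true".
xorg_option() {
    name=$1; shift
    awk -v want="$name" '
        /^[ \t]*#/ { next }
        tolower($1) == "option" {
            gsub(/"/, "", $2); gsub(/"/, "", $3)
            if (tolower($2) == tolower(want))
                val = ($3 == "" ? "true" : tolower($3))
        }
        END { print (val == "" ? "unset" : val) }
    ' "$@" /dev/null
}

# audit SYSRQ_VALUE FILE... -> one report line per setting.
audit() {
    v=$1; shift
    if sysrq_allows_oom_kill "$v"; then
        echo "kernel.sysrq=$v: Alt-SysRq-F (OOM kill) is ENABLED"
    else
        echo "kernel.sysrq=$v: Alt-SysRq-F (OOM kill) is disabled"
    fi
    echo "DontZap: $(xorg_option DontZap "$@")"
    echo "AllowClosedownGrabs: $(xorg_option AllowClosedownGrabs "$@")"
}

# Constructed sample config so the script runs offline. On a real system:
#   audit "$(cat /proc/sys/kernel/sysrq)" /etc/X11/xorg.conf
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
Section "ServerFlags"
    Option "DontZap" "true"
    # Option "AllowClosedownGrabs" "true"
EndSection
EOF
audit 176 "$sample"
```

With the value 176 quoted in the thread, bit 64 is clear, so the audit reports the OOM-kill keystroke as disabled, while a value of 1 or any mask containing 64 reports it as enabled.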
