Author Topic: Lock Screen insecure  (Read 6610 times)

Offline pin

  • Veteran
  • ****
  • Posts: 1838
  • Karma: 280
    • View Profile
Re: Lock Screen insecure
« Reply #30 on: September 11, 2017, 03:13:32 pm »
@murraymint
I never, ever leave my work open. Never felt comfy with suspend anyway.
Just out of curiosity, and since I haven’t been able to reproduce what you guys have been discussing. If you press Ctrl+Alt+F1 are you then inside tty1? This would be rather scary

Sent from my SM-G900F via Tapatalk


Offline murraymint

  • Trusted User
  • Veteran
  • *****
  • Posts: 2180
  • Karma: 457
  • soft boiled with a yolk of gold
    • View Profile
  • Peppermint version(s): 7, 8, 9
Re: Lock Screen insecure
« Reply #31 on: September 11, 2017, 05:00:46 pm »
Quote from: pin
If you press Ctrl+Alt+F1 are you then inside tty1? This would be rather scary

Good point, pin. You do indeed get to the tty1 shell by doing that. Aargh!

Offline pin

Re: Lock Screen insecure
« Reply #32 on: September 12, 2017, 02:14:48 am »
@murraymint
I've tried this myself now and I can get into all available tty's. But, as mentioned already mine are locked and password protected.
Once you are in the shell can you actually do anything? Would it be possible to access any files, create files, delete files and so on or do you need a password to actually use the shell?

Offline murraymint

Re: Lock Screen insecure
« Reply #33 on: September 12, 2017, 05:17:43 am »
Yeah you need a login and pass so it's not really that scary. Just seems an unintended feature that the screen lock fails briefly. Your i5s and i7s are probably too fast to give you much time to press anything.

Offline pin

Re: Lock Screen insecure
« Reply #34 on: September 12, 2017, 05:40:04 am »
Cheers  :D
Thanks for testing.

Offline PCNetSpec

  • Administrator
  • Hero
  • *****
  • Posts: 26452
  • Karma: 65531
  • "-rw-rw-rw-" .. The Number Of The Beast
    • View Profile
    • PCNetSpec
  • Peppermint version(s): Peppermint 10
Re: Lock Screen insecure
« Reply #35 on: September 12, 2017, 09:05:10 am »
Oddly I'm now having problems getting my PC to NOT enter the lockscreen BEFORE suspending so I'm having problems testing this .. but give it a try and see if it helps.

First remove the last fix attempt:
Code:
sudo rm -v /etc/pm/sleep.d/00screenlock-lock

Now run:
Code:
sudo pluma /etc/systemd/system/i3lock-on-suspend.service

and when a blank file opens make it read:
Code:
[Unit]
Description=i3lock-on-suspend
Before=sleep.target

[Service]
User=the_login_of_the_user_that_suspends
Type=forking
Environment=DISPLAY=:0
ExecStart=/usr/lib/i3lock-fancy/i3lock-fancy

[Install]
WantedBy=sleep.target

SAVE the file and exit the text editor, now activate the service with:
Code:
sudo systemctl enable i3lock-on-suspend.service

Now test.

To UNDO:-
Code:
sudo systemctl disable i3lock-on-suspend.service

then
Code:
sudo rm -v /etc/systemd/system/i3lock-on-suspend.service
« Last Edit: September 12, 2017, 09:08:41 am by PCNetSpec »
WARNING: You are logged into reality as 'root' .. logging in as 'insane' is the only safe option.

Team Peppermint
PCNetSpec
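
Added example, not part of the post above or of Peppermint's own tooling: a small shell lint for the unit file from Reply #35 that flags the settings the unit depends on (ordering before sleep.target, a real User=, a DISPLAY for the locker, an ExecStart). The function names and the sample file are constructed for illustration, and only the last value of a repeated key is checked.

```shell
# Added example (not from the thread): lint a lock-on-suspend unit file.
# unit_get FILE SECTION KEY: print the last value of KEY inside [SECTION].
unit_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[.*\]$/ { cur = $0; next }
        cur == sec && index($0, key "=") == 1 { val = substr($0, length(key) + 2) }
        END { print val }
    ' "$1"
}

# check_lock_unit FILE: print one PROBLEM line per finding; return 1 if any.
check_lock_unit() {
    f=$1; rc=0
    problem() { echo "PROBLEM: $1"; rc=1; }
    [ "$(unit_get "$f" Unit Before)" = "sleep.target" ] ||
        problem "no Before=sleep.target, locker is not ordered ahead of suspend"
    [ "$(unit_get "$f" Install WantedBy)" = "sleep.target" ] ||
        problem "no WantedBy=sleep.target, unit is not pulled in on suspend"
    case $(unit_get "$f" Service User) in
        ""|the_login_of_the_user_that_suspends)
            problem "User= is unset or still the placeholder from the post" ;;
    esac
    unit_get "$f" Service Environment | grep -q '^DISPLAY=' ||
        problem "no Environment=DISPLAY=..., locker has no X display to draw on"
    [ -n "$(unit_get "$f" Service ExecStart)" ] || problem "no ExecStart="
    return "$rc"
}

# sample_unit USER: the unit from the post with User= filled in (constructed input).
sample_unit() {
    cat <<EOF
[Unit]
Description=i3lock-on-suspend
Before=sleep.target

[Service]
User=$1
Type=forking
Environment=DISPLAY=:0
ExecStart=/usr/lib/i3lock-fancy/i3lock-fancy

[Install]
WantedBy=sleep.target
EOF
}

# Demo: the placeholder from the post was never replaced, so one PROBLEM prints.
tmp=$(mktemp); sample_unit the_login_of_the_user_that_suspends > "$tmp"
check_lock_unit "$tmp" || true; rm -f "$tmp"
```

On a real system, point `check_lock_unit` at `/etc/systemd/system/i3lock-on-suspend.service` after editing it.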

Offline murraymint

Re: Lock Screen insecure
« Reply #36 on: September 12, 2017, 09:31:07 am »
Thanks, I'll test this in a bit when I get a chance.

Offline PCNetSpec

Re: Lock Screen insecure
« Reply #37 on: September 12, 2017, 09:51:13 am »
Quote from: pin
@murraymint
I've tried this myself now and I can get into all available tty's. But, as mentioned already mine are locked and password protected.
Once you are in the shell can you actually do anything? Would it be possible to access any files, create files, delete files and so on or do you need a password to actually use the shell?

You cannot log onto the shell without an account and password (so it's no less secure than a GUI login).

Caveat:- Well you could use a kernel boot parameter to effectively set single-user mode and gain full root access in the console (assuming no encryption) .. but then like I said, if someone has local access to your PC and the drive is not encrypted it is NOT secure, simple as that .. nor (in most cases) would you want it to be, or how would you say fix a forgotten password or fix corruption, etc.

Think about it, if someone has local access there would be nothing stopping them booting a LiveUSB and accessing your files.

Offline pin

Re: Lock Screen insecure
« Reply #38 on: September 12, 2017, 11:00:10 am »
Yeap, I know...live-usb's are very useful
I've done it myself to recover files from my system and/or resize partitions.

Offline murraymint

Re: Lock Screen insecure
« Reply #39 on: September 12, 2017, 04:08:51 pm »
OK that change didn't make it lock before suspending either.

I agree it's not much of a security issue, just a slight annoyance if anyone ever notices it.

Offline pin

Re: Lock Screen insecure
« Reply #40 on: September 12, 2017, 09:08:31 pm »
Sometimes you have to love Arch for the documentation...

https://wiki.archlinux.org/index.php/Disk_encryption




Offline PCNetSpec

Re: Lock Screen insecure
« Reply #41 on: September 13, 2017, 04:26:39 am »
Full disk encryption is fine if you have something sensitive that you need protecting if your PC is stolen .. but it's a PITA if you ever have any problems.

You have to weigh up the fact you could easily lose everything yourself (including all data, possibly the ability to boot, and the means to fix) against the security gained from someone with local access .. in most cases (but obviously not all) it just isn't worth the extra hassle.
« Last Edit: September 13, 2017, 04:30:03 am by PCNetSpec »

Offline murraymint

Re: Lock Screen insecure
« Reply #42 on: September 13, 2017, 05:02:58 am »
Yes, I've seen you trying to help a user with disk encryption before and it's not something I would want to bother with.

I think we're drifting off the topic started by the OP about the screenlock though.

Offline murraymint

Re: Lock Screen insecure
« Reply #43 on: November 04, 2017, 07:55:46 am »
If you click the Menu button before the lock screen kicks in, the screenlock is also bypassed completely.

Offline scifidude79

  • Hero
  • *****
  • Posts: 4029
  • Karma: 870
    • View Profile
  • Peppermint version(s): Peppermint 9
Re: Lock Screen insecure
« Reply #44 on: November 04, 2017, 08:03:50 am »
Quote from: murraymint
If you click the Menu button before the lock screen kicks in, the screenlock is also bypassed completely.

Yep, it sure is.  Very bizarre.