Screen lock settings: How to restrict changes?

ElvisImprsntr · 09-24-2007, 10:39 AM

BACKGROUND

I am running xscreensaver and have configured the settings to lock the screen automatically after 15 minutes. I have searched through the Linux - Security forum here and came across similar questions on other forums http://nixcraft.com/getting-started-...rotection.html

Under Windows, in the Group Policy Object Editor, collapse Computer Configuration, under User Configuration, expand Administrative Templates, expand Control Panel, and then click Display. Then set Password protect the screen saver = enabled and Screen Saver Timeout = [no. of seconds]. This prevents user from changing the timeout and password protect settings.

Under Linux using xscreensaver, because it runs with setuid for root privileges in order to access the password and shadow files, even if I set the owner:group to root:root, xscreensaver will write over the .xscreensaver file and reset change the owner:group back to what it was previously for that userid.

I pinged the author of xscreensaver, whom for the most part confirmed this.

QUESTION

Is there a way to change the permissions of the .xscreensaver file and/or of the xscreensaver setuid process to restrict users from changing the lock settings?

Or is there another tool or option to restrict changes?

Elvis

GrapefruiTgirl · 09-25-2007, 10:15 PM

I have tried too, to make my .xscreensaver file unchangeable, but it just doesn't work.

An idea: The method I use to edit or configure my screensaver is 'xscreensaver-demo'. This is the recomended way, according to the docs. Locate this script in /usr/X11/bin/ and remove the execute permissions from it. Now, the screensaver daemon still works, but the configuration tool doesn't.

NOTE: there might be another tool/script which can also be used to config the screensaver. I don't know for sure, but if there is, do the same to that.

Now, change the users .xscreensaver file to root:root r--r--r

Does this help? More importantly, does it work?

(I'm testing whether the second part works.. Back in a few moments.)

EDIT: Yes, this seems to work.

ElvisImprsntr · 09-26-2007, 06:42 PM

GrapefruiTgirl,

Thanks! Work great.

On my Debian distro the GUI script lives in /usr/bin/xscreensaver-demo and I changed the .xscreensaver permissions to root:root rw-r-r

Elvis

P.S. I'll try and send some sunshine your way!

GrapefruiTgirl · 09-26-2007, 07:01 PM

Great, I'm glad that works for you!

I started messing with the .xscreensaver pieces a while back after spending a significant amount of time hand tuning my screensaver. What annoyed me was that if I wanted to start the -demo just to LOOK AT things, like to browse some other savers, it would instantly overwrite my custom file, even if I didn't do anything, and I got tired of replacing my file with the backup I had made eventually.

Anyhow, happy computing, and thank you for the kind offer of sunshine-- perfect timing for us up this way