LinuxQuestions.org
Old 08-23-2007, 02:34 AM   #1
aal
Member
 
Registered: Jul 2006
Location: Qld
Distribution: Debian sid, Ubuntu
Posts: 182

Rep: Reputation: 16
How to require password when resuming after swsusp


Hi,

After using bash shell to suspend machine with swsusp, then restarting the machine, it goes straight to desktop without asking for password.

This is bad because the bash shell is still there, with root access (necessary to run swsusp).

I'd like to require password after resume from swsusp.

What to do?

Suse 10.1 / KDE


I'd also like to run swsusp from desktop icon, without having to switch to root manually in the first place.

thanks ..... andrew.
 
Old 08-23-2007, 03:10 AM   #2
b0uncer
LQ Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
Definitely don't run it from root account. A better way is, for example, to configure sudo so that you (or your preferred user(s)) can run the command without password asked (or with the user's password asked, if you like - better this way). For this install sudo, configure /etc/sudoers file (add the preferred user along with the command; see the example lines there for syntax) and that should be it. Somewhere I saw that users had to be in the 'sudo' group before it worked, so if it's not working before that, you can try adding the users there.

After it's configured, the users can run
Code:
sudo command
to run command with root privileges (possibly with sudo asking for the user's password). Note: don't let anybody run sudo, a shell or similar with sudo (read: think carefully what you let them run, and restrict it as tightly as possible) because that will result in a root login with no restrictions.

Another possibility is to set uid for the executable, so it's run with root's privileges.

Have you tried what it does if you run
Code:
swsusp ; xscreensaver
This is just off the top of my head, but would it then run swsusp, and when it returns, next run xscreensaver (in case you ran that from X) to lock the screen? Change xscreensaver to whatever you want to lock the screen with, or possibly "logout" or "exit"..not sure if it works, but try. Creating a desktop icon for that should be easy, at least using sudo or setuid (prefer sudo, without password if it's needed..).
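An added example, not part of b0uncer's post: a small shell helper that prints a sudoers rule limited to one absolute command path with no arguments, and refuses shells and launchers. The helper names, the refused-name list (not exhaustive) and the sample user `andrew` are assumptions; `/sbin/swsusp` is the path used later in this thread.

```shell
#!/bin/sh
# Added example, not from the thread. sudoers_rule and check_sudoers are
# hypothetical helper names; "andrew" is a constructed sample user.

# sudoers_rule USER_OR_%GROUP COMMAND
# Print a rule that lets the user run exactly COMMAND as root, with no
# arguments and no password. Refuses input that would widen the grant.
sudoers_rule() {
    user=$1 cmd=$2
    case $user in
        ''|*[!A-Za-z0-9_%-]*) echo "bad user or %group name" >&2; return 1 ;;
    esac
    case $cmd in
        /*) ;;    # absolute path, so sudo never searches PATH for it
        *)  echo "command must be an absolute path" >&2; return 1 ;;
    esac
    case $cmd in
        *[!A-Za-z0-9_./-]*) echo "no spaces, wildcards or arguments" >&2; return 1 ;;
    esac
    # Obvious shells and launchers only; this list is not exhaustive.
    case ${cmd##*/} in
        sh|bash|dash|zsh|ksh|su|sudo|env) echo "refusing a shell or launcher" >&2; return 1 ;;
    esac
    # The trailing "" allows the command only when called with no arguments.
    printf '%s ALL=(root) NOPASSWD: %s ""\n' "$user" "$cmd"
}

# check_sudoers FILE: syntax-check a fragment before installing it.
check_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not found; fragment not checked" >&2
        return 2
    fi
}

# Prints: andrew ALL=(root) NOPASSWD: /sbin/swsusp ""
sudoers_rule andrew /sbin/swsusp
```

Write the printed rule to a scratch file and run `check_sudoers` on it before copying it into place, so a syntax error cannot lock sudo out.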
 
Old 08-23-2007, 05:02 AM   #3
aal
Member
 
Registered: Jul 2006
Location: Qld
Distribution: Debian sid, Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 16
Hi b0uncer,

sudo is very helpful. I set it up to allow all users to access swsusp without password. That works well. I also love the default insults if you make a mistake. Using swsusp ; xscreensaver suspends the machine, but when it resumes, it does not go into screensaver, but prompts for settings. xscreensaver-command -activate is the go. That disables the screen immediately.

So, thank you very much, the problem is solved. I've also bios disabled all other boots except for hard disk, and password protected bios and grub. Is there any way in left? If not, I should put it all in a script?

regards..... andrew.
 
Old 08-23-2007, 05:38 AM   #4
b0uncer
LQ Guru
 
Registered: Aug 2003
Distribution: CentOS, OS X
Posts: 5,131

Rep: Reputation: Disabled
Quote:
Originally Posted by aal
Using swsusp ; xscreensaver suspends the machine, but when it resumes, it does not go into screensaver, but prompts for settings. xscreensaver-command -activate is the go. That disables the screen immediately.
Sorry, my mistake - didn't remember 'xscreensaver' merely runs the settings dialog. Well, good you sorted it out. You can make the script all right, there are very probably some holes left (if there was a sure way to set up everything in a secure way, there would already be a howto for it) but the greatest ones are BIOS and bootloader passwords (most people don't bother setting them). You should probably read Slackbook (visit www.slackware.org) which has some good information, and if you're interested in security overall, get (loan, they're not too cheap) some books about securing a UNIX system, or about computer security in general. The path is endless, but for example here at LQ are some nice documents (howtos, threads, ..) about making a good start for securing it.

You could also add something more to the command, knowing that "a ; b" means "execute b after a has finished", "c && d" means "execute d if c finishes successfully" and that "e || f" means "execute f only if e exits with errors". So, if for some reason xscreensaver couldn't run, the system would probably leave a shell open unless you did something to it. This is probably minor, but you can always play around and see how it goes, for example with a line like this
Code:
sudo swsusp ; xscreensaver-command -activate || sudo reboot
just as an example, the starting part is the same you already tried, but in the end "sudo reboot" would be run if xscreensaver exited abnormally (with return value different from zero). Something like that. Rebooting is not necessarily the best idea, but you probably got what I meant.
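An added example, not part of the post above: it traces which steps of the chain actually run for each combination of exit statuses, using stub functions in place of swsusp, the screen locker and reboot. `trace_chain` and the `do_*` stubs are hypothetical names.

```shell
#!/bin/sh
# Added example: which steps of "suspend ; lock || fallback" really run?
# Stubs stand in for swsusp, the screen locker and reboot, so this is safe
# to run anywhere. trace_chain and the do_* names are hypothetical.

# trace_chain CHAIN SUSPEND_RC LOCK_RC
# Evaluates CHAIN with stubs that exit with the given statuses and prints
# the steps that ran, in order.
trace_chain() (
    set +e    # behave like a launcher command line, not a 'set -e' script
    chain=$1 suspend_rc=$2 lock_rc=$3 ran=""
    do_suspend()  { ran="$ran suspend";  return "$suspend_rc"; }
    do_lock()     { ran="$ran lock";     return "$lock_rc"; }
    do_fallback() { ran="$ran fallback"; return 0; }
    eval "$chain"
    echo "${ran# }"
)

THREAD_FORM='do_suspend ; do_lock || do_fallback'   # shape of the line above
AND_FORM='do_suspend && do_lock || do_fallback'     # ';' swapped for '&&'

# Print every combination when run as a script.
for form in "$THREAD_FORM" "$AND_FORM"; do
    for rc in "0 0" "0 1" "1 0" "1 1"; do
        # ${rc% *} and ${rc#* } pick the suspend and lock statuses
        printf '%-40s suspend=%s lock=%s -> %s\n' "$form" "${rc% *}" "${rc#* }" \
            "$(trace_chain "$form" "${rc% *}" "${rc#* }")"
    done
done
```

With `;` the lock step runs even when the suspend step fails; with `&&` a failed suspend skips the lock and goes straight to the fallback.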
 
Old 08-23-2007, 05:49 AM   #5
aal
Member
 
Registered: Jul 2006
Location: Qld
Distribution: Debian sid, Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 16
Hi B0uncer,

Got it. I've also dropped /usr/bin/xscreensaver -no-splash into my autostart folder, so that whenever the machine is rebooted, it's there right away, without going into the setup dialogues. Otherwise xscreensaver-command does nothing. (just in case anyone else is trying to do the same thing).

I'll check out those other options, which just have to be useful in all sorts of other ways too.

Thanks again.

regards.... andrew.
 
Old 08-23-2007, 06:08 AM   #6
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 55
Somebody with a bit of knowledge would easily defeat this..
A bit safer would be to encrypt the image, but then you need µswsusp.
 
Old 08-23-2007, 06:32 AM   #7
aal
Member
 
Registered: Jul 2006
Location: Qld
Distribution: Debian sid, Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 16
Hi nx5000,

By "encrypt the image", you mean the whole disk image of the machine state? With a password to enable decryption?

Although I'm really only trying to stop my 11 year old screwing up, you must be right. But would encrypting the image stop a user from switching power off during resume, to force a reboot?

And how would you get in, anyway?

regards..... andrew.
 
Old 08-23-2007, 07:29 AM   #8
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 55
I thought it was a laptop with sensitive information. In this case a full encryption would be the only way for 100% security, as resetting a bios password is possible or physically cloning a harddisk.

Rereading your post and considering the context, I guess it's tightened enough (although you never know with kids nowadays).

I didn't see you had locked the bios so it's not trivial. Sorry, my mistake..

Is it a problem if he forces a reboot? Because encrypting won't help, he can still poweroff-poweron during resume or even after. On next reboot he would be on the login window but I guess that's ok... ?
 
Old 08-23-2007, 07:59 AM   #9
aal
Member
 
Registered: Jul 2006
Location: Qld
Distribution: Debian sid, Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 16
Hi Nx5000,

It's tight enough. At the outset, it was just clearly dangerous to leave a shell open with root privileges, so my last post was more like a bit of natural interest.

At that age, I know that as soon as I saw the machine had been secured, I'd have been giving it a go.

Generally, I do want users to be able to boot as well as suspend from and resume to their own accounts, so it's just inconvenient if someone forces a reboot after I've suspended. I could lose open files, say. So I don't want to tempt that.

Say one user powers on the machine after another user put it into suspend to disk, is there a way to get them into their own account without destroying the original session(s), which should remain locked?

regards..... andrew.
 
Old 08-23-2007, 10:57 PM   #10
aal
Member
 
Registered: Jul 2006
Location: Qld
Distribution: Debian sid, Ubuntu
Posts: 182

Original Poster
Rep: Reputation: 16
Hi all,

Turns out there are a couple of little problems using xscreensaver for this purpose, mainly because the script should work whether the process is already running or not, and because users can kill, restart and modify settings on xscreensaver.

So, I think it gets a bit complicated that way. I found another way, xlock, which just locks the screen until password is provided. Has many options.

The entire script I'm using just now is:

sudo /sbin/swsusp ; xlock +allowroot

With permissions on the script (owner = root) set to 755, accessed from (KDE) desktop icon. I have not yet thought of a way to get around this, so if anyone can think of one, please let me know.

regards...... andrew.
 
  


All times are GMT -5. The time now is 12:40 AM.
