
One of the functions of GNU Screen is to lock the screen.

The man page says this:

lockscreen

Lock this display. Call a screenlock program (/local/bin/lck or /usr/bin/lock or a builtin if no other is available). Screen does not accept any command keys until this program terminates. Meanwhile processes in the windows may continue, as the windows are in the `detached' state. The screenlock program may be changed through the environment variable $LOCKPRG (which must be set in the shell from which screen is started) and is executed with the user's uid and gid. Warning: When you leave other shells unlocked and you have no password set on screen, the lock is void: One could easily re-attach from an unlocked shell. This feature should rather be called 'lockterminal'.

If I log in to a Linux console, start screen, lock the session and then walk away, is there any way a person will be able to quit out of screen and use the system under my credentials? The above section from the man page isn't entirely clear to me. Assume that the attacker has no other access to the system and they won't reboot the system.

Zoredache

2 Answers

To my knowledge they cannot use your creds to get into the system.

They could use ALT-F2, ALT-F3 and so on to get command shells but would have to authenticate...

If they don't reboot the machine then I don't know any way to compromise the system through the GNU or lock screen....

If they reboot they can put the machine into single user mode and compromise the system... but AFAIK based on your scenario above you should be OK.

Thomas Denton

Nope, you're safe.

If I had to guess about what you found confusing about the man page, I'd say it was the warning part. What they are trying to say is that it isn't the screen session itself that is locked, but that instance on that specific terminal. If you have left shells where the attacker can start screen as your user, they can get access to what you have running in the locked screen.

I'm not sure why this is a scenario though. If it's a server, why don't you just login using SSH? If it's a desktop machine - why don't you run xlock instead?

Commander Keen
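The two practical points above (that $LOCKPRG must be set in the shell that starts screen, and that other sessions owned by the same user can be resumed from any unlocked shell) can be turned into a pre-lock check. The script below is an added example, not code from the question, the answers or the GNU Screen project; the function names are hypothetical, and the `screen -ls` output it parses is a constructed sample so it runs without screen installed.

```shell
#!/bin/sh
# Added example: defender-side checks around screen's lockscreen behaviour.

# lockprg_check PATH
# screen only sees $LOCKPRG from the environment it was started in, so run
# this in the launching shell before 'screen', not from inside a window.
# Returns 0 if PATH is an executable file, 1 otherwise (reason on stderr).
lockprg_check() {
    prg=$1
    if [ -z "$prg" ]; then
        echo "LOCKPRG is unset; screen will fall back to its built-in lock" >&2
        return 1
    fi
    if [ ! -x "$prg" ]; then
        echo "LOCKPRG=$prg is not an executable file" >&2
        return 1
    fi
    return 0
}

# attached_sessions
# Reads 'screen -ls' output on stdin and prints the names of sessions whose
# state (last field) is "(Attached)". The locked display itself stays
# Attached; every other session of the same user is what the man page means
# by "one could easily re-attach from an unlocked shell".
attached_sessions() {
    awk '$NF == "(Attached)" { print $1 }'
}

# count_attached
# Same input, prints the number of attached sessions as a bare integer.
count_attached() {
    attached_sessions | wc -l | tr -d ' '
}

# Constructed sample of 'screen -ls' output (session names are invented).
# Some screen builds print a timestamp column before the state; $NF copes
# with both layouts.
SAMPLE_LS='There are screens on:
	12345.console	(Attached)
	12346.build	(Detached)
	12347.irc	(06/01/20 10:00:00)	(Attached)
3 Sockets in /run/screen/S-user.'

# Demo on the constructed sample: prints 12345.console and 12347.irc.
printf '%s\n' "$SAMPLE_LS" | attached_sessions
```

In practice you would feed `screen -ls` into `attached_sessions` and detach anything you did not expect before walking away, and run `lockprg_check "$LOCKPRG"` once in the login shell. For the re-attach case the man page itself names the fix: the `password` command in `.screenrc`, which makes screen ask for a password before a detached session can be resumed.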