securing X without a display manager

First of all, I should start by describing my desktop setup briefly to provide the context for this post.

I use i3 as a window manager, primarily running on funtoo.

i3 comes with a really nice screen locking program called i3lock that provides a bunch of well-documented options for your locking pleasure, including the ability to use a background picture, as well as optionally using a windows-style mouse pointer at the lock screen ;-)

However, this doesn’t mean that someone bent on getting into your box won’t try a quick ctrl-alt-Fn to see whether your “Windows” desktop is actually frozen or whether you are running some *nix system, which could land them rather quickly in the tty you started your X server from.

Then a quick ctrl-c kills startx, and this nefarious goon is sitting in a shell logged in as whatever user you were running X as, which is most likely your normal user, perhaps the most privileged account on the device. Yikes!

First things first:

alias startx in ~/.bashrc

alias startx='\/usr/bin/nohup \/usr/bin/startx & exit'

nohup makes the following command (here startx) immune to hangups, so it survives the tty being logged out; if its output would have gone to the terminal, it is redirected to nohup.out in the current directory instead. The “& exit” is fairly self-explanatory: the & puts the command in the background, and exit then ends our login session on the tty.

source ~/.bashrc, then startx and switch back to the tty you started from. You should see a login prompt. If so, congratulations, phase one is complete: your running X instance can no longer be killed from that tty without someone first logging in and killing it themselves. This is perhaps the most important part, but how secure is this if you walk away leaving your running X instance unlocked?
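If you want to verify phase one from a script rather than by eyeballing the login prompt, here is an added check that is not part of the original post: given the output of `ps -eo tty=,comm=`, it lists every virtual console (ttyN) that still has an interactive shell on it, which is exactly where a ctrl-alt-Fn visitor would land. It goes slightly beyond the post by reporting every exposed console, not just the one X was started from. The list of shell names, the function names and the two sample process listings are assumptions constructed for this example.

```sh
#!/bin/sh
# Added check (not from the original post): list the virtual consoles that
# still have an interactive shell logged in.  Feed exposed_vts the output of
# `ps -eo tty=,comm=` ("<tty> <command>" per line).

# Commands treated as a logged-in shell; an assumption, extend for your own.
SHELLS='bash sh dash zsh fish ksh'

exposed_vts() {
    # $1: "<tty> <comm>" lines.  Prints each ttyN that has a shell on it,
    # once, in first-seen order.  Pseudo-terminals (pts/N) are skipped: they
    # belong to terminal emulators inside X, not to a console you can reach
    # with ctrl-alt-Fn.
    printf '%s\n' "$1" | awk -v shells="$SHELLS" '
        BEGIN { n = split(shells, s, " "); for (i = 1; i <= n; i++) ok[s[i]] = 1 }
        $1 ~ /^tty[0-9]+$/ && ($2 in ok) && !seen[$1]++ { print $1 }'
}

check_consoles() {
    # Interactive wrapper: exit status 0 when no console is exposed.
    vts=$(exposed_vts "$(ps -eo tty=,comm=)")
    if [ -n "$vts" ]; then
        echo "EXPOSED: shell still logged in on: $(printf '%s' "$vts" | tr '\n' ' ')"
        return 1
    fi
    echo "OK: no logged-in shell on any virtual console"
    return 0
}

# Constructed sample: X started with a plain `startx`; the login shell is
# still sitting on tty1 behind the X session (the dangerous state).
PLAIN_STARTX='tty1 login
tty1 bash
tty1 startx
tty1 xinit
tty1 Xorg
tty1 i3
pts/0 bash
tty2 agetty'

# Constructed sample: after `nohup startx & exit`, getty owns tty1 again and
# the only remaining shell runs in a terminal emulator inside X (pts/0).
DETACHED='tty1 agetty
? xinit
tty1 Xorg
? i3
pts/0 bash
tty2 agetty'

if [ "$(exposed_vts "$PLAIN_STARTX")" = "tty1" ]; then
    echo "plain startx sample: tty1 is exposed"
fi
if [ -z "$(exposed_vts "$DETACHED")" ]; then
    echo "detached startx sample: no console exposed"
fi
```

Run `check_consoles` from any terminal inside X after starting it the new way; if it prints anything other than OK, a tty is still logged in and ctrl-alt-Fn plus ctrl-c gets straight to it.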

Not very, so let’s also set up a solution to auto-lock the display using xautolock, which should be available in your distribution’s package repository.

edit your ~/.xinitrc to automagically start xautolock when you startx

you should add the xautolock line before the line that tells your DE/WM to start. In my case the end of the file looks like this:

\/usr/bin/xautolock -time 5 -locker '/usr/bin/i3lock -i /home/$USER/some/path/picture.png -u' &
exec /usr/bin/i3 

the -time option determines how long xautolock waits before locking the display; the unit is minutes, and the default is 10. -locker specifies the program to run, in this case the aforementioned i3lock, with -i passing the image to use and -u disabling the unlock indicator, so keypresses give no visual feedback on screen. By default i3lock hides the mouse pointer, but you could easily add “-p win” if you want to mess with people.

Finally I like to use the same lock screen and options if I decide to engage i3lock manually, so I will alias these options in my ~/.bashrc as well.

alias i3lock='\/usr/bin/i3lock -i /home/$USER/some/path/picture.png -u'

and that is it. Enjoy your more secure X environment.

  • A side note is that I tend to prefix important commands in ~/.bashrc with the \ to make sure that they are really aliased to their actual command. It is just a bit of an OCD thing, so feel free to ignore it in this case.