XSecureLock is an X11 screen lock utility designed with the primary goal of security.
Screen lock utilities are widespread. However, in the past they often had security issues regarding authentication bypass (a crashing screen locker would unlock the screen), information disclosure (notifications may appear on top of the screen saver), or sometimes even worse.
In XSecureLock, security is achieved using a modular design to avoid the usual pitfalls of screen locking utility design on X11. Details are available in the Security Design section.
The following packages need to be installed; their names depend on your Linux distribution of choice, but will be similar:
auth_htpasswd module)authproto_pam module)saver_mplayer module)saver_mpv module)authproto_pamtester module)saver_xscreensaver module)NOTE: In these instructions, please replace SERVICE-NAME by the name of an
appropriate and existing file in /etc/pam.d. If xscreensaver is installed,
xscreensaver should always be a good choice; otherwise, on Debian and Ubuntu,
common-auth would work. This will be used as default and can be overridden
with XSECURELOCK_PAM_SERVICE.
Configuring a broken or missing SERVICE-NAME will render unlocking the screen
impossible! If this should happen to you, switch to another terminal
(Ctrl-Alt-F1), log in there, and run: killall xsecurelock to force unlocking
of the screen.
git clone https://github.com/google/xsecurelock.git
cd xsecurelock
sh autogen.sh
./configure --with-pam-service-name=SERVICE-NAME
make
sudo make installFirst of all, on BSD systems, /usr/local is owned by the ports system, so
unless you are creating a port, it is recommended to install to a separate
location by specifying something like --prefix=/opt/xsecurelock in the
./configure call. You can then run XSecureLock as
/opt/xsecurelock/bin/xsecurelock.
Also, in order to authenticate with PAM on FreeBSD and NetBSD, you must be root
so you can read the shadow password database. The authproto_pam binary can be
made to acquire these required privileges like this:
chmod +s /opt/xsecurelock/libexec/xsecurelock/authproto_pamFirst of all, on BSD systems, /usr/local is owned by the ports system, so
unless you are creating a port, it is recommended to install to a separate
location by specifying something like --prefix=/opt/xsecurelock in the
./configure call. You can then run XSecureLock as
/opt/xsecurelock/bin/xsecurelock.
Also, in order to authenticate with PAM on OpenBSD, you must be in the auth
group so you can run a setuid helper called login_passwd that can read the
shadow password database. The authproto_pam binary can be made to acquire
these required privileges like this:
chgrp auth /opt/xsecurelock/libexec/xsecurelock/authproto_pam
chmod g+s /opt/xsecurelock/libexec/xsecurelock/authproto_pamNote that this adds substantially less attack surface than adding your own user
to the auth group, as the login_passwd binary can try out passwords of any
user, while authproto_pam is restricted to trying your own user.
Pick one of the authentication modules and one of the screen saver modules.
Tell your desktop environment to run XSecureLock by using a command line such as one of the following:
xsecurelock
env XSECURELOCK_SAVER=saver_xscreensaver xsecurelock
env XSECURELOCK_SAVER=saver_mplayer XSECURELOCK_DISCARD_FIRST_KEYPRESS=0 xsecurelock
env XSECURELOCK_FONT=`xlsfonts | grep '\<iso10646-1\>' | shuf | head -n 1` xsecurelockJust kidding about the last one :)
IMPORTANT: Make sure your desktop environment does not launch any other locker, be it via autostart file or its own configuration, as multiple screen lockers may interfere with each other. You have been warned!
To have the authentication process start up without a keypress when
the system exits suspend/hibernate, arrange for the system to send the
SIGUSR2 signal to the XSecureLock process.
For example, you can copy the following script to the file
/usr/lib/systemd/system-sleep/xsecurelock:
#!/bin/bash
if [[ "$1" = "post" ]] ; then
pkill -x -USR2 xsecurelock
fi
exit 0Don't forget to mark the script executable.
To automatically lock the screen after some time of inactivity, use xss-lock as follows:
xset s 300 5
xss-lock -n /usr/lib/xsecurelock/dimmer -l -- xsecurelockThe option -l is critical as it makes sure not to allow machine suspend before
the screen saver is active - otherwise previous screen content may show up for a
short time after wakeup!
NOTE: When using xss-lock, it's recommended to not launch xsecurelock
directly for manual locking, but to manually lock using xset s activate. This
ensures that xss-lock knows about the locking state and won't try again, which
would spam the X11 error log.
WARNING: Never rely on automatic locking for security, for the following reasons:
An attacker can, of course, use your computer after you leave it alone and before it locks or you return.
Automatic locking is unreliable by design - for example, it could simply be misconfigured, or a pointer grab (due to open context menu) could prevent the screen lock from ever activating. Media players also often suspend screen saver activation for usability reasons.
Automatic locking should merely be seen as a fallback for the case of the user
forgetting to lock explicitly, and not as a security feature. If you really want
to use this as a security feature, make sure to kill the session whenever
attempts to lock fail (in which case xsecurelock will return a non-zero exit
status).
xautolock can be used instead of xss-lock as long as you do not care for
suspend events (like on laptops):
xautolock -time 10 -notify 5 -notifier '/usr/lib/xsecurelock/until_nonidle /usr/lib/xsecurelock/dimmer' -locker xsecurelockIdeally, an environment integrating xsecurelock should provide the following
facilities:
dimmer.dimmer and go back to the
start.dimmer exits, run xsecurelock and wait for it.xsecurelock and wait for it.xsecurelock while passing along
XSS_SLEEP_LOCK_FD and wait for it.This is, of course precisely what xss-lock does, and - apart from the suspend
handling - what xautolock does.
As an alternative, we also support this way of integrating:
until_nonidle dimmer || exec xsecurelock and wait for it."IDLETIME" timer, as this command can never exit
without those being reset).xsecurelock and wait for it.xsecurelock while passing along
XSS_SLEEP_LOCK_FD and wait for it.NOTE: When using until_nonidle with other dimming tools than the included
dimmer, please set XSECURELOCK_DIM_TIME_MS and XSECURELOCK_WAIT_TIME_MS to
match the time your dimming tool takes for dimming, and how long you want to
wait in dimmed state before locking.
Options to XSecureLock can be passed by environment variables:
XSECURELOCK_AUTH: specifies the desired authentication module (the part
that displays the authentication prompt).
XSECURELOCK_AUTHPROTO: specifies the desired authentication protocol
module (the part that talks to the system).
XSECURELOCK_AUTH_BACKGROUND_COLOR: specifies the X11 color (see manpage of
XParseColor) for the background of the auth dialog.
XSECURELOCK_AUTH_CURSOR_BLINK: if set, the cursor will blink in the auth
dialog. Enabled by default, can be set to 0 to disable.
XSECURELOCK_AUTH_SOUNDS: specifies whether to play sounds during
authentication to indicate status. Sounds are defined as follows:
XSECURELOCK_AUTH_FOREGROUND_COLOR: specifies the X11 color (see manpage of
XParseColor) for the foreground text of the auth dialog.
XSECURELOCK_AUTH_TIMEOUT: specifies the time (in seconds) to wait for
response to a prompt by auth_x11 before giving up and reverting to
the screen saver.
XSECURELOCK_AUTH_WARNING_COLOR: specifies the X11 color (see manpage of
XParseColor) for the warning text of the auth dialog.
XSECURELOCK_BACKGROUND_COLOR: specifies the X11 color (see manpage
of XParseColor) for the background of the main and saver windows.
XSECURELOCK_BLANK_TIMEOUT: specifies the time (in seconds) before telling
X11 to fully blank the screen; a negative value disables X11 blanking. The
time is measured since the closing of the auth window or xsecurelock
startup. Setting this to 0 is rather nonsensical, as key-release events
(e.g. from the keystroke to launch xsecurelock or from pressing escape to
close the auth dialog) always wake up the screen.
XSECURELOCK_BLANK_DPMS_STATE: specifies which DPMS state to put the screen
in when blanking (one of standby, suspend, off and on, where "on" means to
not invoke DPMS at all).
XSECURELOCK_BURNIN_MITIGATION: specifies the number of pixels the prompt
of auth_x11 may be moved at startup to mitigate possible burn-in
effects due to the auth dialog being displayed all the time (e.g. when
spurious mouse events wake up the screen all the time).
XSECURELOCK_BURNIN_MITIGATION_DYNAMIC: if set to a non-zero value,
auth_x11 will move the prompt while it is being displayed, but stay
within the bounds of XSECURELOCK_BURNIN_MITIGATION. The value of this
variable is the maximum allowed shift per screen refresh. This mitigates
short-term burn-in effects but is probably annoying to most users, and thus
disabled by default.
XSECURELOCK_COMPOSITE_OBSCURER: create a second full-screen window to
obscure window content in case a running compositor unmaps its own window.
Helps with some instances of bad compositor behavior (such as compositor
crashes/restarts, but also compton has been caught at drawing notification
icons above the screen locker when not using the GLX backend), should
prevent compositors from unredirecting as it's 1 pixel smaller than the
screen from every side, and should otherwise be harmless, so it's enabled
by default.
XSECURELOCK_DATETIME_FORMAT: the date format to show. Defaults to the
locale settings. (see man date for possible formats)
XSECURELOCK_DEBUG_ALLOW_LOCKING_IF_INEFFECTIVE: Normally we don't allow
locking sessions that are likely not any useful to lock, such as the X11
part of a Wayland session (one could still use Wayland applicatione when
locked) or VNC sessions (as it'd only lock the server side session while
users will likely think they locked the client, allowing for an easy
escape). These checks can be bypassed by setting this variable to 1. Not
recommended other than for debugging XSecureLock itself via such
connections.
XSECURELOCK_DEBUG_WINDOW_INFO: When complaining about another window
misbehaving, print not just the window ID but also some info about it. Uses
the xwininfo and xprop tools.
XSECURELOCK_DIM_ALPHA: Linear-space opacity to fade the screen to.
XSECURELOCK_DIM_COLOR: X11 color to fade the screen to.
XSECURELOCK_DIM_FPS: Target framerate to attain during the dimming effect
of dimmer. Ideally matches the display refresh rate.
XSECURELOCK_DIM_MAX_FILL_SIZE: Maximum size (in width or height) to fill
at once using an XFillRectangle call. Low values may cause performance loss
or noticeable tearing during dimming; high values may cause crashes or hangs
with some graphics drivers or a temporarily unresponsive X server.
XSECURELOCK_DIM_OVERRIDE_COMPOSITOR_DETECTION: When set to 1, always try
to use transparency for dimming; when set to 0, always use a dither
pattern. Default is to autodetect whether transparency will likely work.
XSECURELOCK_DIM_TIME_MS: Milliseconds to dim for when above xss-lock
command line with dimmer is used; also used by wait_nonidle to know when
to assume dimming and waiting has finished and exit.
XSECURELOCK_DISCARD_FIRST_KEYPRESS: If set to 0, the key pressed to stop
the screen saver and spawn the auth child is sent to the auth child (and
thus becomes part of the password entry). By default we always discard the
key press that started the authentication flow, to prevent users from
getting used to type their password on a blank screen (which could be just
powered off and have a chat client behind or similar).
XSECURELOCK_FONT: X11 or FontConfig font name to use for auth_x11.
You can get a list of supported font names by running xlsfonts and
fc-list.
XSECURELOCK_FORCE_GRAB: When grabbing fails, try stealing the grab from
other windows (a value of 2 steals from all descendants of the root
window, while a value of 1 only steals from client windows). This works
only sometimes and is incompatible with many window managers, so use with
care. See the "Forcing Grabs" section below for details.
XSECURELOCK_GLOBAL_SAVER: specifies the desired global screen saver module
(by default this is a multiplexer that runs XSECURELOCK_SAVER on each
screen).
XSECURELOCK_IDLE_TIMERS: comma-separated list of idle time counters used
by until_nonidle. Typical values are either empty (relies on the X Screen
Saver extension instead), "IDLETIME" and "DEVICEIDLETIME xinput to see them). If multiple time counters
are specified, the idle time is the minimum of them all. All listed timers
must have the same unit.
XSECURELOCK_IMAGE_DURATION_SECONDS: how long to show each still image
played by saver_mpv. Defaults to 1.
XSECURELOCK_KEY_%s_COMMAND where %s is the name of an X11 keysym (find
using xev): a shell command to execute when the specified key is pressed.
Useful e.g. for media player control. Beware: be cautious about what you
run with this, as it may yield attackers control over your computer.
XSECURELOCK_LIST_VIDEOS_COMMAND: shell command to list all video files to
potentially play by saver_mpv or saver_mplayer. Defaults to
find ~/Videos -type f.
XSECURELOCK_NO_COMPOSITE: disables covering the composite overlay window.
This switches to a more traditional way of locking, but may allow desktop
notifications to be visible on top of the screen lock. Not recommended.
XSECURELOCK_NO_PAM_RHOST: do not set PAM_RHOST to localhost, despite
recommendation
to do so by the Linux-PAM Application Developers' Guide. This may work
around bugs in third-party PAM authentication modules. If this solves a
problem for you, please report a bug against said PAM module.
XSECURELOCK_NO_XRANDR: disables multi monitor support using XRandR.
XSECURELOCK_NO_XRANDR15: disables multi monitor support using XRandR 1.5
and fall back to XRandR 1.2. Not recommended.
XSECURELOCK_PAM_SERVICE: pam service name. You should have a file with
that name in /etc/pam.d.
XSECURELOCK_PASSWORD_PROMPT: Choose password prompt mode:
asterisks: shows asterisks, like classic password prompts. This is
the least secure option because password length is visible.
***_
*******_cursor: shows a cursor that jumps around on each key press. This is
the default.
________|_______________________
___________________|____________disco: shows dancers, which dance around on each key press. Requires a
font that can handle Unicode line drawing characters, and FontConfig.
┏(・o・)┛ ♪ ┗(・o・)┓ ♪ ┏(・o・)┛ ♪ ┗(・o・)┓ ♪ ┏(・o・)┛
┗(・o・)┓ ♪ ┏(・o・)┛ ♪ ┏(・o・)┛ ♪ ┏(・o・)┛ ♪ ┏(・o・)┛emoji: shows an emoji, changing which one on each key press. Requires
a font that can handle emoji, and FontConfig.
👍
🎶
💕emoticon: shows an ascii emoticon, changing which one on each key
press.
:-O
d-X
X-\hidden: completely hides the password, and there's no feedback for
keypresses. This would almost be most secure - however as it gives no
feedback to input whatsoever, you may not be able to notice accidentally
typing to another computer and sending your password to some chatroom.
kaomoji: shows a kaomoji (Japanese emoticon), changing which one on
each key press. Requires a Japanese font, and FontConfig.
(͡°͜ʖ͡°)
(^u^)
¯\_(ツ)_/¯time: shows the current time since the epoch on each keystroke. This
may be the most secure mode, as it gives feedback to keystroke based
exclusively on public information, and does not carry over any state
between keystrokes whatsoever - not even some form of randomness.
1559655410.922329time_hex: same as time, but in microseconds and hexadecimal.
"Because we can".
0x58a7f92bd7359XSECURELOCK_SAVER: specifies the desired screen saver module.
XSECURELOCK_SAVER_RESET_ON_AUTH_CLOSE: specifies whether to reset the
saver module when the auth dialog closes. Resetting is done by sending
SIGUSR1 to the saver, which may either just terminate, or handle this
specifically to do a cheaper reset.
XSECURELOCK_SHOW_DATETIME: whether to show local date and time on the
login. Disabled by default.
XSECURELOCK_SHOW_HOSTNAME: whether to show the hostname on the login
screen of auth_x11. Possible values are 0 for not showing the
hostname, 1 for showing the short form, and 2 for showing the long form.
XSECURELOCK_SHOW_KEYBOARD_LAYOUT: whether to show the name of the current
keyboard layout. Enabled by default.
XSECURELOCK_SHOW_USERNAME: whether to show the username on the login
screen of auth_x11.
XSECURELOCK_SINGLE_AUTH_WINDOW: whether to show only a single auth window
from auth_x11, as opposed to one per screen.
XSECURELOCK_SWITCH_USER_COMMAND: shell command to execute when Win-O or
Ctrl-Alt-O are pressed (think "other user"). Typical values could be
lxdm -c USER_SWITCH, dm-tool switch-to-greeter, gdmflexiserver or
kdmctl reserve, depending on your desktop environment.
XSECURELOCK_VIDEOS_FLAGS: flags to append when invoking mpv/mplayer with
saver_mpv or saver_mplayer. Defaults to empty.
XSECURELOCK_WAIT_TIME_MS: Milliseconds to wait after dimming (and before
locking) when above xss-lock command line is used. Should be at least as
large as the period time set using "xset s". Also used by wait_nonidle to
know when to assume dimming and waiting has finished and exit.
XSECURELOCK_SAVER_DELAY_MS: Milliseconds to wait after starting
children process and before mapping windows to let children be
ready to display and reduce the black flash.
XSECURELOCK_SAVER_STOP_ON_BLANK: specifies if saver is stopped
when screen is blanked (DPMS or XSS) to save power.
XSECURELOCK_XSCREENSAVER_PATH: Location where XScreenSaver hacks are
installed for use by saver_xscreensaver.
Additionally, command line arguments following a "--" argument will be executed
via execvp once locking is successful; this can be used to notify a calling
process of successful locking.
The following authentication modules are included:
auth_x11: Authenticates via an authproto module using keyboard input (X11
based; recommended).The authentication module is a separate executable, whose name must start with
auth_ and be installed together with the included auth_ modules (default
location: /usr/local/libexec/xsecurelock/helpers).
mb* C
functions to act on these.$XSCREENSAVER_WINDOW.The following authentication protocol ("authproto") modules are included:
authproto_htpasswd: Authenticates via a htpasswd style file stored in
~/.xsecurelock.pw. To generate this file, run: ( umask 077; htpasswd -cB ~/.xsecurelock.pw "$USER" ) Use this only if you for some reason can't use
PAM!authproto_pam: Authenticates via PAM. Use this.authproto_pamtester: Authenticates via PAM using pamtester. Shouldn't
be required unless you can't compile authproto_pam. Only supports simple
password based conversations.The authentication protocol module is a separate executable, whose name must
start with authproto_ and be installed together with the included
authproto_ modules (default location:
/usr/local/libexec/xsecurelock/helpers).
The following screen saver modules are included:
saver_blank: Simply blanks the screen.saver_mplayer and saver_mpv: Plays a video using mplayer or mpv,
respectively. The video to play is selected at random among all files in
~/Videos.saver_multiplex: Watches the display configuration and runs another screen
saver module once on each screen; used internally.saver_xscreensaver: Runs an XScreenSaver hack from an existing
XScreenSaver setup. NOTE: some screen savers included by this may display
arbitrary pictures from your home directory; if you care about this, either
run xscreensaver-demo and disable screen savers that may do this, or stay
away from this one!The screen saver module is a separate executable, whose name must start with
saver_ and be installed together with the included auth_ modules (default
location: /usr/local/libexec/xsecurelock/helpers).
$XSCREENSAVER_SAVER_INDEX.$XSCREENSAVER_WINDOW.XSECURELOCK_SAVER_RESET_ON_AUTH_CLOSE.In order to achieve maximum possible security against screen lock bypass exploits, the following measures are taken:
sh -c "xsecurelock ... || kill -9 -1" :)xss-lock, this could leave a workstation
open for days. Above ... || kill -9 -1 workaround would mitigate this
issue too by simply killing the entire session if locking it fails.XQueryKeymap).XQueryPointer)./dev/input), including other input
devices than keyboard and mouse, such as gamepads or joysticks.Most these issues are inherent with X11 and can only really be fixed by migrating to an alternative such as Wayland; some of the issues (in particular the gamepad input issue) will probably persist even with Wayland.
As a workaround to the issue of another window already holding a grab, we offer
an XSECURELOCK_FORCE_GRAB option.
This adds a last measure attempt to force grabbing by iterating through all subwindows of the root window, unmapping them (which closes down their grabs), then taking the grab and mapping them again.
This has the following known issues:
OverrideRedirect to gain fullscreen mode), the window will become
unresponsive, as your actions will be interpreted by another window - which
you can't see - instead. Alt-Tabbing around may often work around this.There is an open issue with the NVidia graphics driver in conjunction with
some compositors. Workarounds include switching to the nouveau graphics
driver, using a compositor that uses the Composite Overlay Window (e.g.
compton with the flags --backend glx --paint-on-overlay) or passing
XSECURELOCK_NO_COMPOSITE=1 to XSecureLock (which however may make
notifications appear on top of the screen lock).
XSecureLock is incompatible with the compositor built into metacity (a
GNOME component) because it draws on the Compositor Overlay Window with
IncludeInferiors set (i.e. it explicitly requests to draw on top of
programs like XSecureLock). It likely does this because the same is
necessary when drawing on top of the root window, which it had done in the
past but no longer does. Workarounds include disabling its compositor with
gsettings set org.gnome.metacity compositing-manager false or passing
XSECURELOCK_NO_COMPOSITE=1 to XSecureLock.
Picom doesn't remove windows in the required order causing a window with
the text "INCOMPATIBLE COMPOSITOR, PLEASE FIX!" to be displayed. To fix this
you can disable composite obscurer with XSECURELOCK_COMPOSITE_OBSCURER=0
to stop the window from being drawn all together.
In general, most compositor issues will become visible in form of a text
"INCOMPATIBLE COMPOSITOR, PLEASE FIX!" being displayed. A known good
compositor is compton --backend glx --paint-on-overlay. In worst case
you can turn off our workaround for transparent windows by setting
XSECURELOCK_NO_COMPOSITE=1.
The code is released under the Apache 2.0 license. See the LICENSE file for more details.
This project is not an official Google project. It is not supported by Google and Google specifically disclaims all warranties as to its quality, merchantability, or fitness for a particular purpose.