Lock Screen

Leaving the computer logged in with programs running is quite routine for me. Uptimes of several weeks are not uncommon.

However, leaving X or a terminal open in your absence can pose a security and privacy risk - someone with malicious intent who has physical access to the computer can cause a lot of damage if they find it logged into your account (or worse, as root!), such as looking at saved passwords in your browser (never save passwords in the browser!), accessing confidential files, or just trolling your Facebook.

Fortunately, there are some programs specifically for this purpose. In this post, I will discuss a little about these programs and some screen locking techniques.

tl;dr: vlock -as is the most secure way to lock the computer.

Naive Methods

Unconventional window managers

It’s quite interesting how, due to unfamiliarity with Unix-like systems, most people are unable to use my computer even when it’s not locked =].

At home, I can leave my computer running with Awesome, PekWM, Xmonad, DWM, or another window manager that is not similar to Windows, which is enough to make them take a long time to understand what’s going on. It’s like opening Vi and asking a freshman to use it.

Switching tty

People may take a while to use a DWM, but with some determination, they will eventually figure it out. However, if I switch between terminals (Ctrl+Alt+F2), a rather intimidating black screen will appear.

These naive methods may work at your parents’ house, but trying to use them in an environment full of computer-savvy colleagues and technology enthusiasts is a guarantee of surprises.

Try leaving your computer logged in at a college lab, student dorm, or technology events like FISL and Campus Party (at CP, you’ll still be safe in the gamers and social media area…). In an instant, you’re asking someone to watch your notebook while you go to the bathroom, and the next thing you know, you’ve become a Justin Bieber fan.

The best solution is always to carry your notebook with you. For situations where this is not possible, the programs I will mention can be the solution.

Programs

Screen

Screen is the most famous terminal multiplexer.

To install Screen on Arch Linux, run the command below:

julio@julio-acer ~> sudo pacman -S screen

One of the various features of screen is precisely the ability to lock the terminal using one of the following shortcuts: C-a x and C-a C-x.

But this method has a limitation: it only locks what is running inside screen. If you started X, even from inside screen, X will remain accessible.

Xtrlock

If you are using X and need to only lock the keyboard and mouse clicks while keeping the image on the screen, Xtrlock (available in AUR) is a reasonable and lightweight option. Just run Xtrlock and the cursor turns into a padlock and only returns to normal after entering the user’s password.

As the name suggests, this program only locks X. If you or root are logged into any terminal, it will be possible to end the process with a killall xtrlock.

It is also important to avoid staying logged into the terminal that was used to start X. If after logging in to tty1 you simply type startx, someone with malicious intent could simply kill the process with CTRL+c. I found some ways to avoid this:

  1. Start X with nohup startx &; disown; sleep 5; exit.

  2. Start X with exec startx.

  3. Start X with startx && vlock -a || vlock -a (I will talk about vlock later).

  4. Edit xorg.conf to disable Ctrl+Alt+Fn and Ctrl+Alt+Backspace:

    Option "DontVTSwitch" "True" and Option "DontZap" "True".

  5. Start X inside screen and log out of tty1.

  6. Use a graphical login.
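A quick audit for items 1, 2 and 4 of the list above, as an added example that is not part of the original post. It assumes the process list comes from `ps -eo pid=,ppid=,tty=,comm=` and the configuration from xorg.conf; the function names and the three sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. Inputs are assumed to come from:
#   ps -eo pid=,ppid=,tty=,comm=      and      cat /etc/X11/xorg.conf
# The three samples below are constructed for illustration.
SAMPLE_PS_PLAIN='  400     1 tty1  login
  410   400 tty1  bash
  500   410 tty1  startx
  501   500 tty1  xinit
  502   501 tty1  Xorg'
SAMPLE_PS_EXEC='  400     1 tty1  login
  410   400 tty1  startx
  411   410 tty1  xinit
  412   411 tty1  Xorg'
SAMPLE_XORG='Section "ServerFlags"
    Option "DontVTSwitch" "True"
    #Option "DontZap" "True"
EndSection'

# Reads ps output on stdin. Prints "exposed <shell> <tty>" when startx is still
# the child of a shell (killing X on that tty returns to a logged-in prompt),
# "ok" when its parent is anything else (login after exec, init after nohup).
startx_exposure() {
    awk '
        { ppid[$1] = $2; tty[$1] = $3; comm[$1] = $4 }
        $4 == "startx" { sx = $1 }
        END {
            if (sx == "") { print "no-startx"; exit }
            parent = comm[ppid[sx]]
            if (parent ~ /^-?(ba|z|da|k|fi)?sh$/) { print "exposed", parent, tty[sx] }
            else { print "ok" }
        }'
}

# Reads xorg.conf text on stdin. Prints each of the two options from item 4
# that is not set to a true value on an uncommented line.
missing_serverflags() {
    conf=$(cat)
    for opt in DontVTSwitch DontZap; do
        printf '%s\n' "$conf" | grep -v '^[[:space:]]*#' |
            grep -Eiq "Option[[:space:]]+\"$opt\"[[:space:]]+\"(true|on|yes|1)\"" ||
            printf '%s\n' "$opt"
    done
}

printf '%s\n' "$SAMPLE_PS_PLAIN" | startx_exposure
printf '%s\n' "$SAMPLE_PS_EXEC" | startx_exposure
printf '%s\n' "$SAMPLE_XORG" | missing_serverflags
```

On a live system, pipe the real `ps` output and the real xorg.conf into the two functions instead of the samples.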

Xtrlock also has other flaws, such as not blocking other input devices besides the mouse and keyboard.

Slock

Like all programs from suckless.org, Slock is very minimalist. It is even simpler than xtrlock.

Run the following command to install it on Arch Linux:

julio@acer ~> sudo pacman -S slock

Slock simply turns the screen black until the user who started it enters the password.

Xscreensaver

I have never used Xscreensaver because it seems bloated to me. But I see that many people like it and recommend it.

Xautolock

Slock and xtrlock follow the Unix philosophy well, which says that a program should do only one thing and do it well. They simply lock the screen and do nothing else.

A very useful feature that I have seen in other screen lockers, like the one in Ubuntu, is the auto locking feature. This feature can be achieved with xautolock.

Xautolock allows you to run a program after a certain period of inactivity.

For example, to run slock after 10 minutes of inactivity, add the following line to ~/.xinitrc:

xautolock -time 10 -locker slock -nowlocker slock -detectsleep -corners 0+00 -cornerdelay 5 &

Read more about the options that can be passed to xautolock in the manual (man xautolock).

Xautolock and Mplayer

An annoying consequence of configuring xautolock to lock the screen automatically is that a long time without sending any input to X (typing or moving the cursor) does not always mean we are actually inactive. Watching movies is one of those situations.

But luckily, the developers of Mplayer have already anticipated this and added the argument -stop-xscreensaver:

julio@acer ~> mplayer -stop-xscreensaver video.mkv

The mplayer man page itself recommends -stop-xscreensaver, but if it fails (it worked very well here!), you can pass a command for mplayer to call every 30 seconds using the -heartbeat-cmd option:

julio@acer ~> mplayer -heartbeat-cmd "xscreensaver-command -deactivate" video.mkv

The same problem occurs with other players and with flash videos and YouTube, but unfortunately the solutions I found for these cases are not good at all:

  1. xautolock -exit -> watch the video -> restart xautolock

  2. Moving the cursor from time to time.
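A variant of the first workaround, as an added example that is not part of the original post: it uses xautolock's -disable and -enable options instead of -exit, and always re-enables the timer when the player ends, even if it fails or is interrupted. The function name and the XAUTOLOCK variable are hypothetical.

```shell
#!/bin/sh
# Added example: pause a running xautolock for the lifetime of one command.
# XAUTOLOCK is a hypothetical override hook so the function can be exercised
# with a stub; by default the real xautolock binary is called.
XAUTOLOCK=${XAUTOLOCK:-xautolock}

# Usage: with_autolock_paused vlc video.mkv
with_autolock_paused() {
    # -disable talks to the already running xautolock; stop if the call fails.
    "$XAUTOLOCK" -disable || return 1
    # Keep this shell alive on Ctrl+C/TERM so the re-enable below still runs.
    trap : INT TERM
    "$@"
    status=$?
    "$XAUTOLOCK" -enable
    trap - INT TERM     # note: resets the caller's INT/TERM traps to default
    return "$status"
}
```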

Vlock

Finally, we have Vlock, which I consider the best option for locking terminals and can be used in conjunction with the other options as well, for added protection.

  1. Install Vlock:

    julio@julio-acer ~> sudo pacman -S vlock
    

Update from 01/16/2013: Kbd already provides vlock. If you already have kbd, trying to install vlock will cause a conflict.

  1. Lock only the current terminal (-c):

    julio@julio-acer ~> vlock -c
    This TTY is now locked.
    
    Please press [ENTER] to unlock.
    julio's Password:
    
  2. Lock all terminals (-a):

    julio@julio-acer ~> vlock -a
    vlock: this terminal is not a virtual console
    

    Oops! This error will occur if you try to run vlock -a in urxvt, xterm, etc. Press Ctrl+Alt+F1 to go to TTY1 and repeat the command:

    julio@julio-acer ~> vlock -a
    The entire console display is now completely locked.
    You will not be able to switch to another virtual console.
    
    Please press [ENTER] to unlock.
    julio's Password:
    

There you go, the system is completely locked and will only be unlocked with your password or root’s. Or almost: looking at the manual, I saw that vlock has an option (-s) to prevent the SysRq key from killing the program. I didn’t test it because my keyboard doesn’t even have this key, but this information was important, as I did some tests and realized that it is indeed possible to unlock the computer remotely:

  1. Logged in as user ’test’, I locked all terminals:

    test@julio-acer ~> vlock -a
    
  2. I accessed the computer via SSH and killed the process without issues:

    julio@julio-acer ~> killall vlock-main
    
  3. I also tested with the ‘-s’ option, which requires superuser permission:

    [root@julio-acer ~]# vlock -as
    
  4. And I could only kill the process using sudo. Which was expected.

    julio@julio-acer ~> killall vlock-main
    vlock-main(26420): Operation not permitted
    vlock-main: no process found
    
    julio@julio-acer ~> sudo killall vlock-main
    

The only issue with this is that when this user manages to unlock the computer, they will have access to the account of the user who locked it. For me, this is not a concern, as I am the only user of the computer. But if I ever add more users (none with sudo privileges), I will keep in mind that it is better to lock the computer as root.


Julio Batista Silva
Data Engineer

I’m a computer engineer passionate about science, technology, photography, and languages. Currently working as a Data Engineer in Germany.