Playing devil's advocate here

Story: HOWTO: Get right to X with No Display Manager
Total Replies: 9
lcafiero

Dec 23, 2011
2:43 PM EDT
Pleased to meet you, hope you guess my name . . . .

That's an interesting workaround, Jeff91, and I know it will be of use to a lot of people. I'm trying it out myself, but before I do I have a question/observation/concern. Before I make the observation, though, I have to say that I like many of the display managers that are out there -- a considerable amount of work is put into them and, on the whole, it's a pleasant interface to welcome one to Linux, even in Enlightenment (especially in Enlightenment).

So here's the question/observation/concern: So I want to bypass this artistic greeting on a variety of desktop environments by autostarting as you point out, but by the same token am I lowering my security threshold or providing any other "down side" by doing so?

If there are caveats, it would be good to know. If there aren't, all the better.

Happy $HOLIDAY_YOU_CELEBRATE, all.
Jeff91

Dec 23, 2011
3:43 PM EDT
I know a lot of work goes into DMs. They are needed by a good deal of people; in fact, this is why Bodhi uses LXDM by default :). This is just a little workaround for those of us that don't need/want one.

The only serious drawback I can think of would be the fact that this is auto logging you in. If you prefer to have a password at startup (and still have no desktop manager) you can always set your DE to auto lock on startup (I know E supports this so I can only imagine other major desktops do as well).

~Jeff
JaseP

Dec 23, 2011
3:44 PM EDT
Yes, whenever you have a system auto start into a desktop, you are compromising security. There is nothing to prevent a local user from restarting a machine & gaining access to your user account and any other automatic logins you may have set up, for instance, through your browser or SAMBA shares, etc. I personally don't know if I would trust the auto start script of a DE to prevent bypassing a screen locking app.

To further complicate matters, unless you are careful to disallow remote logins, remote users would be able to access your account. (Note: I didn't read the article, yet, so don't know if this was addressed) That's a big vulnerability when it comes to a Linux system.

I only autostart on my HTPC machines. And they do not allow remote logins or remote desktop utilities (even though there are some gains on an HTPC by allowing remote desktop utilities). There are other reasons for limiting the machines this way, such as the home automation devices they have access to. Allowing someone to remote in would expose the physical security and privacy of the house, unnecessarily. It would also expose my stored media to the outside world, which could expose me to claims of piracy of media... (claims,... not that they would necessarily be founded).

I, personally, wouldn't auto start a machine that everyone in a location should not have full access to. Additionally, I would not put a potentially risky platform (like an Android or Apple phone that has the potential to be compromised, or an M$ machine) on the inside of a network that needs any significant security (HIPAA impacted databases, attorney / client databases, etc.). It's a personal choice of risk versus convenience, though.
Jeff91

Dec 23, 2011
3:45 PM EDT
JaseP I think we posted at the same time - see my comment above about having the desktop lock itself at startup.

~Jeff
JaseP

Dec 23, 2011
3:47 PM EDT
I edited my first paragraph accordingly ...
Jeff91

Dec 23, 2011
3:51 PM EDT
For Enlightenment it isn't just an "auto start script"; there is a check box in the screen lock setting to lock the screen at E startup - it always works.

For the rest of you reading this that are worried about security, using NoDM isn't any less safe than having your display manager auto login to your user account (which I know a good deal of people do).

~Jeff
JaseP

Dec 23, 2011
6:11 PM EDT
What I am saying is that, unless the DE is written specifically to limit user interaction while the UI is loaded, "it is possible, however unlikely, that a weakness can be found," and exploited. Essentially, any user input that would have any impact on running programs has to be temporarily suspended until the screen lock has fully loaded. At that point, what's the difference in having a login screen that pulls up a default user, versus booting into the DE with the screen lock enabled?!?!

I'm not saying there aren't use cases for what you are describing. I'm saying that I trust code specifically written with security in mind, over code written with privacy in mind. There's more than semantic difference ...
lcafiero

Dec 26, 2011
3:01 PM EDT
Interesting discussion, and thanks for the insights, Jeff91 and JaseP. Call me old school, but I don't auto login, nor probably will I. But many people do, and it's good to know this information going forward.
JaseP

Dec 27, 2011
10:05 AM EDT
Yes, Jeff, good discussion, ... and don't let my comments make you think I'm throwing you under the proverbial bus. Auto login features are useful. I use them myself on certain machines. I just would never advocate them on a machine that's got a significant security role, including mobile devices.
fewt

Dec 27, 2011
5:02 PM EDT
Also: echo "su - ${USER} startx" | sudo tee -a /etc/rc.local
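
Added example, not part of any post in this thread: a small audit that ties together the two points raised above, the `su - USER startx` line in `/etc/rc.local` and the advice to disallow remote logins for auto-login accounts. The function names and sample files are constructed for illustration; the SSH check looks only at literal `AllowUsers`/`DenyUsers` names and ignores patterns, groups and `Match` blocks.

```shell
#!/bin/sh
# Added audit sketch; function names and sample files are hypothetical/constructed.

# Users for whom an rc.local-style file ($1) runs "su - USER ... startx".
autostart_users() {
    grep -Ev '^[[:space:]]*#' "$1" |
        sed -nE 's/.*su[[:space:]]+-l?[[:space:]]+([A-Za-z_][A-Za-z0-9_-]*)[[:space:]].*startx.*/\1/p' |
        sort -u
}

# Exit 0 if sshd_config-style file $1 lets user $2 log in, judged only by
# literal AllowUsers/DenyUsers names (patterns, groups, Match blocks ignored).
ssh_permits() {
    awk -v u="$2" '
        tolower($1) == "denyusers"  { for (i = 2; i <= NF; i++) if ($i == u) denied = 1 }
        tolower($1) == "allowusers" { have_allow = 1
                                      for (i = 2; i <= NF; i++) if ($i == u) allowed = 1 }
        END { if (denied || (have_allow && !allowed)) exit 1; exit 0 }
    ' "$1"
}

# One finding per autostart user: $1 = rc file, $2 = sshd config.
audit() {
    for user in $(autostart_users "$1"); do
        if ssh_permits "$2" "$user"; then
            echo "$user: auto-login at boot AND remote SSH login permitted"
        else
            echo "$user: auto-login at boot, remote SSH login blocked"
        fi
    done
}

# Constructed sample input, written to a temp dir so nothing real is read.
sample_dir=$(mktemp -d)
cat > "$sample_dir/rc.local" <<'EOF'
#!/bin/sh
# su - olduser startx
su - alice startx
su - htpc -c startx
EOF
cat > "$sample_dir/sshd_config" <<'EOF'
PermitRootLogin no
DenyUsers htpc
EOF

audit "$sample_dir/rc.local" "$sample_dir/sshd_config"
```

On a real host, pass `/etc/rc.local` and `/etc/ssh/sshd_config` to `audit` instead of the sample files.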
