Every Linux screen locker bypassed with a keypress

For Arch Linux users, a patch has already been applied [1] to the xkeyboard-config package in [extra] this morning which corrects this issue by disabling the problematic "debug keys" in the X keymap. Update your system and restart X, and the issue should go away.<p>[1] <a href="http://mailman.archlinux.org/pipermail/arch-general/2012-January/024297.html" rel="nofollow">http://mailman.archlinux.org/pipermail/arch-general/2012-Jan...</a>

The headline is simply wrong.<p>"So from a superficial analysis anything since 1.10.99.902 could be vulnerable."<p>That's not _every_ linux screen locker. E.g. ubuntu 10.04 isn't affected.

How did this happen? I mean, I understand the debug key combinations, but how did they get mapped to actual keys? The commit says <i>To use these, you need to modify your XKB maps</i>.

Here is the commit. <a href="http://cgit.freedesktop.org/xorg/xserver/commit/?id=7d2543a3cb3089241982ce4f8984fd723d5312a1" rel="nofollow">http://cgit.freedesktop.org/xorg/xserver/commit/?id=7d2543a3...</a>

I don't understand the key presses used. Is the "Multiply" key the asterisk (Shift+8)?<p>And also the + key on the numpad works?<p>I was unable to get slock to crash, using a US laptop keyboard. :/

Doesn't appear to work on Ubuntu Oneiric. Perhaps because it's running LightDM?

Since it's been demonstrated not every Linux screen locker is vulnerable, how about changing the title?

Just tried it on Ubuntu 11.10. Did not work.

Man, that is pretty crazy. Ctrl+Alt+* and the whole screensaver goes away just like that and everything on the workstation is accessible. Glad this vulnerability is getting more attention; I think it's obvious the feature should only be enabled in debug builds.

Of course, if you think you are safe because your keyboard does not have a numeric keypad: you are not. The attacker can just plug in a USB keyboard with a numpad and use it. Yay plug-n-play!

While this may be a 'debug' feature it sounds useful for when a fullscreen app locks up. If not these key combinations, what are you intended to do in such a situation?

I attempted to replicate this (attempted being the operative word, I could've been doing it wrong) with Ubuntu 11.10 and a GB keyboard layout. It didn't seem to work.<p>Key combos:<p>Ctrl+Alt+* (num pad) Ctrl+Alt+Shift+8<p>Both with numlock on and off.

I often use physlock from X. It drops you to a virtual console and locks from there.<p><a href="https://github.com/muennich/physlock" rel="nofollow">https://github.com/muennich/physlock</a>

Very interesting. How do you find things like this?

For some reason, I read 'Android' when I scanned this headline. But since Android is a linux variant, would this be possible? My phone doesn't have a physical keyboard, but maybe the Asus Transformer with the attachable keyboard, for example?

Doesn't work in Ubuntu Maverick with X.Org 1.7.5

Doesn't appear to work on Linux Mint 11 (katya)

Just tested on Debian sid. Damn, it worked.

Posted workaround doesn't really work.

Never use an X11 screen locker. Use vlock -san. Problem solved, and several other problems with it.

Just reminds me of more usability/security concerns in GNOME.<p>If you have any popup dialog box open anywhere, it completely inhibits the screensaver. Try it. Open Rhythmbox and open the volume slider and walk away from your computer. Open Chrome and open the Google Voice popopen box. Your computer will not go to sleep. Also, it breaks mouse focus and more. The GNOME developers don't seem to care at all.

I tried this on my very recently installed Fedora 16 desktop at home, and it worked. All of my applications were accessible, alt-tab and other selection methods worked, etc. The only thing that was missing was the panel at the top, and I couldn't be bothered figuring out how to bring it back so I just rebooted. Good thing I don't rely on that feature too much.