Home / server / Questions / 672882
Accepted
aseq
Asked: 2015-03-04 18:05:22 +0800 CST

Restrict user changing xscreensaver settings

  • 772

I would like to know any solutions people came up with restricting a user from changing a system wide configuration of xscreensaver. Part of my job is managing systems which have a requirement that the desktop locks in about 10 minutes and can only be unlocked with a password. I want to use one screensaver and considering xscreensaver is very secure with a mature code base it is a logical choice.

I created appropriate settings in /etc/X11/app-defaults/XScreenSaver*, however the problem is a user can still change their personal preferences by running xscreensaver-demo or editing ~/.xscreensaver.

I understand there is a bit of a hackish way to do this, removing the executable permissions from /usr/bin/xscreensaver-demo and changing the ownership of ~/.xscreensaver to root.

If that is the only practical way of doing this, how would I go about creating ~/.xscreensaver with root ownership upon initial login of the user (in redhat and debian/ubuntu)?

linux

2 Answers

  1. If your users' home directories are on a local disk, or they are hosted on a Linux NFS server which you have sudo/root privileges on, then you can set each ~/.xscreensaver file as "immutable".

    sudo chattr +i /home/username/.xscreensaver

    This will prevent users from modifying it, and from deleting/moving/renaming it.

    Reference: http://sattia.blogspot.com/2015/01/how-to-make-file-immutable-on-linux.html

    • 1
  2. Best Answer

    It looks like this is not really possible. I did end up slightly modifying the source of xscreensaver in order to force certain settings. I tried to use the least invasive way of accomplishing this with minimal modification of the source. This will still allow the user to configure many parts of the screensaver, just not the ones regarding screenlocking and the timeout.

    In the source tree find the file driver/prefs.c and in there look for the function write_init_file. In that function find these lines:

    if (!pr || !*pr)          ;
CHECK("timeout")          type = pref_time, t = p->timeout;
CHECK("cycle")            type = pref_time, t = p->cycle;
CHECK("lock")             type = pref_bool, b = p->lock_p;
CHECK("lockTimeout")      type = pref_time, t = p->lock_timeout;
(..)
CHECK("mode")             type = pref_str,
                          s = (p->mode == ONE_HACK ? "one" :
                               p->mode == BLANK_ONLY ? "blank" :
                               p->mode == DONT_BLANK ? "off" :
                               p->mode == RANDOM_HACKS_SAME
                               ? "random-same"
                               : "random");

    And change to something like the below source sample. What this will do is prevent these settings from being saved to the .xscreensaver file in the user's home directory. And then as long as the system wide default is set to whatever you prefer xscreensaver will keep using these settings in lieu of what would be configured in the .xscreensaver file.

    if (!pr || !*pr)          ;
CHECK("timeout")          continue; /* don't save */
CHECK("cycle")            continue; /* don't save */
CHECK("lock")             continue; /* don't save */
CHECK("lockTimeout")      continue; /* don't save */
(..)
CHECK("mode")             type = pref_str,
                          s = (p->mode == ONE_HACK ? "one" :
                               p->mode == BLANK_ONLY ? "blank" :
                               p->mode == DONT_BLANK ? "blank" : /* prevents xscreensaver from being disabled, will force to blank */
                               p->mode == RANDOM_HACKS_SAME
                               ? "random-same"
                               : "random");

    The find the function called load_init_file and change the line:

    else if (s && !strcasecmp (s, "off"))         p->mode = DONT_BLANK;

    to:

    else if (s && !strcasecmp (s, "off"))         p->mode = BLANK_ONLY;

    Now find the aptly named function stop_the_insanity which sets some values of preferences back to sane values, such as a timeout > 15 seconds will be forced to 15 seconds. This is a good spot to make sure that when a user hand edits the .xscreensaver file instead of using xscreensaver-demo the values will not be used by xscreensaver, but our "sane" values will be used instead.

    In function stop_the_insanity add something like this, using your own values if you want. Note that values for time are seconds*1000. In the case user sets mode to "off" we already force it back to blank above.

    if (p->timeout > 600000) p->timeout = 600000;
if (p->lock_timeout > 0) p->lock_timeout = 0;
if (! p->lock_p) p->lock_p = True;

    With regards to creating .xscreensaver with root ownership upon initial login, I think that is not really possible or advisable. You can create a script in /etc/profile.d which will create an empty .xscreensaver upon user login. But the above mentioned change makes that unnecessary.

    • 0