vlock command

vlock command

[Karel Zak]

 vlock(1) - Virtual Console lock program

This nice and small program used by admins on machines with consoles
only. Unfortunately it has inactive upstream(s).

The original upstream for vlock-1.3 at

    ftp://tsx-11.mit.edu:/pub/linux/sources/usr.bin/

is inactive for years. There is also new upstream at

   http://freecode.com/projects/vlock
   http://repo.or.cz/w/vlock.git

but this also seems inactive and from my point of view vlock-2.x is
over-engineering rhapsody (glib, plug-ins, dependences resolver,
external scripts etc.)

What about to merge vlock-1.3 into utils-linux? It's 630 lines of code
(including unnecessary non-PAM code).

Comments & Objections?

    Karel

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com

Re: vlock command

[Alexey Gladkov]

14.11.2012 14:35, Karel Zak wrote:
> 
>  vlock(1) - Virtual Console lock program
> 
> This nice and small program used by admins on machines with consoles
> only. Unfortunately it has inactive upstream(s).
> 
> The original upstream for vlock-1.3 at
> 
>     ftp://tsx-11.mit.edu:/pub/linux/sources/usr.bin/
> 
> is inactive for years. There is also new upstream at
> 
>    http://freecode.com/projects/vlock
>    http://repo.or.cz/w/vlock.git
> 
> but this also seems inactive and from my point of view vlock-2.x is
> over-engineering rhapsody (glib, plug-ins, dependences resolver,
> external scripts etc.)
> 
> What about to merge vlock-1.3 into utils-linux? It's 630 lines of code
> (including unnecessary non-PAM code).
> 
> Comments & Objections?
> 

We have another version of vlock, which is being supported by Dmitry
V. Levin.

http://git.altlinux.org/people/ldv/packages/vlock.git

Some time ago, I have merged this version in kbd project:

http://git.altlinux.org/people/legion/packages/kbd.git?p=kbd.git;a=tree;f=src/vlock;h=92419b98175d215a71f83bfb06b409daa97b13c4;hb=768b8c314e1d3c465d895b206da4aa4543914d1d

I have a collection of utilities for manipulation in console (openvt,
chvt, deallocvt ...) I consider logical to have the utility for
terminal blocking.

What do you think ?

-- 
Rgrds, legion

Re: vlock command

[Karel Zak]

On Wed, Nov 14, 2012 at 03:04:56PM +0400, Alexey Gladkov wrote:
> 14.11.2012 14:35, Karel Zak wrote:
> > 
> >  vlock(1) - Virtual Console lock program
> > 
> > This nice and small program used by admins on machines with consoles
> > only. Unfortunately it has inactive upstream(s).
> > 
> > The original upstream for vlock-1.3 at
> > 
> >     ftp://tsx-11.mit.edu:/pub/linux/sources/usr.bin/
> > 
> > is inactive for years. There is also new upstream at
> > 
> >    http://freecode.com/projects/vlock
> >    http://repo.or.cz/w/vlock.git
> > 
> > but this also seems inactive and from my point of view vlock-2.x is
> > over-engineering rhapsody (glib, plug-ins, dependences resolver,
> > external scripts etc.)
> > 
> > What about to merge vlock-1.3 into utils-linux? It's 630 lines of code
> > (including unnecessary non-PAM code).
> > 
> > Comments & Objections?
> > 
> 
> We have another version of vlock, which is being supported by Dmitry
> V. Levin.
> 
> http://git.altlinux.org/people/ldv/packages/vlock.git

 it seems the same code as the original vlock-1.3

> Some time ago, I have merged this version in kbd project:
> 
> http://git.altlinux.org/people/legion/packages/kbd.git?p=kbd.git;a=tree;f=src/vlock;h=92419b98175d215a71f83bfb06b409daa97b13c4;hb=768b8c314e1d3c465d895b206da4aa4543914d1d
> 
> I have a collection of utilities for manipulation in console (openvt,
> chvt, deallocvt ...) I consider logical to have the utility for
> terminal blocking.
> 
> What do you think?

 Well, vlock is mostly about authentication, but I have no strong
 opinion about it -- we can keep it in kbd as well.

    Karel

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com

Re: vlock command

[Karel Zak]

On Wed, Nov 14, 2012 at 03:04:56PM +0400, Alexey Gladkov wrote:
> We have another version of vlock, which is being supported by Dmitry
> V. Levin.
> 
> http://git.altlinux.org/people/ldv/packages/vlock.git

 Alexey, just today I added --erase option to Fedora version. Maybe
 you can apply the patch below to your repository too. Author of the
 patch is Petr Pisar <ppisar@redhat.com>.

    Karel


diff -up vlock-1.3/help.c.kzak vlock-1.3/help.c
--- vlock-1.3/help.c.kzak	2012-11-14 11:12:08.378692002 +0100
+++ vlock-1.3/help.c	2012-11-14 11:13:10.038998321 +0100
@@ -26,6 +26,7 @@ void print_help(int exitcode) {
 	  "       switch to other virtual consoles.\n"
 	  "-a or --all: lock all virtual consoles by preventing other users\n"
 	  "       from switching virtual consoles.\n"
+	  "-e or --erase: erase current virtual console content\n"
 	  "-v or --version: Print the version number of vlock and exit.\n"
 	  "-h or --help: Print this help message and exit.\n"
 	  );
diff -up vlock-1.3/vlock.1.kzak vlock-1.3/vlock.1
--- vlock-1.3/vlock.1.kzak	1999-01-14 01:19:14.000000000 +0100
+++ vlock-1.3/vlock.1	2012-11-14 11:12:58.745935657 +0100
@@ -38,6 +38,10 @@ Lock all console sessions and disable VC
 .IP
 Lock the current session (this is the default).
 .PP
+.B -e,--erase
+.IP
+Erase current console content to prevent from leaking sensitive data.
+.PP
 .B -h,--help
 .IP
 Print a brief help message.
diff -up vlock-1.3/vlock.c.kzak vlock-1.3/vlock.c
--- vlock-1.3/vlock.c.kzak	2012-11-14 11:12:08.379692007 +0100
+++ vlock-1.3/vlock.c	2012-11-14 11:12:58.745935657 +0100
@@ -29,6 +29,9 @@
   /* This determines whether the default behavior is to lock only the */
   /* current VT or all of them.  0 means current, 1 means all. */
   int o_lock_all = 0;
+  /* This determines whether to erase terminal content after the locking.
+   * 0 means do not erase, 1 means to erase. */
+  int o_erase_terminal = 0;
 
 /* Other globals */
   struct vt_mode ovtm;
@@ -41,6 +44,7 @@ int main(int argc, char **argv) {
   static struct option long_options[] = { /* For parsing long arguments */
     {"current", 0, &o_lock_all, 0},
     {"all", 0, &o_lock_all, 1},
+    {"erase", no_argument, &o_erase_terminal, 1},
     {"version", no_argument, 0, O_VERSION},
     {"help", no_argument, 0, O_HELP},
     {0, 0, 0, 0},
@@ -51,7 +55,7 @@ int main(int argc, char **argv) {
   char *env;
 
   /* First we parse all the command line arguments */
-  while ((c = getopt_long(argc, argv, "acvh",
+  while ((c = getopt_long(argc, argv, "acevh",
 			  long_options, &option_index)) != -1) {
     switch(c) {
     case 'c':
@@ -60,6 +64,9 @@ int main(int argc, char **argv) {
     case 'a':
       o_lock_all = 1;
       break;
+    case 'e':
+      o_erase_terminal = 1;
+      break;
     case 'v':
     case O_VERSION:
       fprintf(stderr, VERSION);
@@ -116,6 +123,12 @@ int main(int argc, char **argv) {
     ioctl(vfd, VT_SETMODE, &vtm);
   }
 
+  /* Erase console. 2J erases display; 3J, since Linux 3.0, erases scroll-back
+   * buffer too. */
+  if (o_erase_terminal) {
+    puts("\E[3J\E[2J");
+  }
+
   /* get_password() sets the terminal characteristics and does not */
   /* return until the correct password has been read.              */
   get_password();

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com

Re: vlock command

[Alexey Gladkov]

14.11.2012 16:26, Karel Zak wrote:
> On Wed, Nov 14, 2012 at 03:04:56PM +0400, Alexey Gladkov wrote:
>> We have another version of vlock, which is being supported by Dmitry
>> V. Levin.
>>
>> http://git.altlinux.org/people/ldv/packages/vlock.git
> 
>  Alexey, just today I added --erase option to Fedora version. Maybe
>  you can apply the patch below to your repository too. Author of the
>  patch is Petr Pisar <ppisar@redhat.com>.

Sure.

-- 
Rgrds, legion

Re: vlock command

[Dmitry V. Levin]

[-- Attachment #1: Type: text/plain, Size: 543 bytes --]

On Wed, Nov 14, 2012 at 01:26:10PM +0100, Karel Zak wrote:
> On Wed, Nov 14, 2012 at 03:04:56PM +0400, Alexey Gladkov wrote:
> > We have another version of vlock, which is being supported by Dmitry
> > V. Levin.
> > 
> > http://git.altlinux.org/people/ldv/packages/vlock.git
> 
>  Alexey, just today I added --erase option to Fedora version. Maybe
>  you can apply the patch below to your repository too. Author of the
>  patch is Petr Pisar <ppisar@redhat.com>.

The first vlock RFE for ages!  Alexey, please apply.


-- 
ldv

[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]

Re: vlock command

[Dmitry V. Levin]

[-- Attachment #1: Type: text/plain, Size: 1206 bytes --]

On Wed, Nov 14, 2012 at 01:22:07PM +0100, Karel Zak wrote:
> On Wed, Nov 14, 2012 at 03:04:56PM +0400, Alexey Gladkov wrote:
> > http://git.altlinux.org/people/ldv/packages/vlock.git
> 
>  it seems the same code as the original vlock-1.3

It was surely based on the same vlock-1.3 code, and it has essentially the
same features list, but it's hardly the same code. :)

> > Some time ago, I have merged this version in kbd project:
> > 
> > http://git.altlinux.org/people/legion/packages/kbd.git?p=kbd.git;a=tree;f=src/vlock;h=92419b98175d215a71f83bfb06b409daa97b13c4;hb=768b8c314e1d3c465d895b206da4aa4543914d1d
> > 
> > I have a collection of utilities for manipulation in console (openvt,
> > chvt, deallocvt ...) I consider logical to have the utility for
> > terminal blocking.
> > 
> > What do you think?
> 
>  Well, vlock is mostly about authentication,

About authentication?  Well, could you then explain why do you keep that
7 year old vlock-1.3-morepam.patch from Nalin in Fedora vlock package?
It does something unnatural for vlock, e.g. pam_acct_mgmt and even
pam_setcred!  At the same time, the only module in its account stack is
pam_permit.so.  Weird.


-- 
ldv

[-- Attachment #2: Type: application/pgp-signature, Size: 198 bytes --]

Re: vlock command

[Alexey Gladkov]

15.11.2012 03:31, Dmitry V. Levin wrote:
> On Wed, Nov 14, 2012 at 01:26:10PM +0100, Karel Zak wrote:
>> On Wed, Nov 14, 2012 at 03:04:56PM +0400, Alexey Gladkov wrote:
>>> We have another version of vlock, which is being supported by Dmitry
>>> V. Levin.
>>>
>>> http://git.altlinux.org/people/ldv/packages/vlock.git
>>
>>  Alexey, just today I added --erase option to Fedora version. Maybe
>>  you can apply the patch below to your repository too. Author of the
>>  patch is Petr Pisar <ppisar@redhat.com>.
> 
> The first vlock RFE for ages!  Alexey, please apply.

Dmitry, I mistakenly did not add you in the Cc. I wrote Karel that
similar functionality you have already implemented.
Here is my answer:

> On closer look I found out that the my version of vlock already erases
> display if we are on the virtual console:
> 
> http://git.altlinux.org/people/legion/packages/kbd.git?p=kbd.git;a=blob;f=src/vlock/screen.c;h=720d880080f9030553a32d625756b5e30c6d4266;hb=768b8c314e1d3c465d895b206da4aa4543914d1d#l37
> 
> http://git.altlinux.org/people/legion/packages/kbd.git?p=kbd.git;a=blob;f=src/vlock/vt.c;h=50746de238f5acc231d2ffef8a5604dfbef3cfad;hb=768b8c314e1d3c465d895b206da4aa4543914d1d#l194
> 
> As I understand you want a similar functionality. Is this enough for
> you, or you want to be able to clear the display regardless of conditions?


-- 
Rgrds, legion

Re: vlock command

[Karel Zak]

On Thu, Nov 15, 2012 at 10:44:47AM +0400, Alexey Gladkov wrote:
> 15.11.2012 03:31, Dmitry V. Levin wrote:
> > On Wed, Nov 14, 2012 at 01:26:10PM +0100, Karel Zak wrote:
> >
> >>  Alexey, just today I added --erase option to Fedora version. Maybe
> >>  you can apply the patch below to your repository too. Author of the
> >>  patch is Petr Pisar <ppisar@redhat.com>.
> > 
> > The first vlock RFE for ages!  Alexey, please apply.
> 
> Dmitry, I mistakenly did not add you in the Cc. I wrote Karel that
> similar functionality you have already implemented.
> Here is my answer:
> 
> > On closer look I found out that the my version of vlock already erases
> > display if we are on the virtual console:
> > 
> > http://git.altlinux.org/people/legion/packages/kbd.git?p=kbd.git;a=blob;f=src/vlock/screen.c;h=720d880080f9030553a32d625756b5e30c6d4266;hb=768b8c314e1d3c465d895b206da4aa4543914d1d#l37
> > 
> > http://git.altlinux.org/people/legion/packages/kbd.git?p=kbd.git;a=blob;f=src/vlock/vt.c;h=50746de238f5acc231d2ffef8a5604dfbef3cfad;hb=768b8c314e1d3c465d895b206da4aa4543914d1d#l194
> > 
> > As I understand you want a similar functionality. Is this enough for
> > you, or you want to be able to clear the display regardless of conditions?

 CC: to Petr, original author of the patch.


-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com

Re: vlock command

[Petr Pisar]

[-- Attachment #1: Type: text/plain, Size: 2074 bytes --]

On Thu, Nov 15, 2012 at 08:52:53AM +0100, Karel Zak wrote:
> On Thu, Nov 15, 2012 at 10:44:47AM +0400, Alexey Gladkov wrote:
> > 15.11.2012 03:31, Dmitry V. Levin wrote:
> > > On Wed, Nov 14, 2012 at 01:26:10PM +0100, Karel Zak wrote:
> > >
> > >>  Alexey, just today I added --erase option to Fedora version. Maybe
> > >>  you can apply the patch below to your repository too. Author of the
> > >>  patch is Petr Pisar <ppisar@redhat.com>.
> > > 
> > > The first vlock RFE for ages!  Alexey, please apply.
> > 
> > Dmitry, I mistakenly did not add you in the Cc. I wrote Karel that
> > similar functionality you have already implemented.
> > Here is my answer:
> > 
> > > On closer look I found out that the my version of vlock already erases
> > > display if we are on the virtual console:
> > > 
> > > http://git.altlinux.org/people/legion/packages/kbd.git?p=kbd.git;a=blob;f=src/vlock/screen.c;h=720d880080f9030553a32d625756b5e30c6d4266;hb=768b8c314e1d3c465d895b206da4aa4543914d1d#l37
> > > 
> > > http://git.altlinux.org/people/legion/packages/kbd.git?p=kbd.git;a=blob;f=src/vlock/vt.c;h=50746de238f5acc231d2ffef8a5604dfbef3cfad;hb=768b8c314e1d3c465d895b206da4aa4543914d1d#l194
> > > 
> > > As I understand you want a similar functionality. Is this enough for
> > > you,
It's similar but insufficient. The difference between your clear_str[]
= "\33[H\33[J" and my string is my way clears scroll-back buffer of Linux
virtual terminal too. This prevents from reading history using Shift-PgUp
while the terminal is locked. Read current console_codes(4) page, especially
search for word "buffer".

So what I ask is to prepend "\33[3J" to your clear_str[]. This even users with
older kernel not implementing this code get console cleared.

> or you want to be able to clear the display regardless of conditions?

If I understand the code correctly, you clear screen only if it's a virtual
terminal. I have no idea how usefull is vlock on other terminals (I use
"screen" there), so I do not request any change in this matter.

-- Petr

[-- Attachment #2: Type: application/pgp-signature, Size: 230 bytes --]

Re: vlock command

[Alexey Gladkov]

15.11.2012 12:48, Petr Pisar wrote:
> It's similar but insufficient. The difference between your clear_str[]
> = "\33[H\33[J" and my string is my way clears scroll-back buffer of Linux
> virtual terminal too. This prevents from reading history using Shift-PgUp
> while the terminal is locked. Read current console_codes(4) page, especially
> search for word "buffer".
> 
> So what I ask is to prepend "\33[3J" to your clear_str[]. This even users with
> older kernel not implementing this code get console cleared.

Sounds reasonable.

> If I understand the code correctly, you clear screen only if it's a virtual
> terminal. I have no idea how usefull is vlock on other terminals (I use
> "screen" there), so I do not request any change in this matter.

Ok. This is what I wanted to find out.

Guys, I want to release the new version of kbd next month. This will
be the first kbd release with the vlock. Do you have any more
suggestions on vlock?

-- 
Rgrds, legion

Re: vlock command

[Karel Zak]

On Thu, Nov 15, 2012 at 01:35:48PM +0400, Alexey Gladkov wrote:
> 15.11.2012 12:48, Petr Pisar wrote:
> > It's similar but insufficient. The difference between your clear_str[]
> > = "\33[H\33[J" and my string is my way clears scroll-back buffer of Linux
> > virtual terminal too. This prevents from reading history using Shift-PgUp
> > while the terminal is locked. Read current console_codes(4) page, especially
> > search for word "buffer".
> > 
> > So what I ask is to prepend "\33[3J" to your clear_str[]. This even users with
> > older kernel not implementing this code get console cleared.
> 
> Sounds reasonable.
> 
> > If I understand the code correctly, you clear screen only if it's a virtual
> > terminal. I have no idea how usefull is vlock on other terminals (I use
> > "screen" there), so I do not request any change in this matter.
> 
> Ok. This is what I wanted to find out.
> 
> Guys, I want to release the new version of kbd next month. This will
> be the first kbd release with the vlock. Do you have any more
> suggestions on vlock?

 Rename --enable-vlock to --disable-vlock and enable it by default :-)

    Karel

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com

Re: vlock command

[Alexey Gladkov]

15.11.2012 13:48, Karel Zak wrote:
>  Rename --enable-vlock to --disable-vlock and enable it by default :-)

No problem :)

-- 
Rgrds, legion

Re: vlock command

[Petr Pisar]

[-- Attachment #1: Type: text/plain, Size: 418 bytes --]

On Thu, Nov 15, 2012 at 01:35:48PM +0400, Alexey Gladkov wrote:
> Guys, I want to release the new version of kbd next month. This will
> be the first kbd release with the vlock. Do you have any more
> suggestions on vlock?
> 
Yes. Could you please internationalize vlock code (adding the setlocate(),
bindtextdomain(), textdomain(), and _() around all messages)? I'll be happy to
translate it then.

-- Petr

[-- Attachment #2: Type: application/pgp-signature, Size: 230 bytes --]

Re: vlock command

[Karel Zak]

On Thu, Nov 15, 2012 at 03:54:27AM +0400, Dmitry V. Levin wrote:

> Well, could you then explain why do you keep that
> 7 year old vlock-1.3-morepam.patch from Nalin in Fedora vlock package?

...to make it compatible with many others PAM applications. It's
common practice to use pam_authenticate() + pam_acct_mgmt() +
pam_setcred().  I don't think it's good idea to make any exceptions
from this practice.

You need pam_acct_mgmt() to check account validity, expiration etc.

> It does something unnatural for vlock, e.g. pam_acct_mgmt and even
> pam_setcred!  At the same time, the only module in its account stack is
> pam_permit.so.  Weird.

Well, it's only config file, $EDITOR /etc/pam.d/vlock is enough to
make your configuration more paranoid. It's definitely better to
support all the features by binary and define policies in config
files.

    Karel


-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com

Re: vlock command

[Alexey Gladkov]

15.11.2012 14:23, Petr Pisar wrote:
> On Thu, Nov 15, 2012 at 01:35:48PM +0400, Alexey Gladkov wrote:
>> Guys, I want to release the new version of kbd next month. This will
>> be the first kbd release with the vlock. Do you have any more
>> suggestions on vlock?
>>
> Yes. Could you please internationalize vlock code (adding the setlocate(),
> bindtextdomain(), textdomain(), and _() around all messages)? I'll be happy to
> translate it then.

Please check:

http://git.altlinux.org/people/legion/packages/kbd.git

-- 
Rgrds, legion

Re: vlock command

[Petr Pisar]

[-- Attachment #1: Type: text/plain, Size: 778 bytes --]

On Fri, Nov 16, 2012 at 02:01:43PM +0400, Alexey Gladkov wrote:
> 15.11.2012 14:23, Petr Pisar wrote:
> > On Thu, Nov 15, 2012 at 01:35:48PM +0400, Alexey Gladkov wrote:
> >> Guys, I want to release the new version of kbd next month. This will
> >> be the first kbd release with the vlock. Do you have any more
> >> suggestions on vlock?
> >>
> > Yes. Could you please internationalize vlock code (adding the setlocate(),
> > bindtextdomain(), textdomain(), and _() around all messages)? I'll be happy to
> > translate it then.
> 
> Please check:
> 
> http://git.altlinux.org/people/legion/packages/kbd.git
> 
It looks good. Once new catalog appears on the Translation Project, me or the
assigned translator will update Czech translation.

Thanks.

-- Petr

[-- Attachment #2: Type: application/pgp-signature, Size: 230 bytes --]