--- /dev/null
+[Screen][] is a [ncurses][]-based terminal multiplexer. There are
+tons of useful things you can do with it, and innumerable blog posts
+describing them. I have two common use cases:
+
+* On my local host when I don't start X Windows, I login to a
+ virtual terminal and run `screen`. Then I can easily open several
+ windows (e.g. for [[Emacs]], [[Mutt], [[irssi]], …) without having
+ to log in on another virtual terminal.
+* On remote hosts when I'm doing anything serious, I start `screen`
+ immediately aftering [[SSH]]-ing into the remote host. Then if my
+ connection is dropped (or I need to disconnect while I take the
+ train in to work), my remote work is waiting for me to pick up where
+ I left off.
+
+Treehouse X
+===========
+
+Those are useful things, but they are well covered by others. A few
+days ago I though of a cute trick, for increasing security on my local
+host, which lead me to finally write up a `screen` post. I call it
+“treehouse X”. Here's the problem:
+
+You don't like waiting for X to start up when a virtual terminal is
+sufficient for your task at hand, so you've set your box up without a
+graphical login manager. However, sometimes you *do* need a graphical
+interface (e.g. to use fancy characters via [[Xmodmap]] or the
+[[Compose_key]]), so you fire up X with `startx`, and get on with your
+life. But wait! You have to leave the terminal to do something else
+(e.g. teach a class, eat dinner, sleep?). Being a security-concious
+bloke, you lock your screen with [xlockmore][] (using your [[Fluxbox]]
+[hotkeys][]). You leave to complete your task. While you're gone
+Mallory sneaks into your lab. You've locked your X server, so you
+think you're safe, but Mallory jumps to the virtual terminal from
+which you started X (using `Ctrl-Alt-F1`, or similar), and kills your
+`startx` process with `Ctrl-c`. Now Mallory can do evil things in
+your name, like adding `export EDITOR=vim` to your `.bashrc`.
+
+So how do you protect yourself against this attack? Enter `screen`
+and treehouse X. If you run `startx` from within a `screen` session,
+you can jump back to the virtual terminal yourself, detach from the
+sesion, and log out of the virtual terminal. This is equivalent to
+climing into your treehouse (X) and pulling up your rope ladder
+(`startx`) behind you, so that you are no longer vulnerable from the
+ground (the virtual terminal). For kicks, you can reattach to the
+screen session from an `xterm`, which leads to a fun chicken-and-egg
+picture:
+
+[[!img treehouse-X.png
+ alt="startx → X → Xterm → Screen → startx cycle"
+ caption="startx → X → Xterm → Screen → startx cycle"]]
+
+Of course the whole situation makes sense when you realize that it's
+really:
+
+ $ pstree 14542
+ screen───bash───startx───xinit─┬─X
+ └─fluxbox───xterm───bash───screen
+
+where the first `screen` is the server and the second `screen` is the
+client.
+
+[screen]: http://www.gnu.org/software/screen/
+[ncurses]: http://www.gnu.org/software/ncurses/
+[xlockmore]: http://www.tux.org/~bagleyd/xlockmore.html
+[hotkeys]:
+ http://git.tremily.us/?p=dotfiles-public.git;a=blob;f=src/.fluxbox/keys;hb=HEAD
+
+[!tag tags/tools]
+[!tag tags/linux]
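Review bot: The wiki markup is unbalanced in two places and will not render as intended. In the first bullet, `[[Mutt],` is missing its second closing bracket, unlike the neighbouring `[[Emacs]]` and `[[irssi]]`. The two closing `[!tag tags/tools]` and `[!tag tags/linux]` lines use single brackets, while the `[[!img treehouse-X.png ...]]` directive above uses double brackets. If the tags are meant to be the same kind of directive, they should read `[[!tag tags/tools]]` and `[[!tag tags/linux]]`. The prose also needs a spelling pass before merge: "aftering" should be "after", "though of" should be "thought of", "which lead me" should be "which led me", and "security-concious", "sesion" and "climing" are misspelled. Finally, the treehouse paragraph says to detach and log out of the virtual terminal, but never states that the X session survives because the `screen` server keeps `startx` running. That fact only appears implicitly in the `pstree` output, so a sentence saying it outright would make the mitigation easier to follow.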