From: W. Trevor King Date: Sat, 10 Mar 2012 14:04:04 +0000 (-0500) Subject: Add Screen post discussing treehouse X. X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=ca0bde59b706ce7f7588be2c3785f03989aafff8;p=blog.git Add Screen post discussing treehouse X. --- diff --git a/posts/Screen.mdwn b/posts/Screen.mdwn new file mode 100644 index 0000000..62a6020 --- /dev/null +++ b/posts/Screen.mdwn @@ -0,0 +1,69 @@ +[Screen][] is a [ncurses][]-based terminal multiplexer. There are +tons of useful things you can do with it, and innumerable blog posts +describing them. I have two common use cases: + +* On my local host when I don't start X Windows, I login to a + virtual terminal and run `screen`. Then I can easily open several + windows (e.g. for [[Emacs]], [[Mutt], [[irssi]], …) without having + to log in on another virtual terminal. +* On remote hosts when I'm doing anything serious, I start `screen` + immediately aftering [[SSH]]-ing into the remote host. Then if my + connection is dropped (or I need to disconnect while I take the + train in to work), my remote work is waiting for me to pick up where + I left off. + +Treehouse X +=========== + +Those are useful things, but they are well covered by others. A few +days ago I though of a cute trick, for increasing security on my local +host, which lead me to finally write up a `screen` post. I call it +“treehouse X”. Here's the problem: + +You don't like waiting for X to start up when a virtual terminal is +sufficient for your task at hand, so you've set your box up without a +graphical login manager. However, sometimes you *do* need a graphical +interface (e.g. to use fancy characters via [[Xmodmap]] or the +[[Compose_key]]), so you fire up X with `startx`, and get on with your +life. But wait! You have to leave the terminal to do something else +(e.g. teach a class, eat dinner, sleep?). Being a security-concious +bloke, you lock your screen with [xlockmore][] (using your [[Fluxbox]] +[hotkeys][]). You leave to complete your task. While you're gone +Mallory sneaks into your lab. You've locked your X server, so you +think you're safe, but Mallory jumps to the virtual terminal from +which you started X (using `Ctrl-Alt-F1`, or similar), and kills your +`startx` process with `Ctrl-c`. Now Mallory can do evil things in +your name, like adding `export EDITOR=vim` to your `.bashrc`. + +So how do you protect yourself against this attack? Enter `screen` +and treehouse X. If you run `startx` from within a `screen` session, +you can jump back to the virtual terminal yourself, detach from the +sesion, and log out of the virtual terminal. This is equivalent to +climing into your treehouse (X) and pulling up your rope ladder +(`startx`) behind you, so that you are no longer vulnerable from the +ground (the virtual terminal). For kicks, you can reattach to the +screen session from an `xterm`, which leads to a fun chicken-and-egg +picture: + +[[!img treehouse-X.png + alt="startx → X → Xterm → Screen → startx cycle" + caption="startx → X → Xterm → Screen → startx cycle"]] + +Of course the whole situation makes sense when you realize that it's +really: + + $ pstree 14542 + screen───bash───startx───xinit─┬─X + └─fluxbox───xterm───bash───screen + +where the first `screen` is the server and the second `screen` is the +client. + +[screen]: http://www.gnu.org/software/screen/ +[ncurses]: http://www.gnu.org/software/ncurses/ +[xlockmore]: http://www.tux.org/~bagleyd/xlockmore.html +[hotkeys]: + http://git.tremily.us/?p=dotfiles-public.git;a=blob;f=src/.fluxbox/keys;hb=HEAD + +[!tag tags/tools] +[!tag tags/linux] diff --git a/posts/Screen/treehouse-X.png b/posts/Screen/treehouse-X.png new file mode 100644 index 0000000..0b3a8a1 Binary files /dev/null and b/posts/Screen/treehouse-X.png differ