This repository has been archived by the owner on Nov 4, 2021. It is now read-only.
Merge branch 'release-0.3'
sebastianriese committed Apr 24, 2018
2 parents 9e1bb08 + f8c11a9 commit 323469f
Showing 16 changed files with 372 additions and 288 deletions.
16 changes: 14 additions & 2 deletions CHANGELOG
@@ -1,6 +1,18 @@
Release xxx:
• Enhancement: Make pyxtrlock conform to the XDG specification. Patch by
Cristian Ciupitu.
• Enhancement: Ship script to create an empty lock symbol. Patch by Alexander
Klink.
• Enhancement: Retry grabbing the keyboard as well as the mouse to
prevent issues when starting pyxtrlock from a keyboard shortcut.
Patch by Nils Ballmann.
• Enhancement: Support the XSS_SLEEP_LOCK_FD protocol implemented by
xss-lock with the option -l to inhibit standby/hibernate/... until
the the screen is locked.

Release 0.2 :
• Security: Check correctly for the result of the
xcb_grab_{pointer,keyboard} commands
xcb_grab_{pointer,keyboard} commands (CVE-2013-4427).
• Security: Limit length of buffered password to prevent memory exhaustion
(this is a real concern when attacked with custom hardware which
simulates most rapid keystrokes)
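Review bot: the new section is still headed "Release xxx:" even though this merge is the 0.3 release; set it to "Release 0.3:" before tagging so that the entry carrying the new XSS_SLEEP_LOCK_FD behaviour is not left unversioned above the CVE-bearing 0.2 history. The XSS_SLEEP_LOCK_FD entry also reads as if -l were a pyxtrlock option; say that -l is passed to xss-lock (as in the README's `xss-lock -l -- pyxtrlock`) so users do not try `pyxtrlock -l`. Minor: "until the the screen is locked" repeats "the".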
Expand All @@ -11,4 +23,4 @@ Release 0.2 :
Release 0.1:
• [#8] Security: Fixed a typo that could in some circumstances lead to a
crash after multiple failed authentication attempts. Thanks,
Paul Lhussiez.
Paul Lhussiez (CVE-2013-4426).
3 changes: 1 addition & 2 deletions MANIFEST.in
@@ -1,3 +1,2 @@
include COPYING CHANGELOG README.md
include tools/*.py tools/README
include make_default_lock.py
include bin/make_lock.py doc/make_lock.txt
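Review bot: dropping `make_default_lock.py` and `tools/*.py` from the manifest is only safe if nothing outside this diff still calls them; confirm that setup.py no longer runs `make_default_lock.py` at install time and that `bin/make_lock.py` is also registered as an installed script (or documented as run from the source tree), otherwise an sdist built from this manifest will reference files it does not ship.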
66 changes: 49 additions & 17 deletions README.md
Expand Up @@ -4,7 +4,7 @@ pyxtrlock
``pyxtrlock`` is a rewrite of Ian Jackson's great ``xtrlock`` program using
modern libraries, most importantly the obsolete direct passwd/shadow
authentication has been replaced by today's
[PAM](http://en.wikipedia.org/wiki/Pluggabe_authentication_module) authentication
[PAM](https://en.wikipedia.org/wiki/Pluggable_authentication_module) authentication
mechanism, hence it also works on Fedora. Also, it's mostly written using
[XCB](http://xcb.freedesktop.org/) instead of Xlib, although some Xlib/XCB
interaction is still necessary. As soon as XCB can provide the required
Expand Down Expand Up @@ -38,6 +38,9 @@ dependencies:
$ cd python3-simplepam
$ sudo python3 setup.py install

Install pyxdg, which is available as python3-pyxdg or similar in most Linux
distributions.

Clone and install pyxtrlock:

$ git clone git://github.com/leonnnn/pyxtrlock.git
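Review bot: the clone command in the unchanged context uses `git://github.com/leonnnn/pyxtrlock.git`; the git:// transport is unauthenticated and unencrypted, which is a poor fit for installing a screen locker, so switch the instruction to `https://github.com/leonnnn/pyxtrlock.git` while this paragraph is being edited. The added pyxdg step is fine but could name the pip fallback for distributions that do not package it.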
Expand All @@ -56,9 +59,34 @@ we recommend the ``xautolock`` tool. Just add something like
to your X autostart file to lock the screen with ``pyxtrlock`` after 5
minutes idle time. ``xautolock`` has many other useful features, see
its documentation. Most distributions provide an ``xautolock`` package
with a man page. An alternative to ``xautolock`` is the use of
[autolockd](https://github.com/zombofant/autolockd) which also
monitors for lid close and suspend events.
with a man page.

An modern alternative to ``xautolock`` is ``xss-lock`` which
integrates with ``systemd-logind`` and manages locking on idleness and
lid close events. ``pyxtrlock`` supports the ``XSS_SLEEP_LOCK_FD``
protocol used by ``xss-lock -l`` to delay system standby until the
screen is locked, the recommended way to start ``pyxtrlock`` with
``xss-lock`` is:

xss-lock -l -- pyxtrlock

to explicitly lock the screen use:

loginctl lock-session

Staying up-to-date
------------------
As pyxtrlock is a security tool, it is important to stay up-to-date with
security updates. We take security seriously and try to handle any
vulnerabilities quickly. However, our efforts are useless if the users
aren’t notified that updates are available, so if you use pyxtrlock, we
urge you to subscribe to
[the pyxtrlock mailing list](http://lists.zombofant.net/mailman/listinfo/pyxtrlock).
This list is likely very low traffic and will ensure you get
notifications of security updates in time.

We also appreciate any feedback you have regarding pyxtrlock on this
mailing list.

Bugs & Limitations
------------------
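Review bot: the xss-lock paragraph should state at what point pyxtrlock signals on the XSS_SLEEP_LOCK_FD descriptor (presumably only after the keyboard and pointer grabs have succeeded), because the whole value of `xss-lock -l` is that standby is delayed until the screen is actually locked rather than until the process has merely started. Wording: "An modern alternative" should be "A modern alternative"; split the comma splice "... until the screen is locked, the recommended way to start ..." into two sentences; and "to explicitly lock the screen use:" needs a capital and a full stop. The mailing-list link is plain http://; prefer https:// if the list server supports it.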
Expand All @@ -68,32 +96,36 @@ Although this is not a bug, please note that pyxtrlock does not
prevent a user from switching to a virtual terminal, so be advised to
always log out from your terminals.

The lenght of the password is limited to 100 KiB to prevent memory
The length of the password is limited to 100 KiB to prevent memory
exhaustion attacks. This limit can only be adapted in the source code.

The width and height of the cursor bitmaps is limited to 512 pixels
(primarily to protect the user from faulty cursor files). This limit
can be only adapted in the source code.

Please report any new bugs you may find to our
[Github issue tracker](https://github.com/leonnnn/pyxtrlock/issues).

Configuration
-------------
The padlock icon can be changed. It is stored as a
[pickle](http://docs.python.org/3/library/pickle.html) of a
dictionary, and the ``tools`` directory contains a tool for generating
cursors from image files.
The padlock icon can be changed. While the default lock is stored in
the source code, an alternative lock can be stored in one of the the
xdg data paths for pyxtrlock.

The default cursor file is placed at
``PREFIX/share/pyxtrlock/lock.pickle`` while the cursor file at
``~/.config/pyxtrlock/lock.pickle`` takes precedence if present.
The user configured lock is stored as a json file containing the
necessary information. ``bin/make_lock.py`` is a tool for generating
cursors from image files. See ``doc/make_lock.txt`` for the full
documentation of the tool.

*PLEASE NOTE:* The ``pickle`` file format is not designed to be
resistant against maliciously crafted files. Therfore do not open
``pickle`` files from untrusted sources as they may compromise your
system. The default padlock file is created on install (by
``make_default_lock.py``).
Note, that even though loading json does not allow arbitrary code
execution and the cursor data is checked for consistency, cursor files
should be created on your machine and should not be installed from
untrusted sources.

Requirements
------------
* [python3-simplepam](https://github.com/leonnnn/python3-simplepam)
* [pyxdg](http://freedesktop.org/Software/pyxdg)
* Python ≥ 3.0
* libxcb
* libxcb-image
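Review bot: the rewritten Configuration section loses the concrete paths the old text gave (`PREFIX/share/pyxtrlock/lock.pickle` and the user override under `~/.config/pyxtrlock/`); name the XDG locations actually searched (for example under `$XDG_DATA_HOME` and `$XDG_DATA_DIRS`) and which one wins, otherwise users migrating from a pickle lock file have no way to know where to put the new json file. The trust note is a clear improvement over pickle, but it would be stronger if it said what "checked for consistency" covers (for instance the 512 pixel cursor limit mentioned above). Typos: "one of the the xdg data paths" repeats "the", and "Note, that" should be "Note that".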

0 comments on commit 323469f