[snip]
Is there a way to prevent a user from "emulating" a login screen (especially for the console)?
This is a difficult problem. You can't really tell if somebody emulates a login screen. You need to kill all processes accessing the console at the time before a password is entered by a user. Basically, only three ideas come to my mind, of which the last is the most suitable:
On X (xdm, kdm, gdm), the admin could remove the suid bit from the Xwrapper program (that runs the X-server, finally). Before the user logs on, he could kill the running X-server using the ctrl-alt-backspace method. Then a new X-server comes up, which can only be started as root from (x|k|g)dm.
The second solution is using the sysrq (system request) magic from the kernel (v2.2+). sysrq-k kills all programs running on the current virtual console. Very handy at times if you play around with realtime stuff... :-) Downside: It is possible for a user to boot the machine and do other nasty stuff.
The last one that comes to my mind is a small script or program that is started by init and that kills all non-root (and possibly others) programs on the machine. It could be bound to ctrl-alt-del like the following (/etc/inittab):
ca::ctrlaltdel:/bin/fuser -k /dev/tty[1-6]
Unfortunately, this will be executed only once, since init remembers that it already did so. So this requires either a small init hack or another line in /etc/inittab as well as a little shell script, looking like this:
ca::ctrlaltdel:/root/bin/camperkiller
/root/bin/camperkiller is:
    #!/bin/sh
    # don't kill processes on tty7: X!
    /bin/fuser -k /dev/tty[1-6]
    # want X to be killed, too? Do it gracefully, no KILL signal!
    /bin/fuser -k -TERM /dev/tty7
    /bin/sleep 2
    # re-execute init so that it forgets ctrl-alt-del was already handled
    /sbin/init U
Thanks a lot! It works great. Except that you can remap Alt and then Ctrl-Alt-Del no longer works on the console. Maybe it still does for X (have not tried that).
This works quite nicely. Since the X-server starts up, it changes VT. So upon X-setup (/usr/X11R6/lib/X11/xdm/Xsetup), you could use 'chvt 2' and display a message there that the users should hit ctrl-alt-del (do this in /etc/issue!).
Michael Roman.
Thanks, Michael
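
A variant of the handler discussed above, as an added example that is not part of the original thread: it signals only non-root processes that hold tty1 to tty6 open, so root-owned getty and login processes stay up, whereas the thread's script kills every holder. It assumes psmisc `fuser` and procps `ps`; the function names and the `--sweep` switch are this example's own.

```sh
#!/bin/sh
# Added example, not the script from the thread: signal only non-root
# processes that hold a console device open. Assumes psmisc fuser, procps ps.

# stdin: "PID UID" pairs. stdout: unique PIDs to signal, skipping root-owned
# processes, init (PID 1), this script ($1) and malformed lines.
select_targets() {
    awk -v self="$1" '
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ &&
        $2 != 0 && $1 != 1 && $1 != self { print $1 }' | sort -un
}

# Print "PID UID" for every process that has one of the given devices open.
holders() {
    for dev in "$@"; do
        [ -c "$dev" ] || continue
        # fuser writes PIDs to stdout and everything else to stderr
        for pid in $(fuser "$dev" 2>/dev/null); do
            uid=$(ps -o uid= -p "$pid" 2>/dev/null) || continue
            echo "$pid $uid"
        done
    done
}

# TERM first, then KILL; holders are re-enumerated before each signal so a
# PID that has already exited is not signalled again.
sweep() {
    for sig in TERM KILL; do
        targets=$(holders "$@" | select_targets "$$")
        [ -n "$targets" ] || return 0
        kill -"$sig" $targets 2>/dev/null || true
        sleep 2
    done
}

# "--sweep" is this example's own switch; without it nothing is killed.
if [ "${1:-}" = "--sweep" ]; then
    sweep /dev/tty1 /dev/tty2 /dev/tty3 /dev/tty4 /dev/tty5 /dev/tty6
    /sbin/init U    # as in the thread's script
fi
```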