pin uxer It offers some important security benefits over the traditional startx(1) command.
"Which" is exactly my question. The quote is from FAQ
rvp nia You can switch VTs and ctrl+C the startx process to get a shell when the screen is locked
Option "DontVTSwitch" can help with that, but, in a kiosk-like setup, a user could get a shell just by exiting the main app.
exec startx is a generally recommended way to startx; when I run something in a exec and then ^c, I get logged out, so I get no shell access. Have I missed something?
There is a significant security difference when using plain startx instead of a login manager. If you run startx from your shell, you are always able to switch from X (usually on tty7) back to tty1 (Ctrl+Alt+F1) and gain control over the user shell even when the screen is locked (e.g., via XScreenSaver, i3lock, etc.). A solution: replace exec startx with exec nohup startx > .xlog & vlock. This will start X, redirect the printout to ~/.xlog and lock the shell. Of course you need to install
This I don't completely understand. How does one "gain control over the user shell" if while X is running, the shell is busy, and when X quits, the shell quits as well?
Why need a
There also is sx, "a simple alternative to both xinit(1) and startx(1)", so I would extend the original question to:
And, by now, only 1 concern has been expressed - shell access is potentially gainable, unless you wrap exec (and maybe others like nohup and add a tty locker), but the FAQ says "benefits", in plural, so what are other benefits?