pin uxer It offers some important security benefits over the traditional startx(1) command.
Which?
"Which" is exactly my question. The quote is from FAQ
rvp nia You can switch VTs and ctrl+C the startx process to get a shell when the screen is locked
Option "DontVTSwitch" can help with that, but, in a kiosk-like setup, a user could get a shell just by exiting the main app.
exec startx
is a generally recommended way to startx
; when I run something in a tty
via exec
and then ^c
, I get logged out, so I get no shell access. Have I missed something?
https://wiki.parabola.nu/Start_X_at_Boot :
There is a significant security difference when using plain startx instead of a login manager. Thus you run startx from your shell you are always able to switch from X (usually on tt7) back to tty1 (Ctrl+Alt+F1
) and gain control over the user shell even when the screen is locked (e.g., via XScreenSaver, i3lock, etc.). A solution: replace exec startx
with exec nohup startx > .xlog & vlock
. This will start X, redirect the print out to ~/.xlog
and lock the shell. Of course you need to install vlock
first.
This I don't completely understand. How does one "gain control over the user shell" if while X
is running, the shell is busy, and when X
quits, the shell quits as well?
Why need a tty
locker?
There also is sx
, "a simple alternative to both xinit(1) and startx(1)", so I would extend the original question to:
xenodm
vs startx
vs sx
And, by now, only 1 concern has been expressed - shell access is potentially gainable, unless you wrap startx
with exec
(and maybe others like nohup
and add a tty
locker), but the FAQ says "benefits", in plural, so what are other benefits?