OVERVIEW
========

vlock is a denial of service tool. Linux allows any user logged into the
virtual console to lock the system completely. vlock takes this one step
further and potentially grants this ability (and potentially other, even more
hazardous ones) to any user through the use of plugins.

The default installation sets permissions that allow only users in the vlock
group to run dangerous modules. Others will still be able to lock their own
console or terminal and run plugins that are considered secure.

This behavior is configurable through ./configure options or by editing
config.mk.

DETAILS
=======

vlock-main allows plugins to extend its functionality. These plugins are
separated into two groups: modules and scripts. Both are only loaded from
locations that are specified at compile time. It is extremely important that
these directories are only writable by privileged users.

MODULES
-------

Modules are shared objects that are loaded into vlock's address space. Because
vlock will most likely be installed setuid-root, care must be taken that these
modules are secure themselves and that access to potentially dangerous modules
is limited to trusted users. UNDER NO CIRCUMSTANCES MUST UNPRIVILEGED USERS BE
ALLOWED TO PUT THEIR OWN MODULES INTO VLOCK'S MODULE DIRECTORY. Doing this
would allow them to run any code they want with elevated privileges, i.e.
as root.

SCRIPTS
-------

Scripts may be any kind of executables located in vlock's script directory.
They are run with lowered privileges, i.e. the same as the user who
started vlock, in a separate process. They also don't have direct access to
the terminal vlock runs on and thus may be considered a relatively secure
alternative to modules. For any privileged operations they want to perform
they have to use helpers such as sudo. Although less dangerous than modules,
vlock's script directory must still be protected the same as the module
directory.
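
The requirement above, that the module and script directories are writable
only by privileged users, can be checked after installation. The following is
an added example, not part of vlock: the function name is hypothetical and the
directory is passed as an argument because the real paths are fixed at compile
time. It inspects the directory tree only, not its parent directories.

```sh
#!/bin/sh
# Added example: audit a vlock plugin directory for entries that a
# non-privileged user could modify or replace.

# audit_plugin_dir DIR [OWNER]
# Prints one line per finding and returns 1 if there are any.
# OWNER defaults to root; it is a parameter only so that the check can be
# exercised on a scratch directory by a non-root user.
audit_plugin_dir() {
    dir=$1
    owner=${2:-root}

    # The directory itself must exist and must not be a symlink, otherwise
    # whoever controls the link target controls what gets loaded.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        echo "not-a-real-directory: $dir"
        return 1
    fi

    findings=$(
        # Anything writable by group or other. Symlinks are skipped here
        # because their own mode bits carry no meaning.
        find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print |
            sed 's/^/group-or-world-writable: /'
        # Anything not owned by the privileged owner.
        find "$dir" ! -user "$owner" -print |
            sed "s/^/not-owned-by-$owner: /"
        # Symlinks inside the tree may point at a user-writable location.
        find "$dir" -type l -print |
            sed 's/^/symlink-needs-review: /'
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Typical use, with placeholder paths:
#   audit_plugin_dir /path/to/vlock/modules
#   audit_plugin_dir /path/to/vlock/scripts
```

Run it as root against both directories; a non-zero return means at least one
entry needs its ownership or mode corrected.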