By default, CentOS v5 requires a user's password when the system wakes up from the screensaver. This can be disabled by each user, but how can I disable this system-wide? Many of my users forget to do this, which results in workstations being locked up. Bob
Joshua Baker-LePain
2011-Jan-19 19:46 UTC
[CentOS] How to disable screen locking system-wide?
On Wed, 19 Jan 2011 at 11:44am, Bob Eastbrook wrote> By default, CentOS v5 requires a user's password when the system wakes > up from the screensaver. This can be disabled by each user, but how > can I disable this system-wide? Many of my users forget to do this, > which results in workstations being locked up.Ctrl-Alt-Bksp will fix that right up. I'm not a big fan of users leaving workstations unsecured when they walk away. -- Joshua Baker-LePain QB3 Shared Cluster Sysadmin UCSF
On Thu, Jan 20, 2011 at 10:34 AM, Sorin Srbu <sorin.srbu at orgfarm.uu.se> wrote:>>-----Original Message----- >>From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On >>Behalf Of Joshua Baker-LePain >>Sent: Wednesday, January 19, 2011 8:47 PM >>To: CentOS mailing list >>Subject: Re: [CentOS] How to disable screen locking system-wide? >> >>> By default, CentOS v5 requires a user's password when the system wakes >>> up from the screensaver. ?This can be disabled by each user, but how >>> can I disable this system-wide? ?Many of my users forget to do this, >>> which results in workstations being locked up. >> >>Ctrl-Alt-Bksp will fix that right up. ?I'm not a big fan of users leaving >>workstations unsecured when they walk away. > > > Wouldn't that kill any programs, or whatever, the user has running? >Yup, and it totally defeats the purpose of what the OP actually wanted todo. Imagine your account being busy with your year-end books, and has to run to the toilet (she is a bit sick) now you come and press CTRL+ALT+Bksp and loose everything she's done. And, if she had a lot of invoices and statements already processed then she may need to redo it. Now, how do you explain to your boss that you just cost him another day with an expensive accountant because you're too ignorant to properly address the issue? -- Kind Regards Rudi Ahlers SoftDux Website: http://www.SoftDux.com Technical Blog: http://Blog.SoftDux.com Office: 087 805 9573 Cell: 082 554 7532
On Thu, Jan 20, 2011 at 7:55 AM, Sorin Srbu <sorin.srbu at orgfarm.uu.se> wrote:>>-----Original Message----- >>From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On >>Behalf Of Tom H >>Sent: Thursday, January 20, 2011 1:03 PM >>To: CentOS mailing list >>Subject: Re: [CentOS] How to disable screen locking system-wide? >> >> >>In our environment, leaving your desk without locking your >>computer/screen is punished with a disciplinary hearing and three such >>hearings result in dismissal. Having one person using another's >>account is considered a security risk. > > Sounds kinda' harsh. May I ask what industry this is in?Finance.>>I don't know the exact path but you can use gconftool-2 (or >>gconf-editor as a GUI) to set the screensaver not to lock (and mimick >>doing so by changing the screensaver preferences in >>"System-Preferences-Screensaver"). > > That's a per-user setting you describe, right?Yes but someone's posted a global gconftool-2 recipe.
On Jan 19, 2011, at 2:44 PM, Bob Eastbrook <baconeater789 at gmail.com> wrote:> By default, CentOS v5 requires a user's password when the system wakes > up from the screensaver. This can be disabled by each user, but how > can I disable this system-wide? Many of my users forget to do this, > which results in workstations being locked up. > > Bob > _______________________________________________ > CentOS mailing list > CentOS at centos.org > http://lists.centos.org/mailman/listinfo/centos
On Jan 19, 2011, at 2:44 PM, Bob Eastbrook <baconeater789 at gmail.com> wrote:> By default, CentOS v5 requires a user's password when the system wakes > up from the screensaver. This can be disabled by each user, but how > can I disable this system-wide? Many of my users forget to do this, > which results in workstations being locked up.Let's try this again... KDE has a multi-user x login feature that allows another user to start a new session keeping the existing session active. It might take a little config mod'ing to get it working, but it works. It works best if there is lots of RAM. -Ross
> By default, CentOS v5 requires a user's password when the system wakes > up from the screensaver. ?This can be disabled by each user, but how > can I disable this system-wide? ?Many of my users forget to do this, > which results in workstations being locked up.Instead of removing the lock on your workstations (big security risk as others have mentioned), why not rather activate the 'user switch' button? If you really need to access a workstation, you can then log in as another user (e.g. admin user) and then do what you want (which may involve killing the guilty session). In gconf-editor, you find this option under: /apps/gnome-screensaver/user_switch_enabled You can then probably apply it system-wide using recommendations of this thread (I haven't tested it). I quickly scanned through the thread, so maybe somebody suggested that already, sorry for the repeat in that case. A bit OT, but something related that I discovered recently: you can explicitly start the screensaver (and thus the lock) with Ctrl+Alt+L (instead of looking for the button in the GNOME menu).
On Thursday, January 20, 2011 03:54:45 am Rudi Ahlers wrote:> Yup, and it totally defeats the purpose of what the OP actually wanted > todo. Imagine your account being busy with your year-end books, and > has to run to the toilet (she is a bit sick) now you come and press > CTRL+ALT+Bksp and loose everything she's done. And, if she had a lot > of invoices and statements already processed then she may need to redo > it. Now, how do you explain to your boss that you just cost him > another day with an expensive accountant because you're too ignorant > to properly address the issue?An IT admin should not be accessing the accountant's PC without the accountant or another financial person present, for control reasons (control in the financial, SCI, and auditing sense). There are significant regulatory compliance issues with your specific example.... :-) Just because it's company data doesn't mean it's open season for any IT admin to access. This is likely why CTRL-ALT-BACKSPACE is off by default, too. If the PC is another IT admin's PC, that's a different story. But even then there are significant accountability issues, as when workstations are left unlocked anyone can come up and then do something as that user. I understand what the OP wants to do, but honestly I think it's a bad idea to do it. If the setting is changed it should be on a per-user basis, since at that point the user can know about it, and there is a degree of informed consent there. There may be a knob to do it, but I think there could be liability issues for tweaking that knob, which essentially changes all user's preferences without their informed consent. I know that I would not do this in my environment, because I don't want that liability. But it definitely depends upon your specific environment. And, yes, users need to log out, and many places do fairly harsh discipline if a workstation isn't either locked or logged out in the user's absence.
On Thursday, January 20, 2011 06:02:38 am Giles Coochey wrote:> Data and Accounts are distinct, and the policies regarding their use > should be distinct too.+1. The third 'A' of triple-A (AAA) is accountability. If you share accounts you defeat accountability. This has nothing to do with data access, or user home directory data access; yes, there should be mechanisms in place for monitoring. But those mechanisms need their own accountability, too. The access should be done only by an account authorized to do so. Without accountability, authentication and authorization don't mean a whole lot.
On Thursday, January 20, 2011 09:36:09 am Ross Walker wrote:> With Amazon's cloud services now I guess they'll have to cut it down to 7 days, or require finger print or retinal eye scans...Fingerprints are too easily faked. Mythbusters did it in a 'Crime and Mythdemeanors' episode a few years ago.
And in those nine years you claim to have had at least one major security incident. It beggars my belief.... You now publicly declare that your company not just advocates the sharing of passwords, but certainly encourages it, if not make it compulsory. If you were to have another security incident you would probably be hard pressed to be able to point the finger at anyone, especially as your lax security procedures are now public knowledge. Troll? Sorry for top posting Sent from my HTC Smartphone ----- Reply message ----- From: "Rudi Ahlers" <Rudi at SoftDux.com> Date: Thu, Jan 20, 2011 17:44 Subject: [CentOS] How to disable screen locking system-wide? To: "CentOS mailing list" <centos at centos.org> On Thu, Jan 20, 2011 at 6:29 PM, Giles Coochey <giles at coochey.net> wrote:> On 20/01/2011 17:11, Rudi Ahlers wrote: >> >> The message I'm trying to bring across is that users in the company >> shouldn't have passwords which admin doesn't know, or can't access. >> The PC's and data, well at least in our company, is the property of >> the company. Making it more difficult for an engineer to gain access >> to a user's PC automatically arises suspicion >> > > Hi Rudi, > > Your stance on this is counter-intuitive to me, are you able to cite any > good reference which recommends that administrators know user passwords? > > --No, I can't. But I've been running a hosting & development company for 9 years now and this is the first problem I get out of the way right on the first day of an employees job. I'm personally involved in the accounts department (when I actually get time) since I want to know what goes on in my company. I also work close with the developers when needed. We trust everyone in the office, and being it an open-plan office, it's easy to see if someone is at someone else's desk when they're not supposed to be. Staff logoff and shutdown every night, so that's not an issue. But, it is a big issue when a staff member goes on leave, or even just on lunch and switch-off their cellphones and I can't get hold of them to get a password to login to a PC if I need to. The account PC, for that matter is encrypted, with no network access so one needs to be in front if it to access the data. User accounts also doesn't mean much to me. I know how it sounds, but I care more about the data than the user's account. As long as I can access whatever I want, whenever I want. -- Kind Regards Rudi Ahlers SoftDux Website: http://www.SoftDux.com Technical Blog: http://Blog.SoftDux.com Office: 087 805 9573 Cell: 082 554 7532 _______________________________________________ CentOS mailing list CentOS at centos.org http://lists.centos.org/mailman/listinfo/centos -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.centos.org/pipermail/centos/attachments/20110120/94bda978/attachment-0002.html>
m.roth at 5-cent.us
2011-Jan-20 18:37 UTC
[CentOS] How to disable screen locking system-wide?
Giles Coochey wrote:> And in those nine years you claim to have had at least one major security > incident. > It beggars my belief.... > From: "Rudi Ahlers" <Rudi at SoftDux.com> > On Thu, Jan 20, 2011 at 6:29 PM, Giles Coochey <giles at coochey.net> wrote: >> On 20/01/2011 17:11, Rudi Ahlers wrote:<snip>> I'm personally involved in the accounts department (when I actually > get time) since I want to know what goes on in my company. I also work > close with the developers when needed. We trust everyone in the > office, and being it an open-plan office, it's easy to see if someone > is at someone else's desk when they're not supposed to be.<snip> Another reason I'd only work for you if I had no other options: I've worked in a pretty-much "open plan" office, and *LOATHE* it. Not only *zero* privacy, but *far* too much noise and distraction to concentrate. I remember working at the Scummy Mortgage Co (name available upon request) many years ago, with five desks, and the sr programmer and the analyst on the phone 60% or 70% of the time. I had a tape player, to listen to some training tapes; when I'd finished them, I put in some music. My boss came by, asked if I was done the training, and I told him I had music on, to make it easier to concentrate and increase my productivity. He told me to take them off and increase my productivity. Open-plan office, *crap*. Do the managers or execs work in them, too? mark
On Thursday, January 20, 2011 03:11:00 pm Mike McCarty wrote:> That does not preclude access to the machine's content. Anyone > with root access should be able to do that. You shouldn't > have to log in AS THAT USER in order to access the computer's > content.Although I have seen in the case of Windows, installed to NTFS, and set with 'make your files private' when you first set up a password, that if even if you log in as Administrator you can't necessarily see all users' files, at least not through file sharing. It has been a long time since I've put that to the test on the local console. Makes it a pain to do whole machine virus scans from the Administrator account, and makes it a bigger pain to do backups using the semi-documented $ shares when file sharing is enabled in the firewall. I've never experienced that on Linux, but it is possible to set up the SELinux policy in a way that 'ordinary' root can't do everything, that you have to be in a different context.
On Thu, Jan 20, 2011 at 12:45 PM, Giles Coochey <giles at coochey.net> wrote:> > And in those nine years you claim to have had at least one major security > incident. > It beggars my belief.... > You now publicly declare that your company not just advocates the sharing of > passwords, but certainly encourages it, if not make it compulsory. > If you were to have another security incident you would probably be hard > pressed to be able to point the finger at anyone, especially as your lax > security procedures are now public knowledge. > > Troll?I don't think that he's a troll; he's posted many times here in the past. He's probably never worked in a properly-structured environment and he'll change his mind the day that some servers are killed, intentionally or not, and admins'll point fingers at each other because everyone can logon as everyone else.
Seemingly Similar Threads
- OT: looking for system Rescue CD with LSI MegaRAID 8708EM2 drivers pre-installed
- Accounting package recommendations
- Xen3.2 documentation?
- Re: unable to access Linux HVM via xm console - Couldnot read tty from store: No such file or directory
- preferred XEN dom0 OS