15

Looks like it is easy to log keystrokes of all processes of the same user. A basic keylogger is 'xinput'.

xinput test-xi2

The command generates a log of all key presses. Unfortunately, this includes passwords in gnome-terminal. Googling suggested that grabbing the keyboard may prevent other windows from capturing keystrokes.

Is there a way to prevent XI2 logging in gnome-terminal? Or is there an X terminal that has this feature?

yanychar
  • 622

3 Answers

13

It's not possible, as any keystrokes passed on to the X server will be available to xinput or any arbitrary program. (In fact, it's part of the design.) New display servers like Wayland and Mir are fixing such security problems in X. The only real solution would be to use Wayland or Mir instead of X. This blog post details this issue.

  • So input to gksu for password also goes to xinput? – yanychar Sep 24 '13 at 18:11
  • 1
    @yanychar yup, actually I found out about this method of key logging through this blog post: http://theinvisiblethings.blogspot.in/2011/04/linux-security-circus-on-gui-isolation.html (even I was surprised the first time I read the blog post) – Ramchandra Apte Sep 25 '13 at 04:20
  • 3
    X11 actually has untrusted mode which you can use to prevent programs from accessing "bad" extensions - https://www.x.org/wiki/Development/Documentation/Security/ – Michał Zieliński May 11 '16 at 13:49
  • I found out this is incorrect: i3lock-color somehow prevents sniffing the password that is being typed via xi2. – L29Ah Sep 23 '22 at 03:01
-2

Not really. Even if you somehow manage to grab the keyboard within X (I don't know whether this is even possible, I doubt that), a keylogger utility running as root will always have access to the keyboard.

January
  • 35,952
  • 4
    The command above grabs the keyboard within X without root privilege. So it is trivial to install a keylogger on an Ubuntu desktop. The question is how to avoid this. – yanychar Jan 12 '13 at 15:45
-4

As others said here, it's not possible to protect only a program like gnome-terminal or another terminal from key logging, unless you restrict standard users from executing any key logger or you stop/pause any key logger process.

Next I will show you how you can do this in the case of the xinput command, but the same methods can be used for any other key logger. If a key logger uses the xinput command, it is not necessary to apply the method to it as long as you apply it to xinput.

1. Restrict standard users from using the xinput command

You can restrict standard users from using the xinput command with the following command:

sudo chmod go-x /usr/bin/xinput

2. Restrict standard users from using the xinput command with the test-xi2 argument

You can restrict standard users from using the xinput command with the test-xi2 argument by writing a wrapper for this command. To do this, open a terminal and follow the instructions below:

  • Get root privileges:

    sudo -i
    
  • Move the xinput file to another directory which is not in any user's PATH (for example /opt):

    mv /usr/bin/xinput /new/path/to/xinput
    
  • Create your wrapper for the xinput command in /usr/bin:

    gedit /usr/bin/xinput
    

    Add the following script inside:

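    #!/bin/bash
    # Deny "test-xi2" to non-root users; pass every other call to the real binary.
    # "$*" joins all arguments into one string so the test works with several arguments.
    if [ "$*" != "${*/test-xi2/}" ] && [ "$(whoami)" != "root" ]; then
        echo "$(basename "$0") $*: Permission denied"
    else
        /new/path/to/xinput "$@"
    fi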
    

    Save the file and close it.

  • Make the new wrapper executable:

    chmod +x /usr/bin/xinput
    

While the first method is safe, with the second method the user may still circumvent it by calling the original xinput directly if he knows its new location.

3. Stop/pause any xinput process

You can stop or pause any xinput process before entering a password or anything else that you don't want to be logged. To do this, add the following bash function at the end of your ~/.bashrc file:

processof () {
    # Usage: processof <process_name> [stop|pause|continue]
    local pids pid
    pids=$(pidof "$1")
    if [ -z "$pids" ]; then
        echo "Nothing to stop/pause/continue. $1: no such process!"
        return
    fi
    for pid in $pids; do
        case $2 in
        "stop")
            kill "$pid"          # default signal: SIGTERM
            echo "$1: stopped"
            ;;
        "pause")
            kill -STOP "$pid"    # suspend the process
            echo "$1: paused"
            ;;
        "continue")
            kill -CONT "$pid"    # resume a suspended process
            echo "$1: continue"
            ;;
        *)
            echo "$1 is running"
            ;;
        esac
    done
}

Now, after you reopen your terminal, anytime you want, using this function you can:

  • stop/kill all xinput processes:

    processof xinput stop
    
  • pause all xinput processes:

    processof xinput pause
    
  • resume all xinput processes:

    processof xinput continue
    

In fact, with this function you can stop/pause any process you wish before doing something (such as entering the password):

processof [process_name] [stop|pause|continue]

If you don't know how to detect an active keylogger on your system, see:

These methods may not be the best solutions, but I hope to give you an idea about what you can do...

Radu Rădeanu
  • 169,590
  • 5
    xinput is just an example of a keylogger. The question is about protecting input from every possible keylogger. – yanychar Sep 24 '13 at 18:13
  • @yanychar This was just an example of how you can restrict access to xinput. In the same manner you can restrict access to anything else that makes you think it is a keylogger. If you are the administrator of the system, nothing can stop you from doing this. In fact you should know everything that moves in your system. – Radu Rădeanu Sep 24 '13 at 18:50
  • 5
    Any program can connect to the X server through sockets and keylog, it's not even required that the key logger uses an external program. – Ramchandra Apte Sep 25 '13 at 04:21
  • @RamchandraApte So, where is the problem? – Radu Rădeanu Sep 25 '13 at 04:31
  • 3
    @RaduRădeanu your solution is ineffective and useless. xinput isn't even SUID (-rwxr-xr-x 1 root root 48504 Aug 15 2012 /usr/bin/xinput) – Ramchandra Apte Sep 25 '13 at 04:32
  • @RamchandraApte What makes you think this? – Radu Rădeanu Sep 25 '13 at 04:33
  • 1
    @RaduRădeanu Because you don't need xinput to keylog. (it doesn't need an external command nor does the malicious program need to be SUID) your solution will simply allow one to control the execution of xinput – Ramchandra Apte Sep 25 '13 at 04:34
  • @RamchandraApte You didn't read the answer with attention. These methods have been given as examples for xinput. But any process can be used instead. Or what do you want to say: that there are hidden processes which cannot be found? – Radu Rădeanu Sep 25 '13 at 04:46
  • 3
    The most basic example to prove it ineffective: Copy a stock version of (ubuntu) xinput from a usb stick, download it from web or e-mail it to yourself and run it in your home folder. Same effect as using the unrestricted /usr/bin/xinput. – allo Apr 17 '18 at 13:36
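
The comments above note that any program can connect to the X server through its socket, so an administrator who wants to "know everything that moves" has to look at the socket rather than at one binary. The following is an added example, not code from any of the posters: it joins the two ends of each connection in `ss -x -p` output by inode to list the processes connected to the X socket. The sample lines are constructed, and the function names, the baseline list and the assumed `ss` column layout are assumptions of this example.

```shell
#!/bin/sh
# Added example. sample_ss prints CONSTRUCTED `ss -x -p` output, not a real capture.
sample_ss() {
cat <<'EOF'
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
u_str ESTAB 0 0 @/tmp/.X11-unix/X0 30001 * 30000 users:(("Xorg",pid=1200,fd=41))
u_str ESTAB 0 0 * 30000 * 30001 users:(("gnome-terminal-",pid=2400,fd=5))
u_str ESTAB 0 0 /tmp/.X11-unix/X0 30011 * 30010 users:(("Xorg",pid=1200,fd=44))
u_str ESTAB 0 0 * 30010 * 30011 users:(("xinput",pid=3100,fd=3))
u_str ESTAB 0 0 /run/user/1000/bus 30021 * 30020 users:(("dbus-daemon",pid=1500,fd=12))
u_str ESTAB 0 0 * 30020 * 30021 users:(("gnome-terminal-",pid=2400,fd=7))
EOF
}

# x_clients SOCKET: read `ss -x -p` output on stdin and print "PID NAME" for every
# process holding the client end of a connection to SOCKET.
x_clients() {
    awk -v sock="$1" '
        function emit(s,   e, name) {        # s looks like users:(("name",pid=N,fd=M),...)
            while (match(s, /\("[^"]*",pid=[0-9]+/)) {
                e = substr(s, RSTART + 2, RLENGTH - 2)
                s = substr(s, RSTART + RLENGTH)
                name = e; sub(/",pid=.*/, "", name)
                sub(/.*,pid=/, "", e)
                print e, name
            }
        }
        $1 !~ /^u_/ { next }                  # skip the header and non-unix sockets
        {
            addr = $5; sub(/^@/, "", addr)    # abstract sockets carry a leading @
            if (addr == sock) server[$6] = 1  # server end: remember its inode
            else if (i = index($0, "users:")) { peer[NR] = $8; proc[NR] = substr($0, i) }
        }
        END { for (n in peer) if (peer[n] in server) emit(proc[n]) }
    ' | sort -n -u
}

# unexpected_x_clients SOCKET "NAME NAME ...": same list, minus a baseline of known names.
unexpected_x_clients() {
    x_clients "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        { name = $0; sub(/^[0-9]+ /, "", name); if (!(name in ok)) print }'
}

# Demo on the constructed sample; live use: ss -x -p | x_clients /tmp/.X11-unix/X0
sample_ss | unexpected_x_clients /tmp/.X11-unix/X0 "gnome-terminal-"
```

A connection to the X socket only shows that a process is an X client, not that it is logging keys, and a process chooses its own name, so review unexpected entries by PID and executable path rather than by name alone.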