OVERVIEW
========

vlock is a denial of service tool.  Linux allows any user logged into the
virtual console to lock the system completely.  vlock takes this one step
further and grants this ability to any user who is able to run the vlock-new
program.

The default installation sets permissions that allow any user to run vlock-new
and is therefore insecure.  If you have a notion of trusted users it is
possible to set the VLOCK_GROUP variable while installing vlock like so::

  make VLOCK_GROUP=vlock install

This way only members of the vlock group will be able to lock the machine
completely.  Others will still be able to lock their own console or terminal.

Another possibility is to install vlock with VLOCK_GROUP set to root and
allow use of vlock through tools like sudo.  This approach, however, does not
bring much advantage over the previous group-based one.

In the future vlock-new will optionally be protected through PAM.

Setting VLOCK_GROUP also affects vlock-nosysrq.
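
One way to check the result of an installation is to audit who can execute the
installed helpers.  The script below is an added example, not part of vlock; the
function names are hypothetical, it relies on GNU ``stat``, and it makes no
assumption about the exact modes the Makefile sets:

```shell
#!/bin/sh
# Added example (not from the vlock sources): report who may execute an
# installed vlock helper such as vlock-new or vlock-nosysrq.

# classify_perms MODE GROUP EXPECTED_GROUP
#   MODE is the octal mode as printed by `stat -c %a`, e.g. 4750.
#   Prints "setuid=<yes|no> access=<any-user|group-only|wrong-group|owner-only>".
classify_perms() {
    mode=$((0$1))                       # leading 0 makes the shell read octal
    suid=no
    if [ $((mode & 04000)) -ne 0 ]; then
        suid=yes
    fi
    if [ $((mode & 0001)) -ne 0 ]; then
        access=any-user                 # world-executable: the insecure default
    elif [ $((mode & 0010)) -ne 0 ]; then
        if [ "$2" = "$3" ]; then
            access=group-only           # only the trusted group may run it
        else
            access=wrong-group          # restricted, but to an unexpected group
        fi
    else
        access=owner-only
    fi
    echo "setuid=$suid access=$access"
}

# audit_vlock_file FILE EXPECTED_GROUP
#   Stats FILE and prints its owner, group and classification.
audit_vlock_file() {
    file=$1
    expected=$2
    info=$(stat -c '%a %U %G' "$file") || return 2
    set -- $info                        # $1=mode $2=owner $3=group
    echo "$file owner=$2 group=$3 $(classify_perms "$1" "$3" "$expected")"
}
```

Call ``audit_vlock_file`` with the installed path of vlock-new and the group
passed as VLOCK_GROUP; a result of ``access=any-user`` together with
``setuid=yes`` means every local user can lock the machine completely.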

DETAILS
=======

vlock-current
-------------

This tool does the user authentication.  Once started it only exits when proper
authentication was received.

Depending on the system configuration it probably needs read access to
/etc/shadow.  It may be possible to install it without any special permissions.
Installing as a setuid-root program should be safe, though.

vlock-all
----------

This tool disables console switching while running vlock-current.

Disabling console switching is an unprivileged operation in Linux.  Therefore
this tool does not need any special permissions.

vlock-new
---------

This tool switches to a new console and runs vlock-all there.  It is similar to
using openvt(1) but much simpler.

To access the new virtual console vlock-new needs permissions on /dev/ttyXX.
It must therefore be installed as a setuid-root program.

vlock-nosysrq
-------------

This tool disables the magic SysRQ key while running vlock-all or vlock-new.

To access the corresponding sysctl file at /proc/sys/kernel/sysrq it should be
installed as a setuid-root program.
