This is a fork of a fork of slock, from which we take inspiration for some sound security options, but we then take it back towards a more simplistic approach (more like original slock's) with some added configuration capabilities.
All configuration is done in the `config.h` file.
To get started just make a copy of `config.h.def` into `config.h`, which you can then edit before compiling.
```
cd tlock
cp config.h.def config.h
```
Colors are fully customizable from the config file.
You can choose colors for the initial lock screen, as well as for the screen while typing the password, after a bad password attempt and for the cursor.
You can add a custom text message through the `PRINT_MSG` value in `config.h`. `FONT_COLOR` is an `#RRGGBB` hex value and `FONT_NAME` is an XLFD font name which sucks and you're never going to understand it fully.
You can optionally enable transparency on your lock screen. In the config, just set TRANSPARENCY to 1.
Note: if the screen just goes black or if this is otherwise not working as expected, you need to ensure that you are running a composite manager.
To hide the cursor instead just set the HIDE_CURSOR flag to 1.
You can add a background blur using a compositor. For instance in picom:
```
blur: {
  method = "dual_kawase";
  strength = 5;
  background = true;
  background-frame = true;
  background-fixed = true;
}
# Exclude conditions for background blur.
# blur-background-exclude = []
blur-background-exclude = [
  "window_type = 'dock'",
  "window_type = 'desktop'",
  "_GTK_FRAME_EXTENTS@:c",
  "class_g = 'Dunst'"
];
```
This will blur all backgrounds on translucent ARGB windows, except for those in the exclude rule. This might improve readability and also appearance according to one's preference, but will generally have a lesser impact on most windows since they tend to render with high opacity values. tlock can be set to be fully transparent, achieving a powerful background blur.
tlock will try to match your user login password by default.
You can choose to set a custom password by storing it in a specific file.
```
mkdir ~/.config/tlock
cd ~/.config/tlock
echo my_psw > passwd
chmod 600 passwd
```
You should also set the `CONFIG_DIR` and `PASSWD` constants so they point to the preferred location. The values shown here are the defaults, so you only need to uncomment the flags (if they are commented) to use them; otherwise you can point them to any file.
Since I couldn't bear having to type the same password when I only had one free hand rather than two and vice versa, you can now add multiple newline separated passwords (one per line) like so:
```
echo foo >> passwd
echo bar >> passwd
```
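The password file holds plaintext, and with `echo my_psw > passwd` the password lands in shell history and the file exists with default permissions until `chmod` runs. The following is an added example, not part of tlock: the function names are hypothetical, `stat -c` assumes GNU coreutils, and the default path mirrors the one used above.

```shell
#!/bin/sh
# Added example (not tlock code). Source this file, then run:
#   tlock_add_password      # type or pipe one password on stdin
TLOCK_DIR="${TLOCK_DIR:-$HOME/.config/tlock}"   # the page's default location

# Append one password, read from stdin so it never appears in shell history
# or in the process list, to $TLOCK_DIR/passwd (one password per line).
tlock_add_password() {
    (
        umask 077                        # new dir is 0700, new file is 0600
        mkdir -p "$TLOCK_DIR" || exit 1
        chmod 700 "$TLOCK_DIR" || exit 1 # tighten a directory that already existed
        if [ -t 0 ]; then stty -echo; fi # no echo when typed at a terminal
        IFS= read -r pw || true
        if [ -t 0 ]; then stty echo; echo; fi
        [ -n "$pw" ] || { echo "empty password refused" >&2; exit 1; }
        printf '%s\n' "$pw" >> "$TLOCK_DIR/passwd" || exit 1
        chmod 600 "$TLOCK_DIR/passwd"    # tighten a file that already existed
    )
}

# Return 0 only if the password file is a regular file, owned by the caller,
# with no group/other permission bits (GNU stat assumed).
tlock_check_passwd() {
    f="$TLOCK_DIR/passwd"
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "$f: missing, not a regular file, or a symlink" >&2; return 1
    fi
    [ "$(stat -c '%u' "$f")" = "$(id -u)" ] || { echo "$f: not owned by you" >&2; return 1; }
    case "$(stat -c '%a' "$f")" in
        600|400) return 0 ;;
        *) echo "$f: permissions too open, run chmod 600" >&2; return 1 ;;
    esac
}
```

Running `tlock_check_passwd` before locking catches a file that was restored from backup or edited with looser permissions.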
You can play a sound alarm on any incorrect password attempt. By default the program uses `play` to generate a synth sound. `play` can be found in the `sox` package, available on most distros' community repo, but you can set the custom sound file flag to play any audio file on your computer instead.
You can set an automatic shutdown after a certain number of tries, or if a CTRL+ALT+F1-13 or ALT+SYSRQ key sequence is recognized, trying to switch the tty or to kill X.
Number of tries and options such as disabling CTRL+ALT+Backspace and other ways to kill the X server during shutdown are all configurable in the config file.
Automatic shutdown requires sudo privileges to be set in your sudoers file. Open the file for writing with:
```
visudo
```
Then add the following lines:
```
# Options for poweroff
[username] [hostname]= NOPASSWD: /usr/bin/systemctl poweroff
[username] [hostname]= NOPASSWD: /usr/bin/shutdown -h now
# SYSRQ options
[username] [hostname]= NOPASSWD: /usr/bin/tee /proc/sys/kernel/sysrq
```
Where [username] and [hostname] are your username (or a user group such as `%wheel`) and hostname (or use `ALL=` to refer to any host) on the machine respectively.
You can combine this feature with a BIOS password as well as encrypted home and swap partitions, meaning that once your machine is shut off, your data is no longer accessible in any way.
To ensure the OOM-killer is disabled, sudo can be used internally. This requires another sudoers option:
```
[username] [hostname]= NOPASSWD: /usr/bin/tee /proc/[0-9][0-9]*/oom_score_adj
```
However, this is not recommended as now any process can modify the `oom_score` for any other process.
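An added audit check for the sudoers entries above (not part of tlock): per sudoers(5), wildcards in command arguments are matched against the whole argument string and can match across word boundaries, so a rule like the `oom_score_adj` one is broader than the single path it appears to name. The function names and the sample rules with user `alice` are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag NOPASSWD rules whose command *arguments* contain
# sudoers wildcards (* ? [). Assumes one rule per line, as on this page.

# Print "LINE_NO: rule" for each flagged rule in file $1.
# Returns 1 if any rule was flagged, 0 otherwise.
flag_wildcard_args() {
    awk '
        /^[ \t]*#/ || !/NOPASSWD:/ { next }       # skip comments and other rules
        {
            cmd = $0
            sub(/^.*NOPASSWD:[ \t]*/, "", cmd)    # keep "command args..."
            args = cmd
            sub(/^[^ \t]+[ \t]*/, "", args)       # drop the command path
            if (index(args, "*") || index(args, "?") || index(args, "[")) {
                printf "%d: %s\n", NR, $0
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the rules from this page with a made-up user "alice".
write_sample_rules() {
    cat > "$1" <<'EOF'
# Options for poweroff
alice ALL= NOPASSWD: /usr/bin/systemctl poweroff
alice ALL= NOPASSWD: /usr/bin/shutdown -h now
# SYSRQ options
alice ALL= NOPASSWD: /usr/bin/tee /proc/sys/kernel/sysrq
# OOM-killer option
alice ALL= NOPASSWD: /usr/bin/tee /proc/[0-9][0-9]*/oom_score_adj
EOF
}
```

Only the OOM-killer rule is flagged; the poweroff and SYSRQ rules name fixed arguments. Check any edited fragment with `visudo -c -f FILE` before installing it.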
GRSecurity support for Arch was dropped so we removed the feature and currently have no option to deal with this.
You can enable the option to take a webcam shot of whoever is tampering with your machine before shutdown. A fun little trick legacy from chjj's work.
Requires ffmpeg.
In order to build tlock you need the Xlib header files.
Potential runtime deps (depending on options set and configuration): sudo, ffmpeg, setxkbmap, sox.
First you need to clone this repo on your machine:
```
git clone https://github.com/cherrynoize/tlock
```
You can then edit the `config.mk` file before you compile the package to best suit your needs. By default it will be installed as `/usr/local/bin/tlock`, but you can edit the make config to install to any other location of your choosing.
When you're satisfied with your configuration:
```
make clean install
```
Anytime you edit the config file the above command must be rerun before any new options become available.
Please see Additional configuration below for more details.
```
tlock
```
Then either enter your password or your tlock password, if you have any. Et voilà.
See Troubleshooting for issues with resume.
Create a new `resume@.service` file in `/etc/systemd/system`, or edit it with care if you already have one:
```
[Unit]
Description=User resume from suspend actions
After=suspend.target

[Service]
User=%I
Environment=DISPLAY=:0
ExecStart=/usr/local/bin/tlock

[Install]
WantedBy=suspend.target
```
Then enable and start the service for your user like this:
```
systemctl enable --now resume@USER.service
```
Where USER is your username.
Verify it is working as expected with:
```
systemctl status resume@USER.service
```
You can now suspend your system:
```
systemctl suspend
```
And on resume tlock should be run.
We chose to follow original slock on removing DPMS settings, so you can easily customize them separately.
Here's an example script that you could run instead of tlock from your systemd service:
```
#!/bin/sh
# Stop music or ignore if not playing
/usr/bin/playerctl pause || true
# Close all notifications
/usr/bin/dunstctl close-all
# Disable dpms
/usr/bin/xset -dpms &
# Run tlock
/usr/local/bin/tlock
# Re-enable dpms
/usr/bin/xset +dpms
```
Of course this is all optional configuration but leaving DPMS unhandled may constitute a security issue, for instance unlocking the screen automatically after a certain timeout.
This is most likely not tlock's fault but the resume service's.
You can easily circumvent this by using the suspend service instead:
```
[Unit]
Description=User before suspend actions
Before=sleep.target

[Service]
User=%I
Environment=DISPLAY=:0
ExecStart=/usr/local/bin/tlock

[Install]
WantedBy=sleep.target
```
Enable as for the resume service.
It may be briefly flashing the locked screen before suspending but I believe that's better than the other way around.
Please open an issue or a PR about any issue or whatever.